From f59236198e7bb2f0ec08dc8e0dc712fe910a1bed Mon Sep 17 00:00:00 2001 
From: Jeremy Lewi Date: Thu, 21 May 2020 14:01:37 -0700 Subject: [PATCH] Create a new cluster for chatbot based on the GCP blueprint. * We want to create a webhook to respond to Dialogflow. To do that we need to be able to modify the ISTIO ingress policy in order to apply different JWT validation for requests routed through IAP vs. calls from Dialogflow. * I initially tried that using ISTIO 1.1 and ran into problems. On ISTIO 1.4 it seemed to work. * So this PR defines a new cluster based on the Kubeflow GCP blueprint, which therefore uses ASM, which has ISTIO 1.4. It also uses ACM to manage the deployment. * Related to #142 --- ...rcedefinition_applications.app.k8s.io.yaml | 233 + ...ation_application-controller-kubeflow.yaml | 35 + ...t_application-controller-stateful-set.yaml | 28 + ...e_application-controller-cluster-role.yaml | 21 + ...ation-controller-cluster-role-binding.yaml | 12 + ...ervice_application-controller-service.yaml | 8 + ...pplication-controller-service-account.yaml | 5 + ...n_certificaterequests.cert-manager.io.yaml | 181 + ...finition_certificates.cert-manager.io.yaml | 235 + ...ition_challenges.acme.cert-manager.io.yaml | 1369 ++ ...nition_clusterissuers.cert-manager.io.yaml | 1655 ++ ...rcedefinition_issuers.cert-manager.io.yaml | 1655 ++ ...efinition_orders.acme.cert-manager.io.yaml | 200 + ...ert-manager-cainjector:leaderelection.yaml | 18 + ...eta1_role_cert-manager:leaderelection.yaml | 18 + ...ert-manager-cainjector:leaderelection.yaml | 17 + ...webhook:webhook-authentication-reader.yaml | 17 + ...lebinding_cert-manager:leaderelection.yaml | 17 + ...p_cert-manager-kube-params-parameters.yaml | 9 + ...s.io_v1beta1_application_cert-manager.yaml | 39 + ...ion_cloudendpoints.ctl.isla.solutions.yaml | 20 + ...o_v1beta1_application_cloud-endpoints.yaml | 35 + ...deployment_cloud-endpoints-controller.yaml | 43 + ...controller_cloud-endpoints-controller.yaml | 26 + ...lusterrole_cloud-endpoints-controller.yaml | 26 + 
...olebinding_cloud-endpoints-controller.yaml | 17 + ..._configmap_cloud-endpoints-parameters.yaml | 13 + ...v1_service_cloud-endpoints-controller.yaml | 20 + .../~g_v1_serviceaccount_kf-admin.yaml | 12 + ...1_computeaddress_code-intelligence-ip.yaml | 13 + ...e-intelligence-storage-artifact-store.yaml | 10 + ...e-intelligence-storage-metadata-store.yaml | 10 + ...a1_containercluster_code-intelligence.yaml | 41 + ...mber_code-intelligence-admin-bigquery.yaml | 14 + ...er_code-intelligence-admin-cloudbuild.yaml | 14 + ...mber_code-intelligence-admin-cloudsql.yaml | 14 + ...mber_code-intelligence-admin-dataflow.yaml | 14 + ...mber_code-intelligence-admin-dataproc.yaml | 14 + ...mber_code-intelligence-admin-istio-wi.yaml | 14 + ...ember_code-intelligence-admin-logging.yaml | 14 + ..._code-intelligence-admin-metricwriter.yaml | 14 + ...licymember_code-intelligence-admin-ml.yaml | 14 + ...e-intelligence-admin-monitoringviewer.yaml | 14 + ...ember_code-intelligence-admin-network.yaml | 14 + ...-intelligence-admin-servicemanagement.yaml | 14 + ...member_code-intelligence-admin-source.yaml | 14 + ...ember_code-intelligence-admin-storage.yaml | 14 + ...member_code-intelligence-admin-viewer.yaml | 14 + ...licymember_code-intelligence-admin-wi.yaml | 14 + ...ember_code-intelligence-user-bigquery.yaml | 14 + ...ber_code-intelligence-user-cloudbuild.yaml | 14 + ...ember_code-intelligence-user-cloudsql.yaml | 14 + ...ember_code-intelligence-user-dataflow.yaml | 14 + ...ember_code-intelligence-user-dataproc.yaml | 14 + ...member_code-intelligence-user-logging.yaml | 14 + ...r_code-intelligence-user-metricwriter.yaml | 14 + ...olicymember_code-intelligence-user-ml.yaml | 14 + ...de-intelligence-user-monitoringviewer.yaml | 14 + ...ymember_code-intelligence-user-source.yaml | 14 + ...member_code-intelligence-user-storage.yaml | 14 + ...ymember_code-intelligence-user-viewer.yaml | 14 + ...cymember_code-intelligence-vm-logging.yaml | 14 + ...ode-intelligence-vm-policy-cloudtrace.yaml 
| 14 + ...-intelligence-vm-policy-meshtelemetry.yaml | 14 + ...elligence-vm-policy-monitoring-viewer.yaml | 14 + ...ode-intelligence-vm-policy-monitoring.yaml | 14 + ...r_code-intelligence-vm-policy-storage.yaml | 14 + ...erviceaccount_code-intelligence-admin.yaml | 9 + ...serviceaccount_code-intelligence-user.yaml | 9 + ...amserviceaccount_code-intelligence-vm.yaml | 9 + ...8s.io_v1beta1_application_iap-ingress.yaml | 34 + .../apps_v1_deployment_iap-enabler.yaml | 44 + .../apps_v1_deployment_whoami-app.yaml | 35 + .../apps_v1_statefulset_backend-updater.yaml | 44 + ....istio.io_v1alpha1_policy_ingress-jwt.yaml | 25 + ...beta1_backendconfig_iap-backendconfig.yaml | 13 + ...ns_v1_cloudendpoint_code-intelligence.yaml | 12 + ...ensions_v1beta1_ingress_envoy-ingress.yaml | 20 + ...a1_managedcertificate_gke-certificate.yaml | 10 + ...s.io_v1beta1_clusterrole_kf-admin-iap.yaml | 41 + ...beta1_clusterrolebinding_kf-admin-iap.yaml | 14 + ...io_v1alpha1_clusterrbacconfig_default.yaml | 10 + .../~g_v1_configmap_envoy-config.yaml | 128 + ...nfigmap_iap-ingress-config-c2924ch89c.yaml | 16 + ...v1_configmap_ingress-bootstrap-config.yaml | 30 + .../~g_v1_service_istio-ingressgateway.yaml | 50 + .../iap-ingress/~g_v1_service_whoami-app.yaml | 16 + .../~g_v1_serviceaccount_kf-admin.yaml | 9 + .../.build/istio/Base/Base.yaml | 5117 +++++ .../istio/Base/CertManager/CertManager.yaml | 1 + .../.build/istio/Base/Citadel/Citadel.yaml | 1 + .../.build/istio/Base/Cni/Cni.yaml | 1 + .../Base/EgressGateway/EgressGateway.yaml | 1 + .../.build/istio/Base/Galley/Galley.yaml | 593 + .../.build/istio/Base/Grafana/Grafana.yaml | 1 + .../Base/IngressGateway/IngressGateway.yaml | 417 + .../.build/istio/Base/Injector/Injector.yaml | 790 + .../.build/istio/Base/Kiali/Kiali.yaml | 1 + .../istio/Base/NodeAgent/NodeAgent.yaml | 133 + .../.build/istio/Base/Pilot/Pilot.yaml | 1144 + .../.build/istio/Base/Policy/Policy.yaml | 1 + .../istio/Base/Prometheus/Prometheus.yaml | 1 + .../PrometheusOperator.yaml | 
1 + .../istio/Base/Telemetry/Telemetry.yaml | 1 + .../.build/istio/Base/Tracing/Tracing.yaml | 1 + ...ebhook-mutating-webhook-configuration.yaml | 28 + ...urcedefinition_notebooks.kubeflow.org.yaml | 69 + ...cedefinition_poddefaults.kubeflow.org.yaml | 56 + ...ourcedefinition_profiles.kubeflow.org.yaml | 158 + ...cedefinition_pytorchjobs.kubeflow.org.yaml | 45 + ...esourcedefinition_tfjobs.kubeflow.org.yaml | 50 + ..._v1beta1_application_centraldashboard.yaml | 57 + ...k8s.io_v1beta1_application_gpu-driver.yaml | 35 + ...ation_jupyter-web-app-jupyter-web-app.yaml | 55 + ...tebook-controller-notebook-controller.yaml | 46 + ...v1beta1_application_profiles-profiles.yaml | 44 + ..._v1beta1_application_pytorch-job-crds.yaml | 46 + ..._v1beta1_application_pytorch-operator.yaml | 49 + ...8s.io_v1beta1_application_tf-job-crds.yaml | 46 + ...o_v1beta1_application_tf-job-operator.yaml | 47 + ...pp.k8s.io_v1beta1_application_webhook.yaml | 39 + ..._v1_daemonset_nvidia-driver-installer.yaml | 72 + ...ployment_admission-webhook-deployment.yaml | 42 + .../apps_v1_deployment_centraldashboard.yaml | 50 + ...deployment_jupyter-web-app-deployment.yaml | 46 + ...oyment_notebook-controller-deployment.yaml | 51 + ...pps_v1_deployment_profiles-deployment.yaml | 95 + .../apps_v1_deployment_pytorch-operator.yaml | 45 + .../apps_v1_deployment_tf-job-operator.yaml | 43 + ...a2_certificate_admission-webhook-cert.yaml | 18 + ...ow.org_v1beta1_profile_kubeflow-jlewi.yaml | 9 + ...lpha3_virtualservice_centraldashboard.yaml | 24 + ...rvice_jupyter-web-app-jupyter-web-app.yaml | 28 + ...v1alpha3_virtualservice_profiles-kfam.yaml | 27 + ...errole_admission-webhook-cluster-role.yaml | 22 + ...on-webhook-kubeflow-poddefaults-admin.yaml | 15 + ...ion-webhook-kubeflow-poddefaults-edit.yaml | 15 + ...ion-webhook-kubeflow-poddefaults-view.yaml | 21 + ...8s.io_v1_clusterrole_centraldashboard.yaml | 19 + ...sterrole_jupyter-web-app-cluster-role.yaml | 57 + ...er-web-app-kubeflow-notebook-ui-admin.yaml | 9 
+ ...ter-web-app-kubeflow-notebook-ui-edit.yaml | 20 + ...ter-web-app-kubeflow-notebook-ui-view.yaml | 26 + ....k8s.io_v1_clusterrole_kubeflow-admin.yaml | 9 + ...n.k8s.io_v1_clusterrole_kubeflow-edit.yaml | 11 + ...clusterrole_kubeflow-kubernetes-admin.yaml | 27 + ..._clusterrole_kubeflow-kubernetes-edit.yaml | 135 + ..._clusterrole_kubeflow-kubernetes-view.yaml | 125 + ...lusterrole_kubeflow-pytorchjobs-admin.yaml | 14 + ...clusterrole_kubeflow-pytorchjobs-edit.yaml | 25 + ...clusterrole_kubeflow-pytorchjobs-view.yaml | 19 + ..._v1_clusterrole_kubeflow-tfjobs-admin.yaml | 14 + ...o_v1_clusterrole_kubeflow-tfjobs-edit.yaml | 25 + ...o_v1_clusterrole_kubeflow-tfjobs-view.yaml | 19 + ...n.k8s.io_v1_clusterrole_kubeflow-view.yaml | 11 + ...k-controller-kubeflow-notebooks-admin.yaml | 15 + ...ok-controller-kubeflow-notebooks-edit.yaml | 26 + ...ok-controller-kubeflow-notebooks-view.yaml | 20 + ..._clusterrole_notebook-controller-role.yaml | 54 + ...dmission-webhook-cluster-role-binding.yaml | 17 + ...1_clusterrolebinding_centraldashboard.yaml | 16 + ..._jupyter-web-app-cluster-role-binding.yaml | 15 + ...ding_notebook-controller-role-binding.yaml | 17 + ...binding_profiles-cluster-role-binding.yaml | 14 + ...ation.k8s.io_v1_role_centraldashboard.yaml | 28 + ...8s.io_v1_rolebinding_centraldashboard.yaml | 17 + ..._v1beta1_clusterrole_pytorch-operator.yaml | 32 + ...o_v1beta1_clusterrole_tf-job-operator.yaml | 40 + ...1_clusterrolebinding_pytorch-operator.yaml | 17 + ...a1_clusterrolebinding_tf-job-operator.yaml | 17 + ...jupyter-web-app-jupyter-notebook-role.yaml | 39 + ...web-app-jupyter-notebook-role-binding.yaml | 15 + ...-webhook-admission-webhook-parameters.yaml | 14 + ...map_default-install-config-6mcgbmmtg6.yaml | 8 + ...app-jupyter-web-app-config-dhcbh64467.yaml | 138 + ..._configmap_kubeflow-config-988m2m9m87.yaml | 9 + ...notebook-controller-config-h4d668t5tb.yaml | 13 + ...p_profiles-profiles-config-b8664685bd.yaml | 10 + 
..._v1_service_admission-webhook-service.yaml | 19 + .../~g_v1_service_centraldashboard.yaml | 29 + ...~g_v1_service_jupyter-web-app-service.yaml | 29 + ...1_service_notebook-controller-service.yaml | 18 + .../~g_v1_service_profiles-kfam.yaml | 12 + .../~g_v1_service_pytorch-operator.yaml | 25 + .../~g_v1_service_tf-job-operator.yaml | 25 + ...unt_admission-webhook-service-account.yaml | 10 + ...~g_v1_serviceaccount_centraldashboard.yaml | 8 + ...count_jupyter-web-app-service-account.yaml | 8 + ...t_notebook-controller-service-account.yaml | 10 + ...t_profiles-controller-service-account.yaml | 7 + ...~g_v1_serviceaccount_pytorch-operator.yaml | 10 + ...~g_v1_serviceaccount_tf-job-dashboard.yaml | 10 + .../~g_v1_serviceaccount_tf-job-operator.yaml | 10 + ...erissuer_kubeflow-self-signing-issuer.yaml | 7 + .../code-intelligence/.build/kubeflow-istio | 181 + ...sitecontrollers.metacontroller.k8s.io.yaml | 17 + ...rollerrevisions.metacontroller.k8s.io.yaml | 14 + ...atorcontrollers.metacontroller.k8s.io.yaml | 17 + .../apps_v1_statefulset_metacontroller.yaml | 46 + ..._meta-controller-cluster-role-binding.yaml | 14 + ...erviceaccount_meta-controller-service.yaml | 7 + .../~g_v1_namespace_cert-manager.yaml | 4 + .../namespaces/~g_v1_namespace_kubeflow.yaml | 7 + kubeflow_clusters/code-intelligence/Kptfile | 11 + kubeflow_clusters/code-intelligence/Makefile | 198 + kubeflow_clusters/code-intelligence/README.md | 194 + .../code-intelligence/acm-repo/Base.yaml | 5062 ++++ .../acm-repo/CertManager.yaml | 1 + .../code-intelligence/acm-repo/Citadel.yaml | 1 + .../code-intelligence/acm-repo/Cni.yaml | 1 + .../acm-repo/EgressGateway.yaml | 1 + .../code-intelligence/acm-repo/Galley.yaml | 565 + .../code-intelligence/acm-repo/Grafana.yaml | 1 + .../acm-repo/IngressGateway.yaml | 389 + .../code-intelligence/acm-repo/Injector.yaml | 765 + .../code-intelligence/acm-repo/Kiali.yaml | 1 + .../code-intelligence/acm-repo/NodeAgent.yaml | 124 + .../code-intelligence/acm-repo/Pilot.yaml | 
1098 + .../code-intelligence/acm-repo/Policy.yaml | 1 + .../acm-repo/Prometheus.yaml | 1 + .../acm-repo/PrometheusOperator.yaml | 1 + .../code-intelligence/acm-repo/Telemetry.yaml | 1 + .../code-intelligence/acm-repo/Tracing.yaml | 1 + ...ebhook-mutating-webhook-configuration.yaml | 28 + ...rcedefinition_applications.app.k8s.io.yaml | 233 + ...n_certificaterequests.cert-manager.io.yaml | 181 + ...finition_certificates.cert-manager.io.yaml | 235 + ...ition_challenges.acme.cert-manager.io.yaml | 1369 ++ ...ion_cloudendpoints.ctl.isla.solutions.yaml | 20 + ...nition_clusterissuers.cert-manager.io.yaml | 1655 ++ ...sitecontrollers.metacontroller.k8s.io.yaml | 17 + ...rollerrevisions.metacontroller.k8s.io.yaml | 14 + ...atorcontrollers.metacontroller.k8s.io.yaml | 17 + ...rcedefinition_issuers.cert-manager.io.yaml | 1655 ++ ...urcedefinition_notebooks.kubeflow.org.yaml | 69 + ...efinition_orders.acme.cert-manager.io.yaml | 200 + ...cedefinition_poddefaults.kubeflow.org.yaml | 56 + ...ourcedefinition_profiles.kubeflow.org.yaml | 158 + ...cedefinition_pytorchjobs.kubeflow.org.yaml | 45 + ...esourcedefinition_tfjobs.kubeflow.org.yaml | 50 + ...ation_application-controller-kubeflow.yaml | 35 + ..._v1beta1_application_centraldashboard.yaml | 57 + ...s.io_v1beta1_application_cert-manager.yaml | 39 + ...o_v1beta1_application_cloud-endpoints.yaml | 35 + ...k8s.io_v1beta1_application_gpu-driver.yaml | 35 + ...8s.io_v1beta1_application_iap-ingress.yaml | 34 + ...ation_jupyter-web-app-jupyter-web-app.yaml | 55 + ...tebook-controller-notebook-controller.yaml | 46 + ...v1beta1_application_profiles-profiles.yaml | 44 + ..._v1beta1_application_pytorch-job-crds.yaml | 46 + ..._v1beta1_application_pytorch-operator.yaml | 49 + ...8s.io_v1beta1_application_tf-job-crds.yaml | 46 + ...o_v1beta1_application_tf-job-operator.yaml | 47 + ...pp.k8s.io_v1beta1_application_webhook.yaml | 39 + ..._v1_daemonset_nvidia-driver-installer.yaml | 72 + ...ployment_admission-webhook-deployment.yaml | 42 + 
.../apps_v1_deployment_centraldashboard.yaml | 50 + ...deployment_cloud-endpoints-controller.yaml | 43 + .../apps_v1_deployment_iap-enabler.yaml | 44 + ...deployment_jupyter-web-app-deployment.yaml | 46 + ...oyment_notebook-controller-deployment.yaml | 51 + ...pps_v1_deployment_profiles-deployment.yaml | 95 + .../apps_v1_deployment_pytorch-operator.yaml | 45 + .../apps_v1_deployment_tf-job-operator.yaml | 43 + .../apps_v1_deployment_whoami-app.yaml | 35 + ...t_application-controller-stateful-set.yaml | 28 + .../apps_v1_statefulset_backend-updater.yaml | 44 + .../apps_v1_statefulset_metacontroller.yaml | 46 + ....istio.io_v1alpha1_policy_ingress-jwt.yaml | 25 + ...a2_certificate_admission-webhook-cert.yaml | 18 + ...erissuer_kubeflow-self-signing-issuer.yaml | 6 + ...beta1_backendconfig_iap-backendconfig.yaml | 13 + ...ns_v1_cloudendpoint_code-intelligence.yaml | 12 + ...ensions_v1beta1_ingress_envoy-ingress.yaml | 20 + .../acm-repo/kaniko/namespace.yaml | 10 + ...ow.org_v1beta1_profile_kubeflow-jlewi.yaml | 8 + ...controller_cloud-endpoints-controller.yaml | 25 + ...a1_managedcertificate_gke-certificate.yaml | 10 + ...lpha3_virtualservice_centraldashboard.yaml | 24 + ...rvice_jupyter-web-app-jupyter-web-app.yaml | 28 + ...v1alpha3_virtualservice_profiles-kfam.yaml | 27 + ...errole_admission-webhook-cluster-role.yaml | 22 + ...on-webhook-kubeflow-poddefaults-admin.yaml | 15 + ...ion-webhook-kubeflow-poddefaults-edit.yaml | 15 + ...ion-webhook-kubeflow-poddefaults-view.yaml | 21 + ...e_application-controller-cluster-role.yaml | 21 + ...8s.io_v1_clusterrole_centraldashboard.yaml | 19 + ...sterrole_jupyter-web-app-cluster-role.yaml | 57 + ...er-web-app-kubeflow-notebook-ui-admin.yaml | 9 + ...ter-web-app-kubeflow-notebook-ui-edit.yaml | 20 + ...ter-web-app-kubeflow-notebook-ui-view.yaml | 26 + ....k8s.io_v1_clusterrole_kubeflow-admin.yaml | 9 + ...n.k8s.io_v1_clusterrole_kubeflow-edit.yaml | 11 + ...clusterrole_kubeflow-kubernetes-admin.yaml | 27 + 
..._clusterrole_kubeflow-kubernetes-edit.yaml | 135 + ..._clusterrole_kubeflow-kubernetes-view.yaml | 125 + ...lusterrole_kubeflow-pytorchjobs-admin.yaml | 14 + ...clusterrole_kubeflow-pytorchjobs-edit.yaml | 25 + ...clusterrole_kubeflow-pytorchjobs-view.yaml | 19 + ..._v1_clusterrole_kubeflow-tfjobs-admin.yaml | 14 + ...o_v1_clusterrole_kubeflow-tfjobs-edit.yaml | 25 + ...o_v1_clusterrole_kubeflow-tfjobs-view.yaml | 19 + ...n.k8s.io_v1_clusterrole_kubeflow-view.yaml | 11 + ...k-controller-kubeflow-notebooks-admin.yaml | 15 + ...ok-controller-kubeflow-notebooks-edit.yaml | 26 + ...ok-controller-kubeflow-notebooks-view.yaml | 20 + ..._clusterrole_notebook-controller-role.yaml | 54 + ...dmission-webhook-cluster-role-binding.yaml | 17 + ...ation-controller-cluster-role-binding.yaml | 12 + ...1_clusterrolebinding_centraldashboard.yaml | 16 + ..._jupyter-web-app-cluster-role-binding.yaml | 15 + ..._meta-controller-cluster-role-binding.yaml | 14 + ...ding_notebook-controller-role-binding.yaml | 17 + ...binding_profiles-cluster-role-binding.yaml | 14 + ...ation.k8s.io_v1_role_centraldashboard.yaml | 28 + ...8s.io_v1_rolebinding_centraldashboard.yaml | 17 + ...lusterrole_cloud-endpoints-controller.yaml | 26 + ...s.io_v1beta1_clusterrole_kf-admin-iap.yaml | 41 + ..._v1beta1_clusterrole_pytorch-operator.yaml | 32 + ...o_v1beta1_clusterrole_tf-job-operator.yaml | 40 + ...olebinding_cloud-endpoints-controller.yaml | 17 + ...beta1_clusterrolebinding_kf-admin-iap.yaml | 14 + ...1_clusterrolebinding_pytorch-operator.yaml | 17 + ...a1_clusterrolebinding_tf-job-operator.yaml | 17 + ...ert-manager-cainjector:leaderelection.yaml | 18 + ...eta1_role_cert-manager:leaderelection.yaml | 18 + ...jupyter-web-app-jupyter-notebook-role.yaml | 39 + ...ert-manager-cainjector:leaderelection.yaml | 17 + ...webhook:webhook-authentication-reader.yaml | 17 + ...lebinding_cert-manager:leaderelection.yaml | 17 + ...web-app-jupyter-notebook-role-binding.yaml | 15 + 
...io_v1alpha1_clusterrbacconfig_default.yaml | 9 + .../acm-repo/v1_namespace_chatbot-dev.yaml | 5 + ...-webhook-admission-webhook-parameters.yaml | 13 + ...p_cert-manager-kube-params-parameters.yaml | 9 + ..._configmap_cloud-endpoints-parameters.yaml | 13 + ...map_default-install-config-6mcgbmmtg6.yaml | 8 + .../~g_v1_configmap_envoy-config.yaml | 128 + ...nfigmap_iap-ingress-config-c2924ch89c.yaml | 16 + ...v1_configmap_ingress-bootstrap-config.yaml | 30 + ...app-jupyter-web-app-config-dhcbh64467.yaml | 138 + ..._configmap_kubeflow-config-988m2m9m87.yaml | 9 + ...notebook-controller-config-h4d668t5tb.yaml | 13 + ...p_profiles-profiles-config-b8664685bd.yaml | 10 + .../~g_v1_namespace_cert-manager.yaml | 4 + .../acm-repo/~g_v1_namespace_kubeflow.yaml | 7 + ..._v1_service_admission-webhook-service.yaml | 19 + ...ervice_application-controller-service.yaml | 8 + .../~g_v1_service_centraldashboard.yaml | 29 + ...v1_service_cloud-endpoints-controller.yaml | 20 + ...~g_v1_service_jupyter-web-app-service.yaml | 29 + ...1_service_notebook-controller-service.yaml | 18 + .../acm-repo/~g_v1_service_profiles-kfam.yaml | 12 + .../~g_v1_service_pytorch-operator.yaml | 25 + .../~g_v1_service_tf-job-operator.yaml | 25 + .../acm-repo/~g_v1_service_whoami-app.yaml | 16 + ...unt_admission-webhook-service-account.yaml | 10 + ...pplication-controller-service-account.yaml | 5 + ...~g_v1_serviceaccount_centraldashboard.yaml | 8 + ...count_jupyter-web-app-service-account.yaml | 8 + .../~g_v1_serviceaccount_kf-admin.yaml | 12 + ...erviceaccount_meta-controller-service.yaml | 7 + ...t_notebook-controller-service-account.yaml | 10 + ...t_profiles-controller-service-account.yaml | 7 + ...~g_v1_serviceaccount_pytorch-operator.yaml | 10 + ...~g_v1_serviceaccount_tf-job-dashboard.yaml | 10 + .../~g_v1_serviceaccount_tf-job-operator.yaml | 10 + .../config-management-operator.yaml | 258 + .../configsync/config-management.yaml | 20 + .../hack/check_domain_length.sh | 15 + 
.../hack/check_oauth_secret.sh | 8 + .../code-intelligence/hack/create_context.sh | 34 + .../code-intelligence/instance/README.md | 8 + .../instance/gcp_config/cluster_patch.yaml | 31 + .../instance/gcp_config/enable-services.yaml | 98 + .../instance/gcp_config/iam_policy.yaml | 25 + .../instance/gcp_config/kustomization.yaml | 16 + .../instance/gcp_config/nodepool_patch.yaml | 11 + .../kustomize/application/kustomization.yaml | 4 + .../cert-manager-crds/kustomization.yaml | 4 + .../kustomization.yaml | 4 + .../kustomize/cert-manager/kustomization.yaml | 4 + .../cloud-endpoints/kustomization.yaml | 6 + .../cloud-endpoints/service-accounts.yaml | 6 + .../iap-ingress/iap-ingress-config.yaml | 10 + .../kustomize/iap-ingress/kustomization.yaml | 8 + .../iap-ingress/service-accounts.yaml | 6 + .../kubeflow-apps/default-install-config.yaml | 8 + .../kubeflow-apps/kustomization.yaml | 7 + .../kubeflow-apps/profiles-config.yaml | 8 + .../kubeflow-apps/service-accounts.yaml | 6 + .../kubeflow-issuer/kustomization.yaml | 4 + .../kubeflow-istio/kustomization.yaml | 4 + .../metacontroller/kustomization.yaml | 4 + .../kustomize/namespaces/kustomization.yaml | 4 + .../kustomize/namespaces/namespaces.yaml | 14 + .../code-intelligence/instance/settings.yaml | 6 + .../upstream/manifests/Kptfile | 11 + .../upstream/manifests/LICENSE | 201 + .../upstream/manifests/OWNERS | 18 + .../upstream/manifests/README.md | 239 + .../bootstrap/base/cluster-role-binding.yaml | 11 + .../bootstrap/base/cluster-role.yaml | 25 + .../bootstrap/base/config-map.yaml | 131 + .../bootstrap/base/kustomization.yaml | 39 + .../bootstrap/base/params.env | 2 + .../bootstrap/base/params.yaml | 3 + .../bootstrap/base/service-account.yaml | 4 + .../bootstrap/base/stateful-set.yaml | 29 + .../overlays/application/application.yaml | 34 + .../overlays/application/kustomization.yaml | 9 + .../webhook/base/cluster-role-binding.yaml | 11 + .../webhook/base/cluster-role.yaml | 65 + 
.../admission-webhook/webhook/base/crd.yaml | 51 + .../webhook/base/deployment.yaml | 22 + .../webhook/base/kustomization.yaml | 55 + .../base/mutating-webhook-configuration.yaml | 21 + .../admission-webhook/webhook/base/params.env | 1 + .../webhook/base/params.yaml | 7 + .../webhook/base/service-account.yaml | 4 + .../webhook/base/service.yaml | 8 + .../overlays/application/application.yaml | 41 + .../overlays/application/kustomization.yaml | 9 + .../overlays/cert-manager/certificate.yaml | 14 + .../overlays/cert-manager/deployment.yaml | 12 + .../overlays/cert-manager/kustomization.yaml | 48 + .../mutating-webhook-configuration.yaml | 7 + .../webhook/overlays/cert-manager/params.env | 1 + .../webhook/overlays/cert-manager/params.yaml | 9 + .../webhook/v3/kustomization.yaml | 8 + .../application-crds/base/crd.yaml | 233 + .../application-crds/base/kustomization.yaml | 4 + .../base/cluster-role-binding.yaml | 11 + .../application/base/cluster-role.yaml | 21 + .../application/base/kustomization.yaml | 29 + .../application/application/base/params.env | 1 + .../application/application/base/params.yaml | 3 + .../application/base/service-account.yaml | 4 + .../application/application/base/service.yaml | 7 + .../application/base/stateful-set.yaml | 29 + .../overlays/application/application.yaml | 34 + .../overlays/application/kustomization.yaml | 9 + .../overlays/debug/kustomization.yaml | 10 + .../overlays/debug/stateful-set.yaml | 25 + .../application/v3/kustomization.yaml | 22 + .../argo/base/cluster-role-binding.yaml | 29 + .../manifests/argo/base/cluster-role.yaml | 85 + .../manifests/argo/base/config-map.yaml | 29 + .../upstream/manifests/argo/base/crd.yaml | 15 + .../manifests/argo/base/deployment.yaml | 111 + .../manifests/argo/base/kustomization.yaml | 111 + .../upstream/manifests/argo/base/params.env | 12 + .../upstream/manifests/argo/base/params.yaml | 7 + .../manifests/argo/base/service-account.yaml | 11 + .../upstream/manifests/argo/base/service.yaml | 23 + 
.../overlays/application/application.yaml | 38 + .../overlays/application/kustomization.yaml | 9 + .../argo/overlays/istio/kustomization.yaml | 8 + .../manifests/argo/overlays/istio/params.yaml | 3 + .../argo/overlays/istio/virtual-service.yaml | 20 + .../upstream/manifests/aws/OWNERS | 3 + .../base/cluster-role-binding.yaml | 11 + .../base/cluster-role.yaml | 35 + .../base/deployment.yaml | 53 + .../base/kustomization.yaml | 27 + .../base/params.env | 1 + .../base/service-account.yaml | 4 + .../overlays/application/application.yaml | 36 + .../overlays/application/kustomization.yaml | 8 + .../overlays/vpc/kustomization.yaml | 24 + .../overlays/vpc/params.env | 2 + .../overlays/vpc/vpc.yaml | 26 + .../aws-efs-csi-driver/base/csi-driver.yaml | 7 + .../base/csi-node-daemonset.yaml | 99 + .../base/kustomization.yaml | 12 + .../overlays/application/application.yaml | 36 + .../overlays/application/kustomization.yaml | 7 + .../base/csi-controller-sa.yaml | 8 + .../base/csi-controller.yaml | 64 + .../aws-fsx-csi-driver/base/csi-driver.yaml | 7 + .../base/csi-node-daemonset.yaml | 90 + .../csi-provisioner-cluster-role-binding.yaml | 12 + .../base/csi-provisioner-cluster-role.yaml | 26 + .../base/kustomization.yaml | 16 + .../overlays/application/application.yaml | 44 + .../overlays/application/kustomization.yaml | 7 + .../base/authzadaptor.yaml | 13 + .../base/deployment.yaml | 23 + .../aws-istio-authz-adaptor/base/handler.yaml | 10 + .../base/instance.yaml | 8 + .../base/kustomization.yaml | 46 + .../aws-istio-authz-adaptor/base/params.env | 3 + .../aws-istio-authz-adaptor/base/params.yaml | 7 + .../aws-istio-authz-adaptor/base/rule.yaml | 17 + .../aws-istio-authz-adaptor/base/service.yaml | 12 + .../base/template.yaml | 9 + .../overlays/application/application.yaml | 38 + .../overlays/application/kustomization.yaml | 9 + .../base/cluster-role-binding.yaml | 12 + .../base/cluster-role.yaml | 10 + .../fluentd-cloud-watch/base/configmap.yaml | 312 + 
.../fluentd-cloud-watch/base/daemonset.yaml | 79 + .../base/kustomization.yaml | 35 + .../aws/fluentd-cloud-watch/base/params.env | 2 + .../base/service-account.yaml | 4 + .../overlays/application/application.yaml | 39 + .../overlays/application/kustomization.yaml | 7 + .../manifests/aws/infra_configs/README.md | 2 + .../aws/infra_configs/cluster_config.yaml | 44 + .../aws/infra_configs/cluster_features.yaml | 17 + .../infra_configs/iam_alb_ingress_policy.json | 118 + .../infra_configs/iam_cloudwatch_policy.json | 16 + .../aws/infra_configs/iam_csi_fsx_policy.json | 31 + .../iam_profile_controller_policy.json | 14 + .../aws/istio-ingress/base/ingress.yaml | 16 + .../aws/istio-ingress/base/istio-policy.yaml | 20 + .../aws/istio-ingress/base/kustomization.yaml | 21 + .../aws/istio-ingress/base/params.env | 1 + .../aws/istio-ingress/base/params.yaml | 3 + .../overlays/cognito/ingress.yaml | 9 + .../overlays/cognito/kustomization.yaml | 39 + .../istio-ingress/overlays/cognito/params.env | 4 + .../overlays/cognito/params.yaml | 3 + .../istio-ingress/overlays/oidc/ingress.yaml | 10 + .../overlays/oidc/kustomization.yaml | 57 + .../overlays/oidc/oidc-secret.yaml | 8 + .../istio-ingress/overlays/oidc/params.env | 6 + .../istio-ingress/overlays/oidc/params.yaml | 3 + .../istio-ingress/overlays/oidc/secrets.env | 2 + .../overlays/secure/ingress.yaml | 9 + .../overlays/secure/kustomization.yaml | 35 + .../istio-ingress/overlays/secure/params.env | 3 + .../istio-ingress/overlays/secure/params.yaml | 3 + .../nvidia-device-plugin/base/daemonset.yaml | 37 + .../base/kustomization.yaml | 11 + .../overlays/application/application.yaml | 37 + .../overlays/application/kustomization.yaml | 9 + .../upstream/manifests/cert-manager/OWNERS | 4 + .../cert-manager-crds/base/crd.yaml | 5308 +++++ .../cert-manager-crds/base/kustomization.yaml | 4 + .../base/kustomization.yaml | 23 + .../base/params.env | 1 + .../base/params.yaml | 3 + .../base/role-binding.yaml | 58 + .../base/role.yaml | 28 
+ .../cert-manager/base/api-service.yaml | 16 + .../base/cluster-role-binding.yaml | 135 + .../cert-manager/base/cluster-role.yaml | 265 + .../cert-manager/base/deployment.yaml | 124 + .../cert-manager/base/kustomization.yaml | 40 + .../base/mutating-webhook-configuration.yaml | 32 + .../cert-manager/base/namespace.yaml | 4 + .../cert-manager/cert-manager/base/params.env | 1 + .../cert-manager/base/params.yaml | 9 + .../cert-manager/base/service-account.yaml | 24 + .../cert-manager/base/service.yaml | 30 + .../validating-webhook-configuration.yaml | 31 + .../kubeflow-issuer/kustomization.yaml | 6 + .../overlays/application/application.yaml | 34 + .../overlays/application/kustomization.yaml | 11 + .../overlays/application/params.yaml | 11 + .../overlays/letsencrypt/cluster-issuer.yaml | 11 + .../overlays/letsencrypt/kustomization.yaml | 32 + .../overlays/letsencrypt/params.env | 2 + .../overlays/letsencrypt/params.yaml | 5 + .../overlays/self-signed/cluster-issuer.yaml | 6 + .../overlays/self-signed/kustomization.yaml | 11 + .../cert-manager/v3/kustomization.yaml | 8 + .../base/gatekeeper-deployment.yaml | 40 + .../basic-auth/base/gatekeeper-service.yaml | 22 + .../basic-auth/base/kflogin-deployment.yaml | 23 + .../basic-auth/base/kflogin-service.yaml | 24 + .../common/basic-auth/base/kustomization.yaml | 46 + .../common/basic-auth/base/params.env | 2 + .../common/basic-auth/base/params.yaml | 5 + .../istio/kflogin-virtual-service.yaml | 20 + .../overlays/istio/kustomization.yaml | 8 + .../basic-auth/overlays/istio/params.yaml | 3 + .../base/clusterrole-binding.yaml | 14 + .../centraldashboard/base/clusterrole.yaml | 17 + .../centraldashboard/base/deployment.yaml | 32 + .../base/deployment_patch.yaml | 16 + .../centraldashboard/base/kustomization.yaml | 57 + .../common/centraldashboard/base/params.env | 3 + .../common/centraldashboard/base/params.yaml | 9 + .../centraldashboard/base/role-binding.yaml | 14 + .../common/centraldashboard/base/role.yaml | 25 + 
.../base/service-account.yaml | 4 + .../common/centraldashboard/base/service.yaml | 24 + .../base_v3/kustomization.yaml | 10 + .../overlays/application/application.yaml | 54 + .../overlays/application/kustomization.yaml | 7 + .../overlays/istio/kustomization.yaml | 7 + .../overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 20 + .../overlays/stacks/deployment_kf_config.yaml | 20 + .../overlays/stacks/kustomization.yaml | 12 + .../spartakus/base/cluster-role-binding.yaml | 13 + .../common/spartakus/base/cluster-role.yaml | 14 + .../common/spartakus/base/deployment.yaml | 29 + .../common/spartakus/base/kustomization.yaml | 21 + .../common/spartakus/base/params.env | 1 + .../common/spartakus/base/params.yaml | 3 + .../spartakus/base/service-account.yaml | 6 + .../overlays/application/application.yaml | 33 + .../overlays/application/kustomization.yaml | 9 + .../default-install/base/kustomization.yaml | 28 + .../manifests/default-install/base/params.env | 2 + .../default-install/base/params.yaml | 5 + .../base/profile-instance.yaml | 8 + .../upstream/manifests/dex-auth/OWNERS | 3 + .../upstream/manifests/dex-auth/README.md | 168 + .../dex-authenticator/base/config-map.yaml | 93 + .../dex-authenticator/base/deployment.yaml | 57 + .../dex-authenticator/base/kustomization.yaml | 67 + .../dex-authenticator/base/namespace.yaml | 4 + .../dex-authenticator/base/params.env | 9 + .../dex-authenticator/base/params.yaml | 3 + .../dex-authenticator/base/service.yaml | 16 + .../dex-auth/dex-crds/base/config-map.yaml | 30 + .../dex-auth/dex-crds/base/crds.yaml | 45 + .../dex-auth/dex-crds/base/deployment.yaml | 34 + .../dex-auth/dex-crds/base/kustomization.yaml | 84 + .../dex-auth/dex-crds/base/namespace.yaml | 4 + .../dex-auth/dex-crds/base/params.env | 11 + .../dex-auth/dex-crds/base/params.yaml | 5 + .../dex-auth/dex-crds/base/service.yaml | 14 + .../overlays/istio/kustomization.yaml | 23 + .../dex-crds/overlays/istio/params.env | 1 + 
.../dex-crds/overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 22 + .../dex-crds/overlays/ldap/config-map.yaml | 97 + .../dex-crds/overlays/ldap/deployment.yaml | 19 + .../dex-crds/overlays/ldap/kustomization.yaml | 54 + .../dex-crds/overlays/ldap/params.env | 11 + .../dex-crds/overlays/ldap/params.yaml | 3 + .../dex-auth/dex-ldap/base/deployment.yaml | 31 + .../dex-auth/dex-ldap/base/kustomization.yaml | 15 + .../dex-auth/dex-ldap/base/namespace.yaml | 4 + .../dex-auth/dex-ldap/base/service.yaml | 31 + .../keycloak-gatekeeper/base/config-map.yaml | 70 + .../keycloak-gatekeeper/base/deployment.yaml | 61 + .../base/kustomization.yaml | 73 + .../keycloak-gatekeeper/base/namespace.yaml | 4 + .../keycloak-gatekeeper/base/params.env | 7 + .../keycloak-gatekeeper/base/params.yaml | 3 + .../keycloak-gatekeeper/base/service.yaml | 15 + .../base/virtualservice.yaml | 21 + .../manifests/docs/KustomizeBestPractices.md | 261 + .../upstream/manifests/docs/TestFramework.md | 11 + .../docs/dex-auth/assets/auth-istio.png | Bin 0 -> 48213 bytes .../docs/dex-auth/assets/ldap_tree.png | Bin 0 -> 151085 bytes .../dex-auth/assets/user_settings_ldap.png | Bin 0 -> 69479 bytes .../docs/dex-auth/examples/README.md | 17 + .../docs/dex-auth/examples/apply_example.sh | 60 + .../Istio/base/kustomization.yaml | 36 + .../authentication/Istio/base/params.env | 3 + .../authentication/Istio/base/params.yaml | 7 + .../authentication/Istio/base/policy.yaml | 16 + .../Istio/cluster_rbac_config.yaml | 8 + .../Istio/ml_pipeline_service_role.yaml | 8 + .../ml_pipeline_service_role_binding.yaml | 12 + .../cluster_read_all_cluster_role.yaml | 58 + ...cluster_read_all_cluster_role_binding.yaml | 18 + .../cluster_write_all_cluster_role.yaml | 67 + ...luster_write_all_cluster_role_binding.yaml | 15 + .../secrets_write_all_cluster_role.yaml | 24 + ...ecrets_write_all_cluster_role_binding.yaml | 12 + .../docs/dex-auth/examples/gencert.sh | 60 + 
.../experimental/gcp/template/openapi.yaml | 54 + .../mirror-images/gcp_template.yaml | 9 + .../mirror-images/mirror_task.yaml | 23 + .../upstream/manifests/gatekeeper/README.md | 58 + .../gatekeeper/constraint-template.yaml | 40 + .../gatekeeper/ns-required-annotations.yaml | 15 + .../base/backend-config.yaml | 7 + .../base/cloud-endpoint.yaml | 9 + .../base/cluster-role-binding.yaml | 12 + .../basic-auth-ingress/base/cluster-role.yaml | 26 + .../basic-auth-ingress/base/config-map.yaml | 74 + .../basic-auth-ingress/base/deployment.yaml | 28 + .../base/gcp-credentials-patch.yaml | 21 + .../gcp/basic-auth-ingress/base/ingress.yaml | 17 + .../base/istio-mapping-svc.yaml | 27 + .../base/kustomization.yaml | 88 + .../gcp/basic-auth-ingress/base/params.env | 9 + .../gcp/basic-auth-ingress/base/params.yaml | 35 + .../base/service-account.yaml | 4 + .../gcp/basic-auth-ingress/base/service.yaml | 22 + .../basic-auth-ingress/base/stateful-set.yaml | 41 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../overlays/certmanager/certificate.yaml | 18 + .../overlays/certmanager/job.yaml | 31 + .../overlays/certmanager/kustomization.yaml | 14 + .../gcp-credentials-patch.yaml | 21 + .../gcp-credentials/kustomization.yaml | 6 + .../overlays/managed-cert/cert.yaml | 7 + .../overlays/managed-cert/kustomization.yaml | 9 + .../base/cluster-role-binding.yaml | 11 + .../cloud-endpoints/base/cluster-role.yaml | 21 + .../base/composite-controller.yaml | 20 + .../gcp/cloud-endpoints/base/crd.yaml | 15 + .../gcp/cloud-endpoints/base/deployment.yaml | 28 + .../base/gcp-credentials-patch.yaml | 21 + .../cloud-endpoints/base/kustomization.yaml | 40 + .../gcp/cloud-endpoints/base/params.env | 2 + .../gcp/cloud-endpoints/base/params.yaml | 7 + .../cloud-endpoints/base/service-account.yaml | 4 + .../gcp/cloud-endpoints/base/service.yaml | 11 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 10 + 
.../gcp-credentials-patch.yaml | 21 + .../gcp-credentials/kustomization.yaml | 6 + .../gcp/deployment_manager_configs/README.md | 4 + .../cluster-kubeflow.yaml | 97 + .../deployment_manager_configs/cluster.jinja | 185 + .../cluster.jinja.schema | 34 + .../gcp/deployment_manager_configs/gcfs.yaml | 19 + .../iam_bindings_template.yaml | 46 + .../deployment_manager_configs/network.jinja | 19 + .../deployment_manager_configs/network.yaml | 19 + .../storage-kubeflow.yaml | 34 + .../deployment_manager_configs/storage.jinja | 75 + .../storage.jinja.schema | 126 + .../gcp/gpu-driver/base/daemon-set.yaml | 61 + .../gcp/gpu-driver/base/kustomization.yaml | 13 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../gcp/iap-ingress/base/backend-config.yaml | 11 + .../gcp/iap-ingress/base/cloud-endpoint.yaml | 9 + .../base/cluster-role-binding.yaml | 11 + .../gcp/iap-ingress/base/cluster-role.yaml | 39 + .../gcp/iap-ingress/base/config-map.yaml | 153 + .../gcp/iap-ingress/base/deployment.yaml | 66 + .../gcp/iap-ingress/base/ingress.yaml | 17 + .../gcp/iap-ingress/base/kustomization.yaml | 107 + .../manifests/gcp/iap-ingress/base/params.env | 10 + .../gcp/iap-ingress/base/params.yaml | 45 + .../gcp/iap-ingress/base/policy.yaml | 22 + .../gcp/iap-ingress/base/service-account.yaml | 4 + .../gcp/iap-ingress/base/service.yaml | 13 + .../gcp/iap-ingress/base/stateful-set.yaml | 40 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../overlays/certmanager/certificate.yaml | 18 + .../iap-ingress/overlays/certmanager/job.yaml | 43 + .../overlays/certmanager/kustomization.yaml | 14 + .../overlays/gcp-credentials/deployment.yaml | 21 + .../gcp-credentials/kustomization.yaml | 7 + .../gcp-credentials/stateful-set.yaml | 20 + .../overlays/managed-cert/cert.yaml | 7 + .../overlays/managed-cert/kustomization.yaml | 9 + .../gcp/iap-ingress/v3/kustomization.yaml | 121 + 
.../gcp/privateutil/base/iap-jwt-key.yaml | 97 + .../gcp/privateutil/base/kustomization.yaml | 4 + .../gcp/prometheus/base/kustomization.yaml | 37 + .../manifests/gcp/prometheus/base/params.env | 3 + .../manifests/gcp/prometheus/base/params.yaml | 3 + .../gcp/prometheus/base/prometheus.yaml | 273 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../upstream/manifests/gcp/v2/README.md | 88 + .../manifests/gcp/v2/asm/istio-operator.yaml | 39 + .../gcp/v2/cnrm/cluster/cluster.yaml | 39 + .../gcp/v2/cnrm/cluster/kf-vm-policy.yaml | 71 + .../gcp/v2/cnrm/cluster/kf-vm-sa.yaml | 21 + .../gcp/v2/cnrm/cluster/kustomization.yaml | 6 + .../gcp/v2/cnrm/cluster/nodepool.yaml | 36 + .../gcp/v2/cnrm/iam/kf-admin-policy.yaml | 167 + .../gcp/v2/cnrm/iam/kf-admin-sa.yaml | 21 + .../gcp/v2/cnrm/iam/kf-user-policy.yaml | 143 + .../manifests/gcp/v2/cnrm/iam/kf-user-sa.yaml | 21 + .../gcp/v2/cnrm/iam/kustomization.yaml | 7 + .../gcp/v2/cnrm/ingress/compute-address.yaml | 11 + .../gcp/v2/cnrm/ingress/kustomization.yaml | 4 + .../manifests/gcp/v2/cnrm/kustomization.yaml | 8 + .../manifests/gcp/v2/cnrm/pipelines/disk.yaml | 15 + .../gcp/v2/cnrm/pipelines/kustomization.yaml | 4 + .../gcp/v2/management/cluster/README.md | 2 + .../gcp/v2/management/cluster/cluster.yaml | 26 + .../management/cluster/enable-services.yaml | 8 + .../v2/management/cluster/kustomization.yaml | 4 + .../gcp/v2/management/cluster/nodepool.yaml | 28 + .../gcp/v2/management/cnrm-install/README.md | 12 + .../cnrm-install/enable-services.yaml | 8 + .../gcp/v2/management/cnrm-install/iam.yaml | 36 + .../install-system/0-cnrm-system.yaml | 581 + .../cnrm-install/install-system/crds.yaml | 17665 ++++++++++++++ .../install-system/kustomization.yaml | 5 + .../gcp/v2/privateGKE/compute-network.yaml | 39 + .../manifests/gcp/v2/privateGKE/dns-gcr.yaml | 41 + .../gcp/v2/privateGKE/dns-google-apis.yaml | 41 + .../manifests/gcp/v2/privateGKE/firewall.yaml | 95 + 
.../gcp/v2/privateGKE/kustomization.yaml | 5 + .../upstream/manifests/go.mod | 5 + .../upstream/manifests/go.sum | 167 + .../manifests/hack/build_kfdef_specs.py | 75 + .../upstream/manifests/hack/gen-tree.sh | 10 + .../hack/generate_legacy_kustomizations.py | 185 + .../upstream/manifests/hack/generate_tests.py | 170 + .../hack/templates/kustomize_test.go.template | 15 + .../upstream/manifests/hack/utils.sh | 122 + .../upstream/manifests/istio-1-3-1/OWNERS | 3 + .../base/cluster-role-binding.yaml | 11 + .../base/cluster-role.yaml | 11 + .../base/deployment.yaml | 181 + .../base/horizontal-pod-autoscaler.yaml | 19 + .../base/kustomization.yaml | 32 + .../base/namespace.yaml | 4 + .../base/params.env | 1 + .../base/params.yaml | 3 + .../base/pod-disruption-budget.yaml | 14 + .../base/service-account.yaml | 11 + .../base/service.yaml | 47 + .../istio-crds-1-3-1/base/crd.yaml | 723 + .../istio-crds-1-3-1/base/kustomization.yaml | 7 + .../base/attribute-manifest.yaml | 199 + .../base/cluster-role-binding.yaml | 149 + .../base/cluster-role.yaml | 401 + .../istio-install-1-3-1/base/config-map.yaml | 1000 + .../istio-install-1-3-1/base/daemon-set.yaml | 86 + .../istio-install-1-3-1/base/deployment.yaml | 1164 + .../istio-install-1-3-1/base/handler.yaml | 223 + .../base/horizontal-pod-autoscaler.yaml | 82 + .../istio-install-1-3-1/base/instance.yaml | 323 + .../istio-install-1-3-1/base/job.yaml | 63 + .../base/kustomization.yaml | 61 + .../base/mutating-webhook-configuration.yaml | 27 + .../istio-install-1-3-1/base/namespace.yaml | 4 + .../istio-install-1-3-1/base/params.env | 1 + .../istio-install-1-3-1/base/params.yaml | 35 + .../base/pod-disruption-budget.yaml | 99 + .../base/role-binding.yaml | 11 + .../istio-install-1-3-1/base/role.yaml | 13 + .../istio-install-1-3-1/base/rule.yaml | 134 + .../base/service-account.yaml | 86 + .../base/service-role-binding.yaml | 13 + .../base/service-role.yaml | 10 + .../istio-install-1-3-1/base/service.yaml | 189 + 
.../upstream/manifests/istio/OWNERS | 3 + .../base/envoy-filter.yaml | 19 + .../base/kustomization.yaml | 5 + .../base/cluster-role-binding.yaml | 14 + .../base/cluster-role.yaml | 22 + .../base/deployment.yaml | 158 + .../base/horizontal-pod-autoscaler.yaml | 19 + .../base/kustomization.yaml | 32 + .../cluster-local-gateway/base/namespace.yaml | 4 + .../cluster-local-gateway/base/params.env | 1 + .../cluster-local-gateway/base/params.yaml | 5 + .../base/pod-disruption-budget.yaml | 14 + .../base/service-account.yaml | 11 + .../cluster-local-gateway/base/service.yaml | 47 + .../upstream/manifests/istio/gcp-1-1-6/OWNERS | 4 + .../manifests/istio/gcp-1-1-6/README.md | 8 + .../istio/gcp-1-1-6/kustomization.yaml | 8 + .../base/istio-ingressgateway.yaml | 62 + .../istio/iap-gateway/base/kustomization.yaml | 5 + .../base/certificate.yaml | 13 + .../base/kustomization.yaml | 22 + .../base/params.env | 1 + .../base/params.yaml | 3 + .../manifests/istio/istio-crds/base/crds.yaml | 1535 ++ .../istio/istio-crds/base/kustomization.yaml | 5 + .../istio-install/base/istio-noauth.yaml | 17384 ++++++++++++++ .../istio-install/base/kustomization.yaml | 39 + .../manifests/istio/istio/base/README.md | 7 + .../istio/istio/base/cluster-roles.yaml | 55 + .../istio/istio/base/kf-istio-resources.yaml | 113 + .../istio/istio/base/kustomization.yaml | 26 + .../manifests/istio/istio/base/params.env | 2 + .../manifests/istio/istio/base/params.yaml | 5 + .../https-gateway/kf-istio-resources.yaml | 18 + .../overlays/https-gateway/kustomization.yaml | 13 + .../istio/overlays/https-gateway/params.env | 1 + .../istio/overlays/https-gateway/params.yaml | 3 + .../oidc-authservice/base/envoy-filter.yaml | 32 + .../oidc-authservice/base/kustomization.yaml | 87 + .../istio/oidc-authservice/base/params.env | 9 + .../istio/oidc-authservice/base/params.yaml | 7 + .../istio/oidc-authservice/base/pvc.yaml | 10 + .../istio/oidc-authservice/base/service.yaml | 13 + .../oidc-authservice/base/statefulset.yaml | 
62 + .../overlays/application/application.yaml | 43 + .../overlays/application/kustomization.yaml | 9 + .../ibm-storage-config/kustomization.yaml | 10 + .../ibm-storage-config/statefulset.yaml | 15 + .../upstream/manifests/jupyter/OWNERS | 4 + .../base/cluster-role-binding.yaml | 11 + .../jupyter-web-app/base/cluster-role.yaml | 112 + .../base/configs/spawner_ui_config.yaml | 128 + .../jupyter-web-app/base/deployment.yaml | 24 + .../base/deployment_patch.yaml | 27 + .../jupyter-web-app/base/kustomization.yaml | 85 + .../jupyter/jupyter-web-app/base/params.env | 7 + .../jupyter/jupyter-web-app/base/params.yaml | 9 + .../jupyter-web-app/base/role-binding.yaml | 11 + .../jupyter/jupyter-web-app/base/role.yaml | 35 + .../jupyter-web-app/base/service-account.yaml | 4 + .../jupyter/jupyter-web-app/base/service.yaml | 23 + .../base_v3/deployment_patch.yaml | 22 + .../base_v3/kustomization.yaml | 50 + .../overlays/application/application.yaml | 49 + .../overlays/application/kustomization.yaml | 7 + .../overlays/aws/kustomization.yaml | 9 + .../overlays/aws/spawner_ui_config.yaml | 132 + .../overlays/istio/kustomization.yaml | 6 + .../overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 24 + .../base/cluster-role-binding.yaml | 11 + .../base/cluster-role.yaml | 107 + .../jupyter/notebook-controller/base/crd.yaml | 64 + .../notebook-controller/base/deployment.yaml | 23 + .../base/deployment_patch.yaml | 15 + .../base/kustomization.yaml | 43 + .../notebook-controller/base/params.env | 3 + .../base/service-account.yaml | 4 + .../notebook-controller/base/service.yaml | 7 + .../base_v3/deployment_patch.yaml | 21 + .../base_v3/kustomization.yaml | 28 + .../overlays/application/application.yaml | 39 + .../overlays/application/kustomization.yaml | 9 + .../overlays/istio/deployment.yaml | 14 + .../overlays/istio/kustomization.yaml | 12 + .../overlays/istio/params.env | 2 + .../upstream/manifests/katib/OWNERS | 4 + .../katib-controller/kustomization.yaml | 27 + 
.../katib-db-manager/kustomization.yaml | 10 + .../katib-db-mysql/kustomization.yaml | 12 + .../katib-db-manager-deployment.yaml | 37 + .../katib-external-db/kustomization.yaml | 14 + .../installs/katib-external-db/secrets.env | 5 + .../katib-standalone-ibm/kustomization.yaml | 10 + .../katib-standalone/kustomization.yaml | 10 + .../base/katib-configmap.yaml | 49 + .../base/katib-controller-deployment.yaml | 48 + .../base/katib-controller-rbac.yaml | 146 + .../base/katib-controller-secret.yaml | 4 + .../base/katib-controller-service.yaml | 19 + .../base/katib-db-manager-deployment.yaml | 49 + .../base/katib-db-manager-service.yaml | 16 + .../base/katib-mysql-deployment.yaml | 66 + .../base/katib-mysql-pvc.yaml | 10 + .../base/katib-mysql-secret.yaml | 7 + .../base/katib-mysql-service.yaml | 16 + .../base/katib-ui-deployment.yaml | 39 + .../katib-controller/base/katib-ui-rbac.yaml | 36 + .../base/katib-ui-service.yaml | 17 + .../katib-controller/base/kustomization.yaml | 52 + .../katib/katib-controller/base/params.env | 1 + .../katib/katib-controller/base/params.yaml | 7 + .../base/trial-template-configmap.yaml | 27 + .../overlays/application/application.yaml | 66 + .../overlays/application/kustomization.yaml | 9 + .../katib-mysql-deployment.yaml | 11 + .../ibm-storage-config/kustomization.yaml | 10 + .../istio/katib-ui-virtual-service.yaml | 20 + .../overlays/istio/kustomization.yaml | 8 + .../overlays/istio/params.yaml | 3 + .../katib-controller/v3/kustomization.yaml | 39 + .../katib/katib-controller/v3/params.yaml | 3 + .../katib/katib-crds/base/experiment-crd.yaml | 25 + .../katib/katib-crds/base/kustomization.yaml | 7 + .../katib/katib-crds/base/suggestion-crd.yaml | 34 + .../katib/katib-crds/base/trial-crd.yaml | 28 + .../overlays/application/application.yaml | 64 + .../overlays/application/kustomization.yaml | 9 + .../katib/katib-crds/v3/kustomization.yaml | 11 + .../upstream/manifests/kfdef/OWNERS | 11 + .../upstream/manifests/kfdef/README.md | 3 + 
.../upstream/manifests/kfdef/generic/OWNERS | 2 + .../manifests/kfdef/generic/README.md | 2 + .../kfdef/generic/auth_oidc/authservice.tmpl | 73 + .../kfdef/generic/auth_oidc/dex.tmpl | 121 + .../kfdef/generic/auth_oidc/envoy-filter.yaml | 34 + .../kfdef/generic/auth_oidc/gateway.yaml | 50 + .../manifests/kfdef/generic/istio/crds.yaml | 1534 ++ .../kfdef/generic/istio/istio-noauth.yaml | 18988 ++++++++++++++++ .../manifests/kfdef/kfctl_anthos.v1.0.0.yaml | 319 + .../manifests/kfdef/kfctl_anthos.v1.0.1.yaml | 319 + .../manifests/kfdef/kfctl_anthos.v1.0.2.yaml | 319 + .../manifests/kfdef/kfctl_anthos.yaml | 319 + .../manifests/kfdef/kfctl_aws.v1.0.0.yaml | 351 + .../manifests/kfdef/kfctl_aws.v1.0.1.yaml | 351 + .../manifests/kfdef/kfctl_aws.v1.0.2.yaml | 393 + .../upstream/manifests/kfdef/kfctl_aws.yaml | 386 + .../kfdef/kfctl_aws_cognito.v1.0.0.yaml | 378 + .../kfdef/kfctl_aws_cognito.v1.0.1.yaml | 378 + .../kfdef/kfctl_aws_cognito.v1.0.2.yaml | 420 + .../manifests/kfdef/kfctl_aws_cognito.yaml | 413 + .../manifests/kfdef/kfctl_gcp_asm_exp.yaml | 408 + .../kfdef/kfctl_gcp_basic_auth.v1.0.0.yaml | 431 + .../kfdef/kfctl_gcp_basic_auth.v1.0.1.yaml | 431 + .../kfdef/kfctl_gcp_basic_auth.v1.0.2.yaml | 431 + .../manifests/kfdef/kfctl_gcp_basic_auth.yaml | 423 + .../manifests/kfdef/kfctl_gcp_iap.v1.0.0.yaml | 426 + .../manifests/kfdef/kfctl_gcp_iap.v1.0.1.yaml | 426 + .../manifests/kfdef/kfctl_gcp_iap.v1.0.2.yaml | 429 + .../manifests/kfdef/kfctl_gcp_iap.yaml | 426 + .../manifests/kfdef/kfctl_ibm.v1.0.0.yaml | 361 + .../manifests/kfdef/kfctl_ibm.v1.0.1.yaml | 361 + .../manifests/kfdef/kfctl_ibm.v1.0.2.yaml | 361 + .../upstream/manifests/kfdef/kfctl_ibm.yaml | 353 + .../kfdef/kfctl_istio_dex.v1.0.0.yaml | 374 + .../kfdef/kfctl_istio_dex.v1.0.1.yaml | 374 + .../kfdef/kfctl_istio_dex.v1.0.2.yaml | 374 + .../manifests/kfdef/kfctl_istio_dex.yaml | 373 + .../kfdef/kfctl_k8s_istio.v1.0.0.yaml | 356 + .../kfdef/kfctl_k8s_istio.v1.0.1.yaml | 356 + 
.../kfdef/kfctl_k8s_istio.v1.0.2.yaml | 356 + .../manifests/kfdef/kfctl_k8s_istio.yaml | 348 + .../kfdef/kfctl_upgrade_gcp_iap_1.0.0.yaml | 14 + .../kfdef/kfctl_upgrade_gcp_iap_1.0.2.yaml | 14 + .../upstream/manifests/kfdef/source/README.md | 16 + .../kfdef/source/master/kfctl_anthos.yaml | 325 + .../kfdef/source/master/kfctl_aws.yaml | 386 + .../source/master/kfctl_aws_cognito.yaml | 413 + .../source/master/kfctl_gcp_basic_auth.yaml | 445 + .../kfdef/source/master/kfctl_gcp_iap.yaml | 452 + .../kfdef/source/master/kfctl_ibm.yaml | 357 + .../kfdef/source/master/kfctl_istio_dex.yaml | 377 + .../kfdef/source/master/kfctl_k8s_istio.yaml | 353 + .../kfdef/source/master/kustomization.yaml | 12 + .../kfdef/source/v1.0.0/kfctl_anthos.yaml | 13 + .../kfdef/source/v1.0.0/kfctl_aws.yaml | 13 + .../source/v1.0.0/kfctl_aws_cognito.yaml | 13 + .../source/v1.0.0/kfctl_gcp_basic_auth.yaml | 13 + .../kfdef/source/v1.0.0/kfctl_gcp_iap.yaml | 12 + .../kfdef/source/v1.0.0/kfctl_ibm.yaml | 13 + .../kfdef/source/v1.0.0/kfctl_istio_dex.yaml | 14 + .../kfdef/source/v1.0.0/kfctl_k8s_istio.yaml | 13 + .../kfdef/source/v1.0.0/kustomization.yaml | 14 + .../kfdef/source/v1.0.1/kfctl_anthos.yaml | 13 + .../kfdef/source/v1.0.1/kfctl_aws.yaml | 13 + .../source/v1.0.1/kfctl_aws_cognito.yaml | 13 + .../source/v1.0.1/kfctl_gcp_basic_auth.yaml | 13 + .../kfdef/source/v1.0.1/kfctl_gcp_iap.yaml | 12 + .../kfdef/source/v1.0.1/kfctl_ibm.yaml | 13 + .../kfdef/source/v1.0.1/kfctl_istio_dex.yaml | 14 + .../kfdef/source/v1.0.1/kfctl_k8s_istio.yaml | 13 + .../kfdef/source/v1.0.1/kustomization.yaml | 14 + .../kfdef/source/v1.0.2/kfctl_anthos.yaml | 13 + .../kfdef/source/v1.0.2/kfctl_aws.yaml | 13 + .../source/v1.0.2/kfctl_aws_cognito.yaml | 13 + .../source/v1.0.2/kfctl_gcp_basic_auth.yaml | 13 + .../kfdef/source/v1.0.2/kfctl_gcp_iap.yaml | 12 + .../kfdef/source/v1.0.2/kfctl_ibm.yaml | 13 + .../kfdef/source/v1.0.2/kfctl_istio_dex.yaml | 14 + .../kfdef/source/v1.0.2/kfctl_k8s_istio.yaml | 13 + 
.../kfdef/source/v1.0.2/kustomization.yaml | 14 + .../kfserving/kfserving-crds/base/crd.yaml | 607 + .../kfserving-crds/base/kustomization.yaml | 4 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../base/cluster-role-binding.yaml | 25 + .../kfserving-install/base/cluster-role.yaml | 209 + .../kfserving-install/base/config-map.yaml | 102 + .../kfserving-install/base/kustomization.yaml | 32 + .../kfserving-install/base/params.env | 1 + .../kfserving-install/base/params.yaml | 5 + .../kfserving-install/base/secret.yaml | 4 + .../kfserving-install/base/service.yaml | 34 + .../kfserving-install/base/statefulset.yaml | 70 + .../overlays/application/application.yaml | 40 + .../overlays/application/kustomization.yaml | 9 + .../knative-serving-crds/base/crd.yaml | 397 + .../base/kustomization.yaml | 5 + .../knative-serving-crds/base/namespace.yaml | 9 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../base/apiservice.yaml | 18 + .../base/cluster-role-binding.yaml | 50 + .../base/cluster-role.yaml | 265 + .../base/config-map.yaml | 694 + .../base/deployment.yaml | 359 + .../knative-serving-install/base/gateway.yaml | 18 + .../knative-serving-install/base/hpa.yaml | 23 + .../knative-serving-install/base/image.yaml | 12 + .../base/kustomization.yaml | 39 + .../base/role-binding.yaml | 17 + .../base/service-account.yaml | 10 + .../base/service-role-binding.yaml | 11 + .../base/service-role.yaml | 13 + .../knative-serving-install/base/service.yaml | 86 + .../base/webhook-configuration.yaml | 61 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../kubebench/base/cluster-role-binding.yaml | 11 + .../kubebench/base/cluster-role.yaml | 38 + .../manifests/kubebench/base/config-map.yaml | 17 + .../manifests/kubebench/base/crd.yaml | 11 + .../manifests/kubebench/base/deployment.yaml | 30 + .../kubebench/base/kustomization.yaml | 
30 + .../manifests/kubebench/base/params.env | 2 + .../manifests/kubebench/base/params.yaml | 3 + .../kubebench/base/service-account.yaml | 6 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../overlays/istio/kustomization.yaml | 8 + .../kubebench/overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 20 + .../upstream/manifests/kubeflow-roles/OWNERS | 4 + .../manifests/kubeflow-roles/README.md | 70 + .../kubeflow-roles/base/cluster-roles.yaml | 335 + .../kubeflow-roles/base/kustomization.yaml | 4 + .../base/cluster-role-binding.yaml | 11 + .../manifests/metacontroller/base/crd.yaml | 45 + .../metacontroller/base/kustomization.yaml | 14 + .../metacontroller/base/service-account.yaml | 4 + .../metacontroller/base/stateful-set.yaml | 43 + .../upstream/manifests/metadata/OWNERS | 4 + .../manifests/metadata/base/grpc-params.env | 2 + .../metadata/base/kustomization.yaml | 73 + .../metadata/base/metadata-deployment.yaml | 78 + .../base/metadata-envoy-deployment.yaml | 26 + .../metadata/base/metadata-envoy-service.yaml | 14 + .../metadata/base/metadata-service.yaml | 29 + .../metadata/base/metadata-ui-deployment.yaml | 26 + .../metadata/base/metadata-ui-role.yaml | 26 + .../base/metadata-ui-rolebinding.yaml | 14 + .../metadata/base/metadata-ui-sa.yaml | 4 + .../metadata/base/metadata-ui-service.yaml | 12 + .../manifests/metadata/base/params.env | 1 + .../overlays/application/application.yaml | 40 + .../overlays/application/kustomization.yaml | 9 + .../metadata/overlays/db/kustomization.yaml | 34 + .../overlays/db/metadata-db-deployment.yaml | 49 + .../metadata/overlays/db/metadata-db-pvc.yaml | 10 + .../overlays/db/metadata-db-service.yaml | 14 + .../overlays/db/metadata-deployment.yaml | 63 + .../manifests/metadata/overlays/db/params.env | 3 + .../metadata/overlays/db/secrets.env | 2 + .../external-mysql/kustomization.yaml | 14 + .../external-mysql/metadata-deployment.yaml | 63 + 
.../overlays/external-mysql/params.env | 4 + .../overlays/external-mysql/secrets.env | 2 + .../overlays/google-cloudsql/README.md | 58 + .../google-cloudsql/kustomization.yaml | 15 + .../google-cloudsql/metadata-deployment.yaml | 108 + .../overlays/google-cloudsql/params.env | 5 + .../ibm-storage-config/kustomization.yaml | 8 + .../overlays/istio/kustomization.yaml | 9 + .../metadata/overlays/istio/params.yaml | 3 + .../istio/virtual-service-metadata-grpc.yaml | 21 + .../overlays/istio/virtual-service.yaml | 21 + .../manifests/metadata/v3/kustomization.yaml | 8 + .../manifests/metadata/v3/params.yaml | 3 + .../base/artifact-store-deployment.yaml | 39 + .../modeldb/base/artifact-store-service.yaml | 14 + .../modeldb/base/backend-deployment.yaml | 38 + .../modeldb/base/backend-proxy-service.yaml | 14 + .../modeldb/base/backend-service.yaml | 13 + .../manifests/modeldb/base/configmap.yaml | 17 + .../manifests/modeldb/base/kustomization.yaml | 35 + .../base/mysql-backend-deployment.yaml | 39 + .../manifests/modeldb/base/mysql-service.yaml | 14 + .../modeldb/base/persistent-volume-claim.yaml | 12 + .../modeldb/base/proxy-deployment.yaml | 36 + .../manifests/modeldb/base/secret.yaml | 40 + .../modeldb/base/webapp-deplyment.yaml | 27 + .../modeldb/base/webapp-service.yaml | 14 + .../base/cluster-role-binding.yaml | 13 + .../mpi-operator/base/cluster-role.yaml | 162 + .../mpi-job/mpi-operator/base/crd.yaml | 150 + .../mpi-job/mpi-operator/base/deployment.yaml | 27 + .../mpi-operator/base/kustomization.yaml | 36 + .../mpi-job/mpi-operator/base/params.env | 2 + .../mpi-operator/base/service-account.yaml | 6 + .../overlays/application/application.yaml | 42 + .../overlays/application/kustomization.yaml | 9 + .../base/cluster-role-binding.yaml | 13 + .../mxnet-operator/base/cluster-role.yaml | 107 + .../mxnet-job/mxnet-operator/base/crd.yaml | 12 + .../mxnet-operator/base/deployment.yaml | 31 + .../mxnet-operator/base/kustomization.yaml | 15 + 
.../mxnet-operator/base/service-account.yaml | 6 + .../overlays/application/application.yaml | 42 + .../overlays/application/kustomization.yaml | 9 + .../namespaces/base/kustomization.yaml | 4 + .../manifests/namespaces/base/namespaces.yaml | 13 + .../upstream/manifests/pipeline/OWNERS | 4 + .../pipeline/api-service/base/config-map.yaml | 27 + .../pipeline/api-service/base/deployment.yaml | 35 + .../api-service/base/kustomization.yaml | 15 + .../api-service/base/role-binding.yaml | 11 + .../pipeline/api-service/base/role.yaml | 37 + .../api-service/base/service-account.yaml | 4 + .../pipeline/api-service/base/service.yaml | 14 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../overlays/external-mysql/config-map.yaml | 28 + .../external-mysql/kustomization.yaml | 35 + .../overlays/external-mysql/params.env | 3 + .../overlays/external-mysql/params.yaml | 3 + .../overlays/use-kf-user/deployment.yaml | 12 + .../overlays/use-kf-user/kustomization.yaml | 6 + .../pipeline/minio/base/deployment.yaml | 33 + .../pipeline/minio/base/kustomization.yaml | 28 + .../manifests/pipeline/minio/base/params.env | 1 + .../manifests/pipeline/minio/base/params.yaml | 5 + .../minio/base/persistent-volume-claim.yaml | 10 + .../manifests/pipeline/minio/base/secret.yaml | 8 + .../pipeline/minio/base/service.yaml | 11 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../minio/overlays/minioPd/kustomization.yaml | 31 + .../minio/overlays/minioPd/params.env | 2 + .../minio/overlays/minioPd/params.yaml | 9 + .../minioPd/persistent-volume-claim.yaml | 7 + .../overlays/minioPd/persistent-volume.yaml | 12 + .../pipeline/mysql/base/deployment.yaml | 28 + .../pipeline/mysql/base/kustomization.yaml | 27 + .../manifests/pipeline/mysql/base/params.env | 1 + .../manifests/pipeline/mysql/base/params.yaml | 5 + .../mysql/base/persistent-volume-claim.yaml | 10 + .../pipeline/mysql/base/service.yaml | 7 
+ .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../mysql/overlays/mysqlPd/kustomization.yaml | 31 + .../mysql/overlays/mysqlPd/params.env | 2 + .../mysql/overlays/mysqlPd/params.yaml | 9 + .../mysqlPd/persistent-volume-claim.yaml | 7 + .../overlays/mysqlPd/persistent-volume.yaml | 12 + .../base/clusterrole-binding.yaml | 11 + .../persistent-agent/base/clusterrole.yaml | 21 + .../persistent-agent/base/deployment.yaml | 20 + .../persistent-agent/base/kustomization.yaml | 14 + .../base/service-account.yaml | 4 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../base/deployment.yaml | 23 + .../base/kustomization.yaml | 12 + .../base/service.yaml | 12 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../overlays/use-kf-user/deployment.yaml | 8 + .../overlays/use-kf-user/kustomization.yaml | 6 + .../base/cluster-role-binding.yaml | 11 + .../pipelines-runner/base/cluster-role.yaml | 93 + .../pipelines-runner/base/kustomization.yaml | 9 + .../base/service-account.yaml | 4 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../use-kf-user/cluster-role-binding.yaml | 9 + .../overlays/use-kf-user/kustomization.yaml | 6 + .../pipelines-ui/base/deployment.yaml | 27 + .../pipelines-ui/base/kustomization.yaml | 45 + .../pipeline/pipelines-ui/base/params.env | 1 + .../pipelines-ui/base/role-binding.yaml | 13 + .../pipeline/pipelines-ui/base/role.yaml | 26 + .../pipelines-ui/base/service-account.yaml | 4 + .../pipeline/pipelines-ui/base/service.yaml | 26 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../pipelines-ui/overlays/gcp/configmap.yaml | 11 + .../pipelines-ui/overlays/gcp/deployment.yaml | 31 + .../overlays/gcp/kustomization.yaml | 8 + .../overlays/istio/kustomization.yaml | 8 + 
.../pipelines-ui/overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 43 + .../base/cluster-role-binding.yaml | 11 + .../pipelines-viewer/base/cluster-role.yaml | 86 + .../pipeline/pipelines-viewer/base/crd.yaml | 18 + .../pipelines-viewer/base/deployment.yaml | 20 + .../pipelines-viewer/base/kustomization.yaml | 16 + .../base/service-account.yaml | 4 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../scheduledworkflow/base/cluster-role.yaml | 55 + .../pipeline/scheduledworkflow/base/crd.yaml | 18 + .../scheduledworkflow/base/deployment.yaml | 20 + .../scheduledworkflow/base/kustomization.yaml | 16 + .../scheduledworkflow/base/role-binding.yaml | 11 + .../pipeline/scheduledworkflow/base/role.yaml | 29 + .../base/service-account.yaml | 4 + .../overlays/application/application.yaml | 31 + .../overlays/application/kustomization.yaml | 9 + .../manifests/profiles/base/README.md | 5 + .../profiles/base/cluster-role-binding.yaml | 11 + .../upstream/manifests/profiles/base/crd.yaml | 156 + .../manifests/profiles/base/deployment.yaml | 57 + .../profiles/base/kustomization.yaml | 65 + .../manifests/profiles/base/params.env | 4 + .../manifests/profiles/base/params.yaml | 13 + .../profiles/base/service-account.yaml | 4 + .../manifests/profiles/base/service.yaml | 7 + .../profiles/base_v3/deployment_patch.yaml | 58 + .../profiles/base_v3/kustomization.yaml | 29 + .../overlays/application/application.yaml | 43 + .../overlays/application/kustomization.yaml | 9 + .../profiles/overlays/debug/deployment.yaml | 22 + .../overlays/debug/kustomization.yaml | 25 + .../profiles/overlays/debug/params.env | 1 + .../profiles/overlays/debug/params.yaml | 3 + .../profiles/overlays/devices/deployment.yaml | 16 + .../overlays/devices/kustomization.yaml | 6 + .../overlays/istio/kustomization.yaml | 8 + .../profiles/overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 24 + 
.../profiles/overlays/test/app_test.yaml | 23 + .../profiles/overlays/test/kustomization.yaml | 6 + .../upstream/manifests/prow_config.yaml | 33 + .../pytorch-job-crds/base/crd.yaml | 42 + .../pytorch-job-crds/base/kustomization.yaml | 4 + .../overlays/application/application.yaml | 42 + .../overlays/application/kustomization.yaml | 9 + .../base/cluster-role-binding.yaml | 13 + .../pytorch-operator/base/cluster-role.yaml | 86 + .../pytorch-operator/base/deployment.yaml | 34 + .../pytorch-operator/base/kustomization.yaml | 15 + .../pytorch-operator/base/params.env | 3 + .../base/service-account.yaml | 6 + .../pytorch-operator/base/service.yaml | 19 + .../overlays/application/application.yaml | 44 + .../overlays/application/kustomization.yaml | 9 + .../upstream/manifests/seldon/Makefile | 15 + .../upstream/manifests/seldon/README.md | 18 + .../manifests/seldon/kustomization.tpl | 4 + .../base/kustomization.yaml | 4 + .../seldon-core-operator/base/resources.yaml | 4980 ++++ .../overlays/application/application.yaml | 41 + .../overlays/application/kustomization.yaml | 9 + .../upstream/manifests/seldon/values.yaml | 160 + .../spark-operator/base/Kube-descriptor.yaml | 12 + .../spark-operator/base/cr-clusterrole.yaml | 72 + .../spark/spark-operator/base/crb.yaml | 11 + .../spark/spark-operator/base/deploy.yaml | 44 + .../spark-operator/base/kustomization.yaml | 21 + .../spark-operator/base/operator-sa.yaml | 4 + .../spark/spark-operator/base/role.yaml | 18 + .../spark-operator/base/rolebinding.yaml | 12 + ...applications.sparkoperator.k8s.io-crd.yaml | 2546 +++ .../spark/spark-operator/base/spark-sa.yaml | 5 + ...applications.sparkoperator.k8s.io-crd.yaml | 2528 ++ .../overlays/application/application.yaml | 37 + .../overlays/application/kustomization.yaml | 9 + .../manifests/stacks/examples/README.md | 2 + .../alice_gcp/configs/spawner_ui_config.yaml | 15 + .../examples/alice_gcp/kubeflow-config.yaml | 13 + .../examples/alice_gcp/kustomization.yaml | 20 + 
.../kfctl_gcp_stacks.experimental.yaml | 94 + .../upstream/manifests/stacks/gcp/OWNERS | 4 + .../manifests/stacks/gcp/config/params.env | 3 + .../manifests/stacks/gcp/kustomization.yaml | 41 + .../base/cluster-role-binding.yaml | 11 + .../tektoncd-dashboard/base/cluster-role.yaml | 38 + .../tektoncd-dashboard/base/crds.yaml | 18 + .../tektoncd-dashboard/base/deployment.yaml | 38 + .../base/kustomization.yaml | 16 + .../tektoncd-dashboard/base/pipeline.yaml | 33 + .../base/service-account.yaml | 4 + .../tektoncd-dashboard/base/service.yaml | 10 + .../tektoncd-dashboard/base/task.yaml | 30 + .../overlays/application/application.yaml | 33 + .../overlays/application/kustomization.yaml | 23 + .../overlays/application/params.env | 1 + .../overlays/application/params.yaml | 9 + .../overlays/istio/kustomization.yaml | 26 + .../overlays/istio/params.env | 2 + .../overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 21 + .../base/cluster-role-binding.yaml | 11 + .../tektoncd-install/base/cluster-role.yaml | 166 + .../tektoncd-install/base/config-map.yaml | 110 + .../tektoncd/tektoncd-install/base/crds.yaml | 174 + .../tektoncd-install/base/deployment.yaml | 109 + .../tektoncd-install/base/kustomization.yaml | 119 + .../tektoncd-install/base/namespace.yaml | 4 + .../tektoncd/tektoncd-install/base/params.env | 13 + .../tektoncd-install/base/params.yaml | 3 + .../base/pod-security-policy.yaml | 28 + .../base/service-account.yaml | 4 + .../tektoncd-install/base/service.yaml | 29 + .../overlays/application/application.yaml | 24 + .../overlays/application/kustomization.yaml | 22 + .../overlays/application/params.env | 1 + .../overlays/application/params.yaml | 9 + .../overlays/istio/kustomization.yaml | 28 + .../overlays/istio/params.env | 2 + .../overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 20 + .../tensorboard/base/deployment.yaml | 33 + .../tensorboard/base/kustomization.yaml | 32 + .../manifests/tensorboard/base/params.env | 
27 + .../manifests/tensorboard/base/params.yaml | 3 + .../manifests/tensorboard/base/service.yaml | 24 + .../overlays/istio/kustomization.yaml | 8 + .../tensorboard/overlays/istio/params.yaml | 3 + .../overlays/istio/virtual-service.yaml | 20 + .../tf-training/tf-job-crds/base/crd.yaml | 47 + .../tf-job-crds/base/kustomization.yaml | 4 + .../overlays/application/application.yaml | 42 + .../overlays/application/kustomization.yaml | 9 + .../base/cluster-role-binding.yaml | 14 + .../tf-job-operator/base/cluster-role.yaml | 96 + .../tf-job-operator/base/deployment.yaml | 31 + .../tf-job-operator/base/kustomization.yaml | 15 + .../tf-job-operator/base/params.env | 1 + .../tf-job-operator/base/service-account.yaml | 14 + .../tf-job-operator/base/service.yaml | 19 + .../overlays/application/application.yaml | 42 + .../overlays/application/kustomization.yaml | 9 + .../base/cluster-role-binding.yaml | 11 + .../xgboost-operator/base/cluster-role.yaml | 75 + .../xgboost-operator/base/crd.yaml | 121 + .../xgboost-operator/base/deployment.yaml | 18 + .../xgboost-operator/base/kustomization.yaml | 18 + .../xgboost-operator/base/params.env | 0 .../base/service-account.yaml | 4 + .../xgboost-operator/base/service.yaml | 16 + .../overlays/application/application.yaml | 39 + .../overlays/application/kustomization.yaml | 9 + 1413 files changed, 159131 insertions(+) create mode 100644 kubeflow_clusters/code-intelligence/.build/application/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/application/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/application/apps_v1_statefulset_application-controller-stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/application/~g_v1_service_application-controller-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/application/~g_v1_serviceaccount_application-controller-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/~g_v1_configmap_cert-manager-kube-params-parameters.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cert-manager/app.k8s.io_v1beta1_application_cert-manager.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/app.k8s.io_v1beta1_application_cloud-endpoints.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apps_v1_deployment_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_configmap_cloud-endpoints-parameters.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_service_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_serviceaccount_kf-admin.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computeaddress_code-intelligence-ip.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-artifact-store.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-metadata-store.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/container.cnrm.cloud.google.com_v1beta1_containercluster_code-intelligence.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-bigquery.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudbuild.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudsql.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataflow.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataproc.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-istio-wi.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-logging.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-metricwriter.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-ml.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-monitoringviewer.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-network.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-servicemanagement.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-source.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-storage.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-viewer.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-wi.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-bigquery.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudbuild.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudsql.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataflow.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataproc.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-logging.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-metricwriter.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-ml.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-monitoringviewer.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-source.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-storage.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-viewer.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-logging.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-cloudtrace.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-meshtelemetry.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring-viewer.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-storage.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-user.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-vm.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/app.k8s.io_v1beta1_application_iap-ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_iap-enabler.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_whoami-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_statefulset_backend-updater.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/extensions_v1beta1_ingress_envoy-ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_envoy-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_ingress-bootstrap-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_istio-ingressgateway.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_whoami-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_serviceaccount_kf-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Base.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/CertManager/CertManager.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Citadel/Citadel.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Cni/Cni.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/EgressGateway/EgressGateway.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Galley/Galley.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Grafana/Grafana.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/IngressGateway/IngressGateway.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Injector/Injector.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/istio/Base/Kiali/Kiali.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/NodeAgent/NodeAgent.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Pilot/Pilot.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Policy/Policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Prometheus/Prometheus.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/PrometheusOperator/PrometheusOperator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Telemetry/Telemetry.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/istio/Base/Tracing/Tracing.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_gpu-driver.yaml 
create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_profiles-profiles.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_webhook.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_daemonset_nvidia-driver-installer.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_admission-webhook-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_jupyter-web-app-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_notebook-controller-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_profiles-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_pytorch-operator.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_admission-webhook-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_jupyter-web-app-service.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_notebook-controller-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_profiles-kfam.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_admission-webhook-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_notebook-controller-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_profiles-controller-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-dashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-issuer/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/kubeflow-istio create mode 100644 kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml create mode 100644 
kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/metacontroller/apps_v1_statefulset_metacontroller.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/metacontroller/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/metacontroller/~g_v1_serviceaccount_meta-controller-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_cert-manager.yaml create mode 100644 kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_kubeflow.yaml create mode 100644 kubeflow_clusters/code-intelligence/Kptfile create mode 100644 kubeflow_clusters/code-intelligence/Makefile create mode 100644 kubeflow_clusters/code-intelligence/README.md create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Base.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/CertManager.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Citadel.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Cni.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/EgressGateway.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Galley.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Grafana.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/IngressGateway.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Injector.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Kiali.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/NodeAgent.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Pilot.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Prometheus.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/PrometheusOperator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Telemetry.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/Tracing.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cert-manager.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cloud-endpoints.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_gpu-driver.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_iap-ingress.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_profiles-profiles.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_webhook.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_daemonset_nvidia-driver-installer.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_admission-webhook-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_iap-enabler.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_jupyter-web-app-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_notebook-controller-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_profiles-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_pytorch-operator.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_whoami-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_application-controller-stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_backend-updater.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_metacontroller.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/extensions_v1beta1_ingress_envoy-ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/kaniko/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/v1_namespace_chatbot-dev.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cert-manager-kube-params-parameters.yaml create mode 100644 
kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cloud-endpoints-parameters.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_envoy-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_ingress-bootstrap-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_cert-manager.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_kubeflow.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_admission-webhook-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_application-controller-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_cloud-endpoints-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_jupyter-web-app-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_notebook-controller-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_profiles-kfam.yaml create mode 
100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_whoami-app.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_admission-webhook-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_application-controller-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_centraldashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_kf-admin.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_meta-controller-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_notebook-controller-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_profiles-controller-service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_pytorch-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-dashboard.yaml create mode 100644 kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/configsync/config-management-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/configsync/config-management.yaml create mode 100755 kubeflow_clusters/code-intelligence/hack/check_domain_length.sh create mode 100755 kubeflow_clusters/code-intelligence/hack/check_oauth_secret.sh create mode 100755 kubeflow_clusters/code-intelligence/hack/create_context.sh create mode 100644 
kubeflow_clusters/code-intelligence/instance/README.md create mode 100644 kubeflow_clusters/code-intelligence/instance/gcp_config/cluster_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/gcp_config/enable-services.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/gcp_config/iam_policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/gcp_config/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/gcp_config/nodepool_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-crds/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-kube-system-resources/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/service-accounts.yaml create mode 100755 kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/iap-ingress-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/service-accounts.yaml create mode 100755 kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/default-install-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/kustomization.yaml create mode 100755 kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/profiles-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/service-accounts.yaml create mode 100644 
kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-issuer/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/metacontroller/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/namespaces.yaml create mode 100644 kubeflow_clusters/code-intelligence/instance/settings.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/Kptfile create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/LICENSE create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/stateful-set.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/mutating-webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/certificate.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/application/v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/kustomization.yaml create mode 
100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/vpc.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-driver.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-node-daemonset.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller-sa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-driver.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-node-daemonset.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/authzadaptor.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/deployment.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/handler.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/instance.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/template.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/configmap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/daemonset.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/params.env create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_features.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_alb_ingress_policy.json create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_cloudwatch_policy.json create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_csi_fsx_policy.json create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_profile_controller_policy.json create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/istio-policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/kustomization.yaml 
create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/oidc-secret.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/secrets.env create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/ingress.yaml create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/kustomization.yaml create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.env create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/daemonset.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/api-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/mutating-webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/namespace.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/validating-webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/kubeflow-issuer/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/cluster-issuer.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/cluster-issuer.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kflogin-virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base_v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/deployment_kf_config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role.yaml create mode 
100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/profile-instance.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/namespace.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/deployment.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/virtualservice.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/KustomizeBestPractices.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/TestFramework.md create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/assets/auth-istio.png create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/assets/ldap_tree.png create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/assets/user_settings_ldap.png create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/README.md create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/apply_example.sh create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/cluster_rbac_config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role_binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role_binding.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role_binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role_binding.yaml create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/gencert.sh create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/experimental/gcp/template/openapi.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/gcp_template.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/mirror_task.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/constraint-template.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/ns-required-annotations.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/backend-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cloud-endpoint.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/gcp-credentials-patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/istio-mapping-svc.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/certificate.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/job.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/gcp-credentials-patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/cert.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/composite-controller.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/gcp-credentials-patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/application.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/gcp-credentials-patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster-kubeflow.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja.schema create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/gcfs.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/iam_bindings_template.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.jinja create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage-kubeflow.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja.schema create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/daemon-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/backend-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cloud-endpoint.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/ingress.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/application.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/certificate.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/job.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/cert.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/iap-jwt-key.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/prometheus.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/asm/istio-operator.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/cluster.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-sa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/nodepool.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-sa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-sa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/compute-address.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/disk.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/cluster.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/enable-services.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/nodepool.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/enable-services.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/iam.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/0-cnrm-system.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/compute-network.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-gcr.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-google-apis.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/firewall.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/kustomization.yaml create mode 
100644 kubeflow_clusters/code-intelligence/upstream/manifests/go.mod create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/go.sum create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/hack/build_kfdef_specs.py create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/hack/gen-tree.sh create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_legacy_kustomizations.py create mode 100755 kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_tests.py create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/hack/templates/kustomize_test.go.template create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/hack/utils.sh create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/horizontal-pod-autoscaler.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/pod-disruption-budget.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/attribute-manifest.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/daemon-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/handler.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/horizontal-pod-autoscaler.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/instance.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/job.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/mutating-webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/pod-disruption-budget.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/rule.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/envoy-filter.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/horizontal-pod-autoscaler.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/pod-disruption-budget.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/istio-ingressgateway.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/certificate.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/istio-noauth.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/cluster-roles.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kf-istio-resources.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kf-istio-resources.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kustomization.yaml create mode 
100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/envoy-filter.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/pvc.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/statefulset.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/configs/spawner_ui_config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/deployment_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/spawner_ui_config.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/deployment_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/application.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-controller/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-manager/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-mysql/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/katib-db-manager-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/secrets.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone-ibm/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-configmap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-deployment.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-rbac.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-secret.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-pvc.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-secret.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-rbac.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/trial-template-configmap.yaml 
create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/katib-mysql-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/katib-ui-virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/experiment-crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/suggestion-crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/trial-crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/authservice.tmpl create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/dex.tmpl create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/envoy-filter.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/gateway.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/istio-noauth.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.1.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.1.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.1.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_asm_exp.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.1.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.1.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.1.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.1.yaml 
create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.1.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.0.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.2.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_anthos.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws_cognito.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_basic_auth.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_ibm.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_istio_dex.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_k8s_istio.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_anthos.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws_cognito.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_basic_auth.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_ibm.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_istio_dex.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_k8s_istio.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_anthos.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws_cognito.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_basic_auth.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_ibm.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_istio_dex.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_k8s_istio.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_anthos.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws_cognito.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_basic_auth.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_iap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_ibm.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_istio_dex.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_k8s_istio.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/secret.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/statefulset.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/apiservice.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/gateway.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/hpa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/image.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/webhook-configuration.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/application.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/cluster-roles.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/stateful-set.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/grpc-params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-rolebinding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-sa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-service.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-pvc.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/secrets.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/metadata-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/secrets.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/metadata-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/ibm-storage-config/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service-metadata-grpc.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-proxy-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/configmap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-backend-deployment.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/persistent-volume-claim.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/proxy-deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/secret.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-deplyment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/namespaces.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/application.yaml create 
mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/persistent-volume-claim.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/secret.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume-claim.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/persistent-volume-claim.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume-claim.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/configmap.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/service-account.yaml create mode 
100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/kustomization.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/deployment_patch.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/app_test.yaml 
create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/prow_config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/Makefile create 
mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/kustomization.tpl create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/resources.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/seldon/values.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/Kube-descriptor.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/cr-clusterrole.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/crb.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/deploy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/operator-sa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/rolebinding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/spark-sa.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/sparkapplications.sparkoperator.k8s.io-crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/README.md create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/configs/spawner_ui_config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kubeflow-config.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/kfctl_gcp_stacks.experimental.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/OWNERS create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/config/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/deployment.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/pipeline.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/task.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/config-map.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/crds.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/namespace.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/pod-security-policy.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.env create 
mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/params.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/virtual-service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role-binding.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/crd.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/deployment.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/kustomization.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/params.env create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service-account.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service.yaml create mode 100644 
kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/application.yaml create mode 100644 kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/kustomization.yaml diff --git a/kubeflow_clusters/code-intelligence/.build/application/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml b/kubeflow_clusters/code-intelligence/.build/application/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml new file mode 100644 index 0000000000..bd5a7b2938 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/application/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml 
@@ -0,0 +1,233 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: applications.app.k8s.io +spec: + group: app.k8s.io + names: + kind: Application + plural: applications + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + addOwnerRef: + type: boolean + assemblyPhase: + type: string + componentKinds: + items: + type: object + type: array + descriptor: + properties: + description: + type: string + icons: + items: + properties: + size: + type: string + src: + type: string + type: + type: string + required: + - src + type: object + type: array + keywords: + items: + type: string + type: array + links: + items: + properties: + description: + type: string + url: + type: string + type: object + type: array + maintainers: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + notes: + type: string + owners: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + type: + type: string + version: + type: string + type: object + info: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + ingressRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + host: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + secretKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string 
+ key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + serviceRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + port: + format: int32 + type: integer + resourceVersion: + type: string + uid: + type: string + type: object + type: + type: string + type: object + type: object + type: array + selector: + type: object + type: object + status: + properties: + components: + items: + properties: + group: + type: string + kind: + type: string + link: + type: string + name: + type: string + status: + type: string + type: object + type: array + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + lastUpdateTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + - status + type: object + type: array + observedGeneration: + format: int64 + type: integer + type: object + version: v1beta1 diff --git a/kubeflow_clusters/code-intelligence/.build/application/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml b/kubeflow_clusters/code-intelligence/.build/application/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml new file mode 100644 index 0000000000..b4baf2abab --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/application/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml 
@@ -0,0 +1,35 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: application-controller-kubeflow + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: app.k8s.io + kind: Application + descriptor: + description: application that aggregates all kubeflow applications + keywords: + - kubeflow + links: + - description: About + url: https://kubeflow.org + maintainers: + - email: jlewi@google.com + name: Jeremy Lewi + - email: kam.d.kasravi@intel.com + name: Kam Kasravi + owners: + - email: jlewi@google.com + name: Jeremy Lewi + type: kubeflow + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: kubeflow + app.kubernetes.io/instance: kubeflow-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: kubeflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/.build/application/apps_v1_statefulset_application-controller-stateful-set.yaml b/kubeflow_clusters/code-intelligence/.build/application/apps_v1_statefulset_application-controller-stateful-set.yaml new file mode 100644 index 0000000000..5ee7182fe6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/application/apps_v1_statefulset_application-controller-stateful-set.yaml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: application-controller-stateful-set + namespace: kubeflow +spec: + selector: + matchLabels: + app: application-controller + serviceName: application-controller-service + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: application-controller + spec: + containers: + - command: + - /root/manager + env: + - name: project + value: $(project) + image: gcr.io/kubeflow-images-public/kubernetes-sigs/application:1.0-beta + imagePullPolicy: Always + name: manager + serviceAccountName: application-controller-service-account + volumeClaimTemplates: [] 
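Review bot: The `manager` container in apps_v1_statefulset_application-controller-stateful-set.yaml references the mutable tag `application:1.0-beta` with `imagePullPolicy: Always`, so each restart runs whatever that tag currently points at, and the pod runs under the service account that the ClusterRoleBinding later in this patch binds cluster-wide. Pinning by digest, `image: gcr.io/kubeflow-images-public/kubernetes-sigs/application@sha256:<DIGEST_PLACEHOLDER>`, would make the deployed controller reproducible and reviewable. The pod spec also sets no `securityContext` or `resources`, and `value: $(project)` looks like a kustomize variable that was never substituted, so the container would presumably receive the literal string; both are worth confirming. The file is under `.build/` and appears to be rendered output, so the change probably belongs in the source package it was built from.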
diff --git a/kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml b/kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml new file mode 100644 index 0000000000..1186eacf3c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: application-controller-cluster-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update + - patch + - watch +- apiGroups: + - app.k8s.io + resources: + - '*' + verbs: + - '*' diff --git a/kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml new file mode 100644 index 0000000000..625b542472 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/application/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: application-controller-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: application-controller-cluster-role +subjects: +- kind: ServiceAccount + name: application-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/application/~g_v1_service_application-controller-service.yaml b/kubeflow_clusters/code-intelligence/.build/application/~g_v1_service_application-controller-service.yaml new file mode 100644 index 0000000000..0c6322990d --- /dev/null 
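Review bot: The first rule of `application-controller-cluster-role` grants `update` and `patch`, alongside `get`/`list`/`watch`, on every resource in every API group, and the ClusterRoleBinding in the next file section binds it cluster-wide to `application-controller-service-account` in `kubeflow`. That service account's token can therefore read every Secret and modify workloads in any namespace, which is more than the `addOwnerRef: true` behaviour of the Application resource would seem to need. I would reduce the wildcard rule to `verbs: [get, list, watch]` and add a second rule granting `update`/`patch` only on the kinds the Application resources list under `componentKinds`; keeping `secrets` out of the read rule needs an explicit resource list, since RBAC has no deny. The file is under `.build/`, so it looks like rendered output and the change presumably belongs in the upstream application manifest.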
+++ b/kubeflow_clusters/code-intelligence/.build/application/~g_v1_service_application-controller-service.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Service +metadata: + name: application-controller-service + namespace: kubeflow +spec: + ports: + - port: 443 diff --git a/kubeflow_clusters/code-intelligence/.build/application/~g_v1_serviceaccount_application-controller-service-account.yaml b/kubeflow_clusters/code-intelligence/.build/application/~g_v1_serviceaccount_application-controller-service-account.yaml new file mode 100644 index 0000000000..05af566f47 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/application/~g_v1_serviceaccount_application-controller-service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: application-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml new file mode 100644 index 0000000000..0b81ee91ef --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml 
@@ -0,0 +1,181 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertificateRequest is a type to represent a Certificate Signing + Request + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateRequestSpec defines the desired state of CertificateRequest + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + format: byte + type: string + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. 
See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + type: object + status: + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + format: byte + type: string + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + format: byte + type: string + conditions: + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - status + - type + type: object + type: array + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml new file mode 100644 index 0000000000..6a46d9446b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml 
@@ -0,0 +1,235 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Certificate is a type to represent a Certificate from ACME + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. 
A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN + to be valid. + properties: + commonName: + description: CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. 
If KeyEncoding is not specified, then PKCS#1 will be + used by default. + enum: + - pkcs1 + - pkcs8 + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + items: + type: string + type: array + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + items: + description: CertificateCondition contains condition information for + an Certificate. 
+ properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml new file mode 100644 index 0000000000..32c452b7c2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml 
@@ -0,0 +1,1369 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: challenges.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME + server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. 
+ example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. 
+ enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting RFC2136. + Required. Note: FQDN is not a valid value, only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ""tsigSecretSecretRef"" and ""tsigKeyName"" + are defined. Supported values are (case-insensitive): + ""HMACMD5"" (default), ""HMACSHA1"", ""HMACSHA256"" or + ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If + ""tsigSecretSecretRef"" is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ""tsigKeyName"" is defined, this field is required. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + resources. 
+ properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. 
+ type: string + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. If labels or annotations overlap + with in-built values, the values here will override + the in-built values. + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. 
+ items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. 
If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. 
If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. 
for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. 
+ A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. 
+ properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + just a regular string. 
+ type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. 
+ type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - dnsName + - issuerRef + - key + - token + - type + - url + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml new file mode 100644 index 0000000000..7691a8e2fd --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml 
@@ -0,0 +1,1655 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' 
+ type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. 
This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. 
If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. 
+ type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. 
+ items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. 
+ items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. 
If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. 
+ type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. 
+ If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. 
A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. 
+ properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml new file mode 100644 index 0000000000..d529bff171 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml 
@@ -0,0 +1,1655 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' 
+ type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. 
This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. 
If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. 
+ type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. 
+ items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. 
+ items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. 
If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. 
+ type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. 
+ If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. 
A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. 
+ properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml new file mode 100644 index 0000000000..12b262c51e --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-crds/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml 
@@ -0,0 +1,200 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. 
This field must match the corresponding field on the + DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. 
An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. http-01, dns-01 + type: string + url: + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. 
+ type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml new file mode 100644 index 0000000000..c37a3b7497 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: cainjector + kustomize.component: cert-manager + name: cert-manager-cainjector:leaderelection + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create + - update + - patch diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml new file mode 100644 index 0000000000..542fbcbd59 --- /dev/null 
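Review bot: The single `rules` entry of the `cert-manager-cainjector:leaderelection` Role grants `get`, `create`, `update` and `patch` on every ConfigMap in `kube-system`, because it carries no `resourceNames`; the `cert-manager:leaderelection` Role in the next file has the same rule. Leader election only needs to write its own lock object, so a compromised cainjector or controller pod could otherwise rewrite unrelated `kube-system` ConfigMaps. As this is hydrated upstream output, the restriction belongs in a kustomize patch rather than in `.build`: keep `create` in an unscoped rule (it cannot be limited by name) and move `get`/`update`/`patch` to a second rule with `resourceNames: ["<leader-election ConfigMap name>"]`.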
+++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: cert-manager + kustomize.component: cert-manager + name: cert-manager:leaderelection + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create + - update + - patch diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml new file mode 100644 index 0000000000..a47a2fe74f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: cainjector + kustomize.component: cert-manager + name: cert-manager-cainjector:leaderelection + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-cainjector:leaderelection +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-cainjector + namespace: cert-manager diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml new file mode 100644 index 0000000000..f7ec38a254 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: webhook + kustomize.component: cert-manager + name: cert-manager-webhook:webhook-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml new file mode 100644 index 0000000000..25a7fde904 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: cert-manager + kustomize.component: cert-manager + name: cert-manager:leaderelection + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager:leaderelection +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/~g_v1_configmap_cert-manager-kube-params-parameters.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/~g_v1_configmap_cert-manager-kube-params-parameters.yaml new file mode 100644 index 0000000000..d8e47f2a94 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/cert-manager-kube-system-resources/~g_v1_configmap_cert-manager-kube-params-parameters.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + certManagerNamespace: cert-manager +kind: ConfigMap +metadata: + labels: + kustomize.component: cert-manager + name: cert-manager-kube-params-parameters + namespace: kube-system diff --git a/kubeflow_clusters/code-intelligence/.build/cert-manager/app.k8s.io_v1beta1_application_cert-manager.yaml b/kubeflow_clusters/code-intelligence/.build/cert-manager/app.k8s.io_v1beta1_application_cert-manager.yaml new file mode 100644 index 0000000000..b03bf759df --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cert-manager/app.k8s.io_v1beta1_application_cert-manager.yaml @@ -0,0 +1,39 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: cert-manager + app.kubernetes.io/name: cert-manager + name: cert-manager + namespace: cert-manager +spec: + componentKinds: + - group: rbac + kind: ClusterRole + - group: rbac + kind: ClusterRoleBinding + - group: core + kind: Namespace + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + descriptor: + description: Automatically provision and manage TLS certificates in Kubernetes + https://jetstack.io. + keywords: + - cert-manager + links: + - description: About + url: https://github.com/jetstack/cert-manager + type: "" + version: v0.10.0 + selector: + matchLabels: + app.kubernetes.io/component: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: cert-manager + app.kubernetes.io/part-of: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml new file mode 100644 index 0000000000..2d6992c7b2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml @@ -0,0 +1,20 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloudendpoints.ctl.isla.solutions +spec: + group: ctl.isla.solutions + names: + kind: CloudEndpoint + plural: cloudendpoints + shortNames: + - cloudep + - ce + singular: cloudendpoint + scope: Namespaced + version: v1 diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/app.k8s.io_v1beta1_application_cloud-endpoints.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/app.k8s.io_v1beta1_application_cloud-endpoints.yaml new file mode 100644 index 0000000000..fc8a1cdd3f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/app.k8s.io_v1beta1_application_cloud-endpoints.yaml 
@@ -0,0 +1,35 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + name: cloud-endpoints + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: "" + keywords: + - cloud-endpoints + - kubeflow + links: + - description: About + url: "" + maintainers: [] + owners: [] + type: cloud-endpoints + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/instance: cloud-endpoints-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: cloud-endpoints + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apps_v1_deployment_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apps_v1_deployment_cloud-endpoints-controller.yaml new file mode 100644 index 0000000000..8fa50c740b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/apps_v1_deployment_cloud-endpoints-controller.yaml 
@@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + spec: + containers: + - image: gcr.io/cloud-solutions-group/cloud-endpoints-controller:0.2.1 + imagePullPolicy: Always + name: cloud-endpoints-controller + readinessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 80 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + serviceAccountName: kf-admin + terminationGracePeriodSeconds: 5 diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml new file mode 100644 index 0000000000..0265d074d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml 
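Review bot: The container in this Deployment is referenced by mutable tag (`cloud-endpoints-controller:0.2.1`) with `imagePullPolicy: Always`, while the pod runs as `serviceAccountName: kf-admin`. The `kf-admin` ServiceAccount added later in this patch is annotated with `iam.gke.io/gcp-service-account: code-intelligence-admin@...`, so whatever is published under that tag is pulled again on every restart and runs with that GCP identity. Pinning by digest in the kustomize source, e.g. `image: gcr.io/cloud-solutions-group/cloud-endpoints-controller@sha256:<digest of the reviewed 0.2.1 image>`, makes the deployed bits reviewable. The container also declares no `resources` or `securityContext`; it listens on port 80, so any non-root setting would need checking against the image first.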
@@ -0,0 +1,26 @@ +apiVersion: metacontroller.k8s.io/v1alpha1 +kind: CompositeController +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller + namespace: kubeflow +spec: + childResources: [] + clientConfig: + service: + caBundle: '...' + name: cloud-endpoints-controller + namespace: kubeflow + generateSelector: true + hooks: + sync: + webhook: + url: http://cloud-endpoints-controller.kubeflow/sync + parentResource: + apiVersion: ctl.isla.solutions/v1 + resource: cloudendpoints + resyncPeriodSeconds: 2 diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml new file mode 100644 index 0000000000..b9160d2c7c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller +rules: +- apiGroups: + - "" + resources: + - services + - configmaps + verbs: + - get + - list +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list 
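Review bot: The sync hook of the `cloud-endpoints-controller` CompositeController is called over plain HTTP (`url: http://cloud-endpoints-controller.kubeflow/sync`), and `clientConfig.service.caBundle` is the literal placeholder `'...'`. The Deployment in the previous file sets `sidecar.istio.io/inject: "false"`, so this hop presumably gets no mesh mTLS either, and any pod that can reach the Service on port 80 can post to `/sync` on a controller running as `kf-admin`. A NetworkPolicy in the `kubeflow` namespace that admits ingress to `app: cloud-endpoints-controller` only from the metacontroller pods would close that, and the placeholder `clientConfig` block is better dropped if metacontroller does not read it. `resyncPeriodSeconds: 2` also looks aggressive for a controller that calls GCP APIs; confirm it is intended.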
diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml new file mode 100644 index 0000000000..04dc8c0284 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cloud-endpoints-controller +subjects: +- kind: ServiceAccount + name: kf-admin + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_configmap_cloud-endpoints-parameters.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_configmap_cloud-endpoints-parameters.yaml new file mode 100644 index 0000000000..0d685cf7f0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_configmap_cloud-endpoints-parameters.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + namespace: kubeflow + secretName: admin-gcp-sa +kind: ConfigMap +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-parameters + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_service_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_service_cloud-endpoints-controller.yaml new file mode 100644 index 0000000000..3dde7ad13e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_service_cloud-endpoints-controller.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller + namespace: kubeflow +spec: + ports: + - name: http + port: 80 + selector: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_serviceaccount_kf-admin.yaml b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_serviceaccount_kf-admin.yaml new file mode 100644 index 0000000000..4779c0ee5d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/cloud-endpoints/~g_v1_serviceaccount_kf-admin.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + iam.gke.io/gcp-service-account: code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: kf-admin + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computeaddress_code-intelligence-ip.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computeaddress_code-intelligence-ip.yaml new file mode 100644 index 0000000000..5ceb66e6d3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computeaddress_code-intelligence-ip.yaml @@ -0,0 +1,13 @@ +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeAddress +metadata: + labels: + kf-name: code-intelligence + label-one: value-one + name: code-intelligence-ip + namespace: issue-label-bot-dev +spec: + addressType: EXTERNAL + description: Static IP for Kubeflow ingress. + ipVersion: IPV4 + location: global diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-artifact-store.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-artifact-store.yaml new file mode 100644 index 0000000000..367e7f6a30 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-artifact-store.yaml @@ -0,0 +1,10 @@ +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeDisk +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-storage-artifact-store + namespace: issue-label-bot-dev +spec: + location: us-central1-f + size: 200 diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-metadata-store.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-metadata-store.yaml new file mode 100644 index 0000000000..9ff478f5f6 
--- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/compute.cnrm.cloud.google.com_v1beta1_computedisk_code-intelligence-storage-metadata-store.yaml @@ -0,0 +1,10 @@ +apiVersion: compute.cnrm.cloud.google.com/v1beta1 +kind: ComputeDisk +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-storage-metadata-store + namespace: issue-label-bot-dev +spec: + location: us-central1-f + size: 20 diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/container.cnrm.cloud.google.com_v1beta1_containercluster_code-intelligence.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/container.cnrm.cloud.google.com_v1beta1_containercluster_code-intelligence.yaml new file mode 100644 index 0000000000..b89e0e46a0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/container.cnrm.cloud.google.com_v1beta1_containercluster_code-intelligence.yaml 
@@ -0,0 +1,41 @@ +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerCluster +metadata: + clusterName: issue-label-bot-dev/us-central1/code-intelligence + labels: + kf-name: code-intelligence + mesh_id: issue-label-bot-dev_us-central1_code-intelligence + name: code-intelligence + namespace: issue-label-bot-dev +spec: + clusterAutoscaling: + autoProvisioningDefaults: + oauthScopes: + - https://www.googleapis.com/auth/logging.write + - https://www.googleapis.com/auth/monitoring + - https://www.googleapis.com/auth/devstorage.read_only + serviceAccountRef: + name: code-intelligence-vm + enabled: true + resourceLimits: + - maximum: 128 + resourceType: cpu + - maximum: 2000 + resourceType: memory + - maximum: 16 + resourceType: nvidia-tesla-k80 + initialNodeCount: 2 + location: us-central1 + loggingService: logging.googleapis.com/kubernetes + minMasterVersion: 1.14.10-gke.36 + monitoringService: monitoring.googleapis.com/kubernetes + nodeConfig: + machineType: n1-standard-8 + metadata: + disable-legacy-endpoints: "true" + serviceAccountRef: + name: code-intelligence-vm + workloadMetadataConfig: + nodeMetadata: GKE_METADATA_SERVER + workloadIdentityConfig: + identityNamespace: issue-label-bot-dev.svc.id.goog diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-bigquery.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-bigquery.yaml new file mode 100644 index 0000000000..eabbd611f0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-bigquery.yaml 
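Review bot: The `spec` of this ContainerCluster sets neither `privateClusterConfig` nor `masterAuthorizedNetworksConfig`, so as far as this hunk shows the control-plane endpoint and the nodes keep the provider defaults for public reachability. The cluster will host a webhook reachable from outside and nodes that run as `code-intelligence-vm`, so limiting who can reach the API server is worth doing in the blueprint overlay, for example `masterAuthorizedNetworksConfig: {cidrBlocks: [{cidrBlock: "<operator CIDR>", displayName: "<name>"}]}`. Separately, `minMasterVersion: 1.14.10-gke.36` fixes only a floor; without a `releaseChannel` or a documented upgrade owner the cluster can drift behind on patches. The Workload Identity settings, `GKE_METADATA_SERVER` and `disable-legacy-endpoints: "true"` are good and should stay.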
@@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-bigquery + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/bigquery.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudbuild.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudbuild.yaml new file mode 100644 index 0000000000..56b1b4a427 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudbuild.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-cloudbuild + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/cloudbuild.builds.editor diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudsql.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudsql.yaml new file mode 100644 index 0000000000..0b32e0ea13 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-cloudsql.yaml 
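Review bot: The grants starting with `code-intelligence-admin-bigquery` bind `roles/bigquery.admin`, `roles/cloudbuild.builds.editor`, `roles/cloudsql.admin`, `roles/dataflow.admin`, `roles/dataproc.editor` and `roles/ml.admin` to `code-intelligence-admin` at `external: projects/issue-label-bot-dev`, i.e. on the whole project, which looks like more than a cluster created to serve a Dialogflow webhook needs. The same account is the one `kf-admin` pods obtain through the `iam.gke.io/gcp-service-account` annotation in this patch, so a compromise of any such pod reaches all of these services. These look like blueprint defaults; the IAMPolicyMember resources the chatbot does not use are better removed in the kustomize source that produces `.build/gcp_config`, and the remainder scoped to specific resources where the role allows it. The logging, metric-writer and monitoring-viewer bindings in the following files are narrow and unaffected by this point.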
@@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-cloudsql + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/cloudsql.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataflow.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataflow.yaml new file mode 100644 index 0000000000..c91bdc06c2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataflow.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-dataflow + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/dataflow.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataproc.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataproc.yaml new file mode 100644 index 0000000000..6d8dcac4a4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-dataproc.yaml 
@@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-dataproc + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/dataproc.editor diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-istio-wi.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-istio-wi.yaml new file mode 100644 index 0000000000..b3bef73c11 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-istio-wi.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-istio-wi + namespace: issue-label-bot-dev +spec: + member: serviceAccount:issue-label-bot-dev.svc.id.goog[istio-system/kf-admin] + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + name: code-intelligence-admin + role: roles/iam.workloadIdentityUser diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-logging.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-logging.yaml new file mode 100644 index 0000000000..a1ec74373f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-logging.yaml 
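Review bot: In `code-intelligence-admin-istio-wi`, `member: serviceAccount:issue-label-bot-dev.svc.id.goog[istio-system/kf-admin]` with `role: roles/iam.workloadIdentityUser` lets any pod running as `kf-admin` in `istio-system` obtain tokens for `code-intelligence-admin`, the account that receives the project-level admin roles in the neighbouring files. `istio-system` holds the ingress path this PR opens to Dialogflow, so it is the namespace most exposed to outside traffic. Which workloads there use `kf-admin` is not visible in this hunk; if it is only the ingress/IAP helper jobs, a dedicated service account carrying just the roles those jobs need would be a better `resourceRef` target than `name: code-intelligence-admin`.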
@@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-logging + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/logging.logWriter diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-metricwriter.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-metricwriter.yaml new file mode 100644 index 0000000000..16ca8d9f24 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-metricwriter.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-metricwriter + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/monitoring.metricWriter diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-ml.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-ml.yaml new file mode 100644 index 0000000000..ee8aa5c0cb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-ml.yaml 
@@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-ml + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/ml.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-monitoringviewer.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-monitoringviewer.yaml new file mode 100644 index 0000000000..33c365e638 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-monitoringviewer.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-monitoringviewer + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/monitoring.viewer diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-network.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-network.yaml new file mode 100644 index 0000000000..c87c134866 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-network.yaml 
@@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-network + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/compute.networkAdmin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-servicemanagement.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-servicemanagement.yaml new file mode 100644 index 0000000000..821999b99a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-servicemanagement.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-servicemanagement + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/servicemanagement.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-source.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-source.yaml new file mode 100644 index 0000000000..11d0f265d5 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-source.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-source + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/source.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-storage.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-storage.yaml new file mode 100644 index 0000000000..f6bc2dfde6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-storage.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-storage + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/storage.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-viewer.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-viewer.yaml new file mode 100644 index 0000000000..763ef7003c --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-viewer.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-viewer + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/viewer diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-wi.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-wi.yaml new file mode 100644 index 0000000000..daa79b6d9c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-admin-wi.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin-wi + namespace: issue-label-bot-dev +spec: + member: serviceAccount:issue-label-bot-dev.svc.id.goog[kubeflow/kf-admin] + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + name: code-intelligence-admin + role: roles/iam.workloadIdentityUser diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-bigquery.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-bigquery.yaml new file mode 100644 index 0000000000..3c21f618c7 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-bigquery.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-bigquery + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/bigquery.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudbuild.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudbuild.yaml new file mode 100644 index 0000000000..274d097a8b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudbuild.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-cloudbuild + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/cloudbuild.builds.editor diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudsql.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudsql.yaml new file mode 100644 index 0000000000..bbef68bd47 --- /dev/null 
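Review bot: The user-facing account gets `role: roles/bigquery.admin` on the whole project in code-intelligence-user-bigquery.yaml, and the following code-intelligence-user-* hunks add `roles/cloudsql.admin`, `roles/dataflow.admin`, `roles/ml.admin`, `roles/source.admin` and `roles/storage.admin` the same way. That leaves little difference between the `code-intelligence-user` and `code-intelligence-admin` identities, so workloads meant to run with user privileges can still delete datasets, buckets and repositories project-wide. Narrower roles would fit a user identity better, for example `role: roles/bigquery.dataEditor` together with `roles/bigquery.jobUser`, and `roles/storage.objectAdmin` bound on the bucket the workloads use. The exact set depends on what the workloads do, which is not visible here.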
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-cloudsql.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-cloudsql + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/cloudsql.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataflow.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataflow.yaml new file mode 100644 index 0000000000..61f805d190 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataflow.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-dataflow + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/dataflow.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataproc.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataproc.yaml new file mode 100644 index 0000000000..5294c448b4 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-dataproc.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-dataproc + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/dataproc.editor diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-logging.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-logging.yaml new file mode 100644 index 0000000000..b65a4eba8b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-logging.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-logging + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/logging.logWriter diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-metricwriter.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-metricwriter.yaml new file mode 100644 index 0000000000..2e59e1a227 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-metricwriter.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-metricwriter + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/monitoring.metricWriter diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-ml.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-ml.yaml new file mode 100644 index 0000000000..05a736b10e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-ml.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-ml + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/ml.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-monitoringviewer.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-monitoringviewer.yaml new file mode 100644 index 0000000000..76bec407f5 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-monitoringviewer.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-monitoringviewer + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/monitoring.viewer diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-source.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-source.yaml new file mode 100644 index 0000000000..49a4260030 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-source.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-source + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/source.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-storage.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-storage.yaml new file mode 100644 index 0000000000..42af9817e6 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-storage.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-storage + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/storage.admin diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-viewer.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-viewer.yaml new file mode 100644 index 0000000000..1ee43af6a5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-user-viewer.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user-viewer + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/viewer diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-logging.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-logging.yaml new file mode 100644 index 0000000000..85da996623 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-logging.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-vm-logging + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/logging.logWriter diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-cloudtrace.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-cloudtrace.yaml new file mode 100644 index 0000000000..f24d66e015 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-cloudtrace.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-vm-policy-cloudtrace + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/cloudtrace.agent diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-meshtelemetry.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-meshtelemetry.yaml new file mode 100644 index 0000000000..255d64e6d3 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-meshtelemetry.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-vm-policy-meshtelemetry + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/meshtelemetry.reporter diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring-viewer.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring-viewer.yaml new file mode 100644 index 0000000000..637d68ba01 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring-viewer.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-vm-policy-monitoring-viewer + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/monitoring.viewer 
diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring.yaml new file mode 100644 index 0000000000..30511ba756 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-monitoring.yaml @@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-vm-policy-monitoring + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/monitoring.metricWriter diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-storage.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-storage.yaml new file mode 100644 index 0000000000..27ff41a1d1 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iampolicymember_code-intelligence-vm-policy-storage.yaml 
@@ -0,0 +1,14 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-vm-policy-storage + namespace: issue-label-bot-dev +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + external: projects/issue-label-bot-dev + kind: Project + role: roles/storage.objectViewer diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-admin.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-admin.yaml new file mode 100644 index 0000000000..830236fe3e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-admin.yaml @@ -0,0 +1,9 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-admin + namespace: issue-label-bot-dev +spec: + displayName: kubeflow admin service account diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-user.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-user.yaml new file mode 100644 index 0000000000..9b4748671b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-user.yaml @@ -0,0 +1,9 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-user + namespace: issue-label-bot-dev +spec: + displayName: kubeflow user service account 
diff --git a/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-vm.yaml b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-vm.yaml new file mode 100644 index 0000000000..ae13cc047b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/gcp_config/iam.cnrm.cloud.google.com_v1beta1_iamserviceaccount_code-intelligence-vm.yaml @@ -0,0 +1,9 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + labels: + kf-name: code-intelligence + name: code-intelligence-vm + namespace: issue-label-bot-dev +spec: + displayName: kubeflow vm service account diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/app.k8s.io_v1beta1_application_iap-ingress.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/app.k8s.io_v1beta1_application_iap-ingress.yaml new file mode 100644 index 0000000000..a35a7711ff --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/app.k8s.io_v1beta1_application_iap-ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + kustomize.component: iap-ingress + name: iap-ingress + namespace: istio-system +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: "" + keywords: + - iap-ingress + - kubeflow + links: + - description: About + url: "" + maintainers: [] + owners: [] + type: iap-ingress + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: iap-ingress + app.kubernetes.io/instance: iap-ingress-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: iap-ingress + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_iap-enabler.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_iap-enabler.yaml new file mode 100644 index 0000000000..364925986b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_iap-enabler.yaml @@ -0,0 +1,44 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + kustomize.component: iap-ingress + name: iap-enabler + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + kustomize.component: iap-ingress + template: + metadata: + labels: + kustomize.component: iap-ingress + service: iap-enabler + spec: + containers: + - command: + - bash + - /var/envoy-config/setup_backend.sh + env: + - name: NAMESPACE + value: istio-system + - name: SERVICE + value: istio-ingressgateway + - name: INGRESS_NAME + value: envoy-ingress + - name: ENVOY_ADMIN + value: http://localhost:8001 + - name: USE_ISTIO + value: "true" + image: gcr.io/kubeflow-images-public/ingress-setup:latest + name: iap + volumeMounts: + - mountPath: /var/envoy-config/ + name: config-volume + restartPolicy: Always + serviceAccountName: kf-admin + volumes: + - configMap: + name: envoy-config + name: config-volume diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_whoami-app.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_whoami-app.yaml new file mode 100644 index 0000000000..883255b6ba --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_deployment_whoami-app.yaml 
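Review bot: The iap-enabler container uses `image: gcr.io/kubeflow-images-public/ingress-setup:latest` while running with `serviceAccountName: kf-admin`, so whatever is pushed to that mutable tag runs with the workload identity bound to the admin Google service account the next time the pod restarts. Pinning by digest, `image: gcr.io/kubeflow-images-public/ingress-setup@sha256:<digest>`, makes the deployed content reviewable and reproducible; the backend-updater StatefulSet further down has the same image line and needs the same change. The container spec also sets no `securityContext` or `resources`; adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` is worth trying if the setup script does not need root, which cannot be told from this patch.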
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: whoami-app
+ namespace: istio-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ kustomize.component: iap-ingress
+ template:
+ metadata:
+ labels:
+ app: whoami
+ kustomize.component: iap-ingress
+ spec:
+ containers:
+ - env:
+ - name: PORT
+ value: "8081"
+ image: gcr.io/cloud-solutions-group/esp-sample-app:1.0.0
+ name: app
+ ports:
+ - containerPort: 8081
+ readinessProbe:
+ failureThreshold: 2
+ httpGet:
+ path: /healthz
+ port: 8081
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_statefulset_backend-updater.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_statefulset_backend-updater.yaml
new file mode 100644
index 0000000000..e32e111e7c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/apps_v1_statefulset_backend-updater.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ service: backend-updater
+ name: backend-updater
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ kustomize.component: iap-ingress
+ service: backend-updater
+ serviceName: backend-updater
+ template:
+ metadata:
+ labels:
+ kustomize.component: iap-ingress
+ service: backend-updater
+ spec:
+ containers:
+ - command:
+ - bash
+ - /var/envoy-config/update_backend.sh
+ env:
+ - name: NAMESPACE
+ value: istio-system
+ - name: SERVICE
+ value: istio-ingressgateway
+ - name: INGRESS_NAME
+ value: envoy-ingress
+ - name: USE_ISTIO
+ value: "true"
+ image: gcr.io/kubeflow-images-public/ingress-setup:latest
+ name: backend-updater
+ volumeMounts:
+ - mountPath: /var/envoy-config/
+ name: config-volume
+ serviceAccountName: kf-admin
+ volumes:
+ - configMap:
+ name: envoy-config
+ name: config-volume
+ volumeClaimTemplates: []
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml
new file mode 100644
index 0000000000..90be0f516b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml
@@ -0,0 +1,25 @@
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: ingress-jwt
+ namespace: istio-system
+spec:
+ origins:
+ - jwt:
+ audiences:
+ - TO_BE_PATCHED
+ issuer: https://cloud.google.com/iap
+ jwksUri: https://www.gstatic.com/iap/verify/public_key-jwk
+ jwtHeaders:
+ - x-goog-iap-jwt-assertion
+ trigger_rules:
+ - excluded_paths:
+ - exact: /healthz/ready
+ - prefix: /.well-known/acme-challenge
+ principalBinding: USE_ORIGIN
+ targets:
+ - name: istio-ingressgateway
+ ports:
+ - number: 80
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml
new file mode 100644
index 0000000000..831df7cde3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml
@@ -0,0 +1,13 @@
+apiVersion: cloud.google.com/v1beta1
+kind: BackendConfig
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: iap-backendconfig
+ namespace: istio-system
+spec:
+ iap:
+ enabled: true
+ oauthclientCredentials:
+ secretName: kubeflow-oauth
+ timeoutSec: 3600
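Review bot: The `excluded_paths` list in authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml exempts `prefix: /.well-known/acme-challenge` from IAP JWT validation, and nothing else in this patch appears to need that exemption. The Ingress added here takes its certificate from `networking.gke.io/managed-certificates: gke-certificate`, so unless something behind the gateway still answers HTTP-01 challenges, the entry only widens the set of paths that reach the gateway without the `x-goog-iap-jwt-assertion` check. I would drop the `- prefix: /.well-known/acme-challenge` line, or at least end the prefix with `/` so that sibling paths sharing the same leading characters are not exempted as well. A comment on `- exact: /healthz/ready` saying it is the load-balancer health-check path would also help the next reader.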
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml
new file mode 100644
index 0000000000..4ea397a526
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml
@@ -0,0 +1,12 @@
+apiVersion: ctl.isla.solutions/v1
+kind: CloudEndpoint
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: code-intelligence
+ namespace: istio-system
+spec:
+ project: issue-label-bot-dev
+ targetIngress:
+ name: envoy-ingress
+ namespace: istio-system
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/extensions_v1beta1_ingress_envoy-ingress.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/extensions_v1beta1_ingress_envoy-ingress.yaml
new file mode 100644
index 0000000000..869fe56f77
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/extensions_v1beta1_ingress_envoy-ingress.yaml
@@ -0,0 +1,20 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "true"
+ kubernetes.io/ingress.global-static-ip-name: code-intelligence-ip
+ networking.gke.io/managed-certificates: gke-certificate
+ labels:
+ kustomize.component: iap-ingress
+ name: envoy-ingress
+ namespace: istio-system
+spec:
+ rules:
+ - host: code-intelligence.endpoints.issue-label-bot-dev.cloud.goog
+ http:
+ paths:
+ - backend:
+ serviceName: istio-ingressgateway
+ servicePort: 80
+ path: /*
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml
new file mode 100644
index 0000000000..eb07cd0acc
--- /dev/null
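Review bot: The annotation `ingress.kubernetes.io/ssl-redirect: "true"` in extensions_v1beta1_ingress_envoy-ingress.yaml is, as far as I know, an NGINX-ingress convention, so it probably does not turn off plain HTTP here. The other two annotations (`global-static-ip-name`, `managed-certificates`) indicate this Ingress is served by the GKE load-balancer controller, which is not expected to act on it. If the intent is that the endpoint is reachable over HTTPS only, the GKE-side switch is `kubernetes.io/ingress.allow-http: "false"`. I would add that annotation next to the existing ones, or add a comment stating that the HTTP listener is intentionally left open. This should be confirmed against the rendered load balancer, since the forwarding rules are not visible in the patch.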
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.gke.io/v1beta1
+kind: ManagedCertificate
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: gke-certificate
+ namespace: istio-system
+spec:
+ domains:
+ - code-intelligence.endpoints.issue-label-bot-dev.cloud.goog
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml
new file mode 100644
index 0000000000..8577c94071
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml
@@ -0,0 +1,41 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: kf-admin-iap
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - update
+ - patch
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - policies
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - gateways
+ - virtualservices
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml
new file mode 100644
index 0000000000..f59f8f4df3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml
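Review bot: The kf-admin-iap ClusterRole grants far more than the visible scripts use: get/list/patch/update on `secrets`, `configmaps` and `services` in every namespace, plus `'*'` on Istio policies, gateways and virtualservices. The two scripts that run under this account (setup_backend.sh and update_backend.sh in envoy-config) only read the Service and Ingress and patch the `ingress-jwt` Policy and the Service, all in istio-system. A namespaced Role bound with `kind: RoleBinding` in istio-system would cover that without cluster-wide secret access; the ClusterRoleBinding in the next file would change accordingly. The sketch below is derived only from the kubectl calls visible in this patch, so any other consumer of kf-admin needs checking before narrowing.

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  labels:
    kustomize.component: iap-ingress
  name: kf-admin-iap
  namespace: istio-system
rules:
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - patch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
- apiGroups:
  - authentication.istio.io
  resources:
  - policies
  resourceNames:
  - ingress-jwt
  verbs:
  - get
  - patch
```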
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: kf-admin-iap
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kf-admin-iap
+subjects:
+- kind: ServiceAccount
+ name: kf-admin
+ namespace: istio-system
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml
new file mode 100644
index 0000000000..2795a6862a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ClusterRbacConfig
+metadata:
+ name: default
+ namespace: istio-system
+spec:
+ exclusion:
+ namespaces:
+ - istio-system
+ mode: ON_WITH_EXCLUSION
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_envoy-config.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_envoy-config.yaml
new file mode 100644
index 0000000000..1cfaa4903b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_envoy-config.yaml
@@ -0,0 +1,128 @@ +apiVersion: v1 +data: + healthcheck_route.yaml: | + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: default-routes + namespace: $(namespace) + spec: + hosts: + - "*" + gateways: + - kubeflow-gateway + http: + - match: + - uri: + exact: /healthz + route: + - destination: + port: + number: 80 + host: whoami-app.kubeflow.svc.cluster.local + - match: + - uri: + exact: /whoami + route: + - destination: + port: + number: 80 + host: whoami-app.kubeflow.svc.cluster.local + --- + apiVersion: networking.istio.io/v1alpha3 + kind: Gateway + metadata: + name: kubeflow-gateway + namespace: $(namespace) + spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + setup_backend.sh: "#!/usr/bin/env bash\n#\n# A simple shell script to configure + the JWT audience used with ISTIO\nset -x\n[ -z ${NAMESPACE} ] && echo Error NAMESPACE + must be set && exit 1\n[ -z ${SERVICE} ] && echo Error SERVICE must be set && + exit 1\n[ -z ${INGRESS_NAME} ] && echo Error INGRESS_NAME must be set && exit + 1\n\nPROJECT=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/project-id)\nif + [ -z ${PROJECT} ]; then\n echo Error unable to fetch PROJECT from compute metadata\n + \ exit 1\nfi\n\nPROJECT_NUM=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id)\nif + [ -z ${PROJECT_NUM} ]; then\n echo Error unable to fetch PROJECT_NUM from compute + metadata\n exit 1\nfi\n\n# Activate the service account\nif [ ! 
-z \"${GOOGLE_APPLICATION_CREDENTIALS}\" + ]; then\n # As of 0.7.0 we should be using workload identity and never setting + GOOGLE_APPLICATION_CREDENTIALS.\n # But we kept this for backwards compatibility + but can remove later.\n gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}\nfi\n\n# + Print out the config for debugging\ngcloud config list\ngcloud auth list\n\nset_jwt_policy + () {\n NODE_PORT=$(kubectl --namespace=${NAMESPACE} get svc ${SERVICE} -o jsonpath='{.spec.ports[?(@.name==\"http2\")].nodePort}')\n + \ echo \"node port is ${NODE_PORT}\"\n\n BACKEND_NAME=\"\"\n while [[ -z ${BACKEND_NAME} + ]]; do\n BACKENDS=$(kubectl --namespace=${NAMESPACE} get ingress ${INGRESS_NAME} + -o jsonpath='{.metadata.annotations.ingress\\.kubernetes\\.io/backends}')\n echo + \"fetching backends info with ${INGRESS_NAME}: ${BACKENDS}\"\n BACKEND_NAME=$(echo + $BACKENDS | grep -o \"k8s-be-${NODE_PORT}--[0-9a-z]\\+\")\n echo \"backend + name is ${BACKEND_NAME}\"\n sleep 2\n done\n\n BACKEND_ID=\"\"\n while [[ + -z ${BACKEND_ID} ]]; do\n BACKEND_ID=$(gcloud compute --project=${PROJECT} + backend-services list --filter=name~${BACKEND_NAME} --format='value(id)')\n echo + \"Waiting for backend id PROJECT=${PROJECT} NAMESPACE=${NAMESPACE} SERVICE=${SERVICE} + filter=name~${BACKEND_NAME}\"\n sleep 2\n done\n echo BACKEND_ID=${BACKEND_ID}\n\n + \ JWT_AUDIENCE=\"/projects/${PROJECT_NUM}/global/backendServices/${BACKEND_ID}\"\n + \ \n # Use kubectl patch.\n echo patch JWT audience: ${JWT_AUDIENCE}\n kubectl + -n ${NAMESPACE} patch policy ingress-jwt --type json -p '[{\"op\": \"replace\", + \"path\": \"/spec/origins/0/jwt/audiences/0\", \"value\": \"'${JWT_AUDIENCE}'\"}]'\n\n + \ echo \"Clearing lock on service annotation\"\n kubectl patch svc \"${SERVICE}\" + -p \"{\\\"metadata\\\": { \\\"annotations\\\": {\\\"backendlock\\\": \\\"\\\" + }}}\"\n}\n\nwhile true; do\n set_jwt_policy\n # Every 5 minutes recheck the + JWT policy and reset it if the backend 
has changed for some reason.\n # This + follows Kubernetes level based design.\n # We have at least one report see \n + \ # https://github.com/kubeflow/kubeflow/issues/4342#issuecomment-544653657\n + \ # of the backend id changing over time.\n sleep 300\ndone\n" + update_backend.sh: "#!/bin/bash\n#\n# A simple shell script to configure the health + checks by using gcloud.\nset -x\n\n[ -z ${NAMESPACE} ] && echo Error NAMESPACE + must be set && exit 1\n[ -z ${SERVICE} ] && echo Error SERVICE must be set && + exit 1\n[ -z ${INGRESS_NAME} ] && echo Error INGRESS_NAME must be set && exit + 1\n\nPROJECT=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/project-id)\nif + [ -z ${PROJECT} ]; then\n echo Error unable to fetch PROJECT from compute metadata\n + \ exit 1\nfi\n\nif [[ ! -z \"${GOOGLE_APPLICATION_CREDENTIALS}\" ]]; then\n # + TODO(jlewi): As of 0.7 we should always be using workload identity. We can remove + it post 0.7.0 once we have workload identity\n # fully working\n # Activate + the service account, allow 5 retries\n for i in {1..5}; do gcloud auth activate-service-account + --key-file=${GOOGLE_APPLICATION_CREDENTIALS} && break || sleep 10; done\nfi \n\nset_health_check + () {\n NODE_PORT=$(kubectl --namespace=${NAMESPACE} get svc ${SERVICE} -o jsonpath='{.spec.ports[?(@.name==\"http2\")].nodePort}')\n + \ echo node port is ${NODE_PORT}\n\n while [[ -z ${BACKEND_NAME} ]]; do\n BACKENDS=$(kubectl + --namespace=${NAMESPACE} get ingress ${INGRESS_NAME} -o jsonpath='{.metadata.annotations.ingress\\.kubernetes\\.io/backends}')\n + \ echo \"fetching backends info with ${INGRESS_NAME}: ${BACKENDS}\"\n BACKEND_NAME=$(echo + $BACKENDS | grep -o \"k8s-be-${NODE_PORT}--[0-9a-z]\\+\")\n echo \"backend + name is ${BACKEND_NAME}\"\n sleep 2\n done\n\n while [[ -z ${BACKEND_SERVICE} + ]];\n do BACKEND_SERVICE=$(gcloud --project=${PROJECT} compute backend-services + list --filter=name~${BACKEND_NAME} --uri);\n echo 
\"Waiting for the backend-services + resource PROJECT=${PROJECT} BACKEND_NAME=${BACKEND_NAME} SERVICE=${SERVICE}...\";\n + \ sleep 2;\n done\n\n while [[ -z ${HEALTH_CHECK_URI} ]];\n do HEALTH_CHECK_URI=$(gcloud + compute --project=${PROJECT} health-checks list --filter=name~${BACKEND_NAME} + --uri);\n echo \"Waiting for the healthcheck resource PROJECT=${PROJECT} NODEPORT=${NODE_PORT} + SERVICE=${SERVICE}...\";\n sleep 2;\n done\n\n echo health check URI is ${HEALTH_CHECK_URI}\n\n + \ # Since we create the envoy-ingress ingress object before creating the envoy\n + \ # deployment object, healthcheck will not be configured correctly in the GCP\n + \ # load balancer. It will default the healthcheck request path to a value of\n + \ # / instead of the intended /healthz.\n # Manually update the healthcheck request + path to /healthz\n if [[ ${HEALTHCHECK_PATH} ]]; then\n # This is basic auth\n + \ echo Running health checks update ${HEALTH_CHECK_URI} with ${HEALTHCHECK_PATH}\n + \ gcloud --project=${PROJECT} compute health-checks update http ${HEALTH_CHECK_URI} + --request-path=${HEALTHCHECK_PATH}\n else\n # /healthz/ready is the health + check path for istio-ingressgateway\n echo Running health checks update ${HEALTH_CHECK_URI} + with /healthz/ready\n gcloud --project=${PROJECT} compute health-checks update + http ${HEALTH_CHECK_URI} --request-path=/healthz/ready\n # We need the nodeport + for istio-ingressgateway status-port\n STATUS_NODE_PORT=$(kubectl -n istio-system + get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name==\"status-port\")].nodePort}')\n + \ gcloud --project=${PROJECT} compute health-checks update http ${HEALTH_CHECK_URI} + --port=${STATUS_NODE_PORT}\n fi \n}\n\nwhile true; do\n set_health_check\n + \ echo \"Backend updated successfully. Waiting 1 hour before updating again.\"\n + \ sleep 3600\ndone\n" +kind: ConfigMap +metadata: + labels: + kustomize.component: iap-ingress + name: envoy-config + namespace: istio-system 
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml
new file mode 100644
index 0000000000..14b9b50761
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+data:
+ appName: code-intelligence
+ hostname: code-intelligence.endpoints.issue-label-bot-dev.cloud.goog
+ ingressName: envoy-ingress
+ ipName: code-intelligence-ip
+ istioNamespace: istio-system
+ oauthSecretName: kubeflow-oauth
+ project: issue-label-bot-dev
+ tlsSecretName: envoy-ingress-tls
+kind: ConfigMap
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: iap-ingress-config-c2924ch89c
+ namespace: istio-system
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_ingress-bootstrap-config.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_ingress-bootstrap-config.yaml
new file mode 100644
index 0000000000..024ac69f43
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_configmap_ingress-bootstrap-config.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+ ingress_bootstrap.sh: |
+ #!/usr/bin/env bash
+
+ set -x
+ set -e
+
+ # This is a workaround until this is resolved: https://github.com/kubernetes/ingress-gce/pull/388
+ # The long-term solution is to use a managed SSL certificate on GKE once the feature is GA.
+
+ # The ingress is initially created without a tls spec.
+ # Wait until cert-manager generates the certificate using the http-01 challenge on the GCLB ingress.
+ # After the certificate is obtained, patch the ingress with the tls spec to enable SSL on the GCLB.
+
+ # Wait for certificate.
+ until kubectl -n ${NAMESPACE} get secret ${TLS_SECRET_NAME} 2>/dev/null; do
+ echo "Waiting for certificate..."
+ sleep 2
+ done
+
+ kubectl -n ${NAMESPACE} patch ingress ${INGRESS_NAME} --type='json' -p '[{"op": "add", "path": "/spec/tls", "value": [{"secretName": "'${TLS_SECRET_NAME}'", "hosts":["'${TLS_HOST_NAME}'"]}]}]'
+
+ echo "Done"
+kind: ConfigMap
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: ingress-bootstrap-config
+ namespace: istio-system
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_istio-ingressgateway.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_istio-ingressgateway.yaml
new file mode 100644
index 0000000000..a2b6b9e967
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_istio-ingressgateway.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ beta.cloud.google.com/backend-config: '{"ports": {"http2":"iap-backendconfig"}}'
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ release: istio
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ ports:
+ - name: status-port
+ port: 15020
+ protocol: TCP
+ targetPort: 15020
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ - name: kiali
+ port: 15029
+ protocol: TCP
+ targetPort: 15029
+ - name: prometheus
+ port: 15030
+ protocol: TCP
+ targetPort: 15030
+ - name: grafana
+ port: 15031
+ protocol: TCP
+ targetPort: 15031
+ - name: tracing
+ port: 15032
+ protocol: TCP
+ targetPort: 15032
+ - name: tls
+ port: 15443
+ protocol: TCP
+ targetPort: 15443
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ sessionAffinity: None
+ type: NodePort
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_whoami-app.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_whoami-app.yaml
new file mode 100644
index 0000000000..a1e526a478
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_service_whoami-app.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: whoami
+ kustomize.component: iap-ingress
+ name: whoami-app
+ namespace: istio-system
+spec:
+ ports:
+ - port: 80
+ targetPort: 8081
+ selector:
+ app: whoami
+ kustomize.component: iap-ingress
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_serviceaccount_kf-admin.yaml b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_serviceaccount_kf-admin.yaml
new file mode 100644
index 0000000000..b211eedf6a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/iap-ingress/~g_v1_serviceaccount_kf-admin.yaml
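Review bot: The `ports` list in ~g_v1_service_istio-ingressgateway.yaml publishes `https` (443), `kiali` (15029), `prometheus` (15030), `grafana` (15031), `tracing` (15032) and `tls` (15443) as node ports, while the IAP protection in this patch covers only the `http2` port. The BackendConfig annotation names `http2` alone, and the ingress-jwt Policy targets `number: 80` alone, so nothing visible here authenticates traffic that reaches the other ports. Whether they are reachable depends on the Gateway servers and node firewall rules, which the patch does not show. The Ingress and update_backend.sh reference only `http2` and `status-port`, so I would trim the list to those two entries. Failing that, add a comment above `ports:` recording which control protects the remaining ones.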
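Review bot: `namespace: istio-system` in ~g_v1_service_whoami-app.yaml does not match the embedded `healthcheck_route.yaml` in the envoy-config ConfigMap, which routes `/healthz` and `/whoami` to `host: whoami-app.kubeflow.svc.cluster.local`. That embedded manifest also still carries the unsubstituted `namespace: $(namespace)`, which suggests it is stale; neither script visible in this patch applies it, so this may be dead configuration. If the route is meant to be used, the host should read `whoami-app.istio-system.svc.cluster.local`; if not, removing `healthcheck_route.yaml` from the ConfigMap avoids a wildcard-host Gateway definition lying around unreviewed.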
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com
+ labels:
+ kustomize.component: iap-ingress
+ name: kf-admin
+ namespace: istio-system
diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Base.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Base.yaml
new file mode 100644
index 0000000000..bbd329e891
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Base.yaml
@@ -0,0 +1,5117 @@ +# Resources for Base component + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +rules: +- apiGroups: + - "config.istio.io" + - "rbac.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer + release: istio + name: attributemanifests.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + attributes: + additionalProperties: + properties: + description: + description: A human-readable description of the attribute's purpose. + format: string + type: string + valueType: + description: The type of data carried by this attribute. 
+ enum: + - VALUE_TYPE_UNSPECIFIED + - STRING + - INT64 + - DOUBLE + - BOOL + - TIMESTAMP + - IP_ADDRESS + - EMAIL_ADDRESS + - URI + - DNS_NAME + - DURATION + - STRING_MAP + type: string + type: object + description: The set of attributes this Istio component will be responsible + for producing at runtime. + type: object + name: + description: Name of the component producing these attributes. + format: string + type: string + revision: + description: The revision of this document. + format: string + type: string + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + heritage: Tiller + istio: rbac + release: istio + name: clusterrbacconfigs.rbac.istio.io +spec: + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + enforcementMode: + enum: + - ENFORCED + - PERMISSIVE + type: string + exclusion: + description: A list of services or namespaces that should not be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + inclusion: + description: A list of services or namespaces that should be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. 
+ items: + format: string + type: string + type: array + type: object + mode: + description: Istio RBAC mode. + enum: + - "OFF" + - "ON" + - ON_WITH_INCLUSION + - ON_WITH_EXCLUSION + type: string + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. 
+ format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a + backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP + upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on + the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to + the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to + a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more + details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. 
+ items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was + generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to SIDECAR_INBOUND context. 
+ format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + type: string + value: + description: The JSON config of the object being patched. + type: object + type: object + type: object + type: array + filters: + items: + properties: + filterConfig: + type: object + filterName: + description: The name of the filter to instantiate. + format: string + type: string + filterType: + description: The type of filter to instantiate. + enum: + - INVALID + - HTTP + - NETWORK + type: string + insertPosition: + description: Insert position in the filter chain. 
+ properties: + index: + description: Position of this filter in the filter chain. + enum: + - FIRST + - LAST + - BEFORE + - AFTER + type: string + relativeTo: + format: string + type: string + type: object + listenerMatch: + properties: + address: + description: One or more IP addresses to which the listener + is bound. + items: + format: string + type: string + type: array + listenerProtocol: + description: Selects a class of listeners for the same protocol. + enum: + - ALL + - HTTP + - TCP + type: string + listenerType: + description: Inbound vs outbound sidecar listener or gateway + listener. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + portNamePrefix: + format: string + type: string + portNumber: + type: integer + type: object + type: object + type: array + workloadLabels: + additionalProperties: + format: string + type: string + description: Deprecated. + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. 
+ items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: httpapispecbindings.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + api_specs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + apiSpecs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed HTTPAPISpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". 
+ format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. + format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: httpapispecs.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + api_keys: + items: + oneOf: + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. + format: string + type: string + type: object + type: array + apiKeys: + items: + oneOf: + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. 
+ format: string + type: string + type: object + type: array + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object + type: object + patterns: + description: List of HTTP patterns to match. + items: + oneOf: + - required: + - uriTemplate + - required: + - regex + properties: + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. 
+ type: object + type: object + httpMethod: + format: string + type: string + regex: + format: string + type: string + uriTemplate: + format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + name: meshpolicies.authentication.istio.io +spec: + group: authentication.istio.io + names: + categories: + - istio-io + - authentication-istio-io + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Authentication policy for Istio services. See more details + at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' + properties: + originIsOptional: + type: boolean + origins: + description: List of authentication methods that can be used for origin + authentication. + items: + properties: + jwt: + description: Jwt params for the method. + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. 
+ items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + peerIsOptional: + type: boolean + peers: + description: List of authentication methods that can be used for peer + authentication. + items: + oneOf: + - required: + - mtls + - required: + - jwt + properties: + jwt: + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. 
+ format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + mtls: + description: Set if mTLS is used. 
+ properties: + allowTls: + description: WILL BE DEPRECATED, if set, will translates to + `TLS_PERMISSIVE` mode. + type: boolean + mode: + description: Defines the mode of mTLS authentication. + enum: + - STRICT + - PERMISSIVE + type: string + type: object + type: object + type: array + principalBinding: + description: Define whether peer or origin identity should be use for + principal. + enum: + - USE_PEER + - USE_ORIGIN + type: string + targets: + description: List rules to select workloads that the policy should be + applied on. + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: The name must be a short name from the service registry. + format: string + type: string + ports: + description: Specifies the ports. + items: + oneOf: + - required: + - number + - required: + - name + properties: + name: + format: string + type: string + number: + type: integer + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + name: policies.authentication.istio.io +spec: + group: authentication.istio.io + names: + categories: + - istio-io + - authentication-istio-io + kind: Policy + plural: policies + singular: policy + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Authentication policy for Istio services. See more details + at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' + properties: + originIsOptional: + type: boolean + origins: + description: List of authentication methods that can be used for origin + authentication. + items: + properties: + jwt: + description: Jwt params for the method. 
+ properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + peerIsOptional: + type: boolean + peers: + description: List of authentication methods that can be used for peer + authentication. + items: + oneOf: + - required: + - mtls + - required: + - jwt + properties: + jwt: + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + mtls: + description: Set if mTLS is used. + properties: + allowTls: + description: WILL BE DEPRECATED, if set, will translates to + `TLS_PERMISSIVE` mode. + type: boolean + mode: + description: Defines the mode of mTLS authentication. + enum: + - STRICT + - PERMISSIVE + type: string + type: object + type: object + type: array + principalBinding: + description: Define whether peer or origin identity should be use for + principal. + enum: + - USE_PEER + - USE_ORIGIN + type: string + targets: + description: List rules to select workloads that the policy should be + applied on. + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: The name must be a short name from the service registry. + format: string + type: string + ports: + description: Specifies the ports. 
+ items: + oneOf: + - required: + - number + - required: + - name + properties: + name: + format: string + type: string + number: + type: integer + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + quotaSpecs: + items: + properties: + name: + description: The short name of the QuotaSpec. + format: string + type: string + namespace: + description: Optional namespace of the QuotaSpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed QuotaSpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. 
+ format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: Determines the quotas used for individual requests. + properties: + rules: + description: A list of Quota rules. + items: + properties: + match: + description: If empty, match all request. + items: + properties: + clause: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + description: Map of attribute names to StringMatch type. + type: object + type: object + type: array + quotas: + description: The list of quotas to charge. 
+ items: + properties: + charge: + format: int32 + type: integer + quota: + format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: rbac + package: istio.io.mixer + release: istio + name: rbacconfigs.rbac.istio.io +spec: + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + enforcementMode: + enum: + - ENFORCED + - PERMISSIVE + type: string + exclusion: + description: A list of services or namespaces that should not be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + inclusion: + description: A list of services or namespaces that should be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + mode: + description: Istio RBAC mode. 
+ enum: + - "OFF" + - "ON" + - ON_WITH_INCLUSION + - ON_WITH_EXCLUSION + type: string + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer + release: istio + name: rules.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: rule + plural: rules + singular: rule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + actions: + description: The actions that will be executed when match evaluates + to `true`. + items: + properties: + handler: + description: Fully qualified name of the handler to invoke. + format: string + type: string + instances: + items: + format: string + type: string + type: array + name: + description: A handle to refer to the results of the action. + format: string + type: string + type: object + type: array + match: + description: Match is an attribute based predicate. + format: string + type: string + requestHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. + enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + responseHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. 
+ enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + sampling: + properties: + random: + description: Provides filtering of actions based on random selection + per request. + properties: + attributeExpression: + description: Specifies an attribute expression to use to override + the numerator in the `percent_sampled` field. + format: string + type: string + percentSampled: + description: The default sampling rate, expressed as a percentage. + properties: + denominator: + description: Specifies the denominator. + enum: + - HUNDRED + - TEN_THOUSAND + type: string + numerator: + description: Specifies the numerator. + type: integer + type: object + useIndependentRandomness: + description: By default sampling will be based on the value + of the request header `x-request-id`. + type: boolean + type: object + rateLimit: + properties: + maxUnsampledEntries: + description: Number of entries to allow during the `sampling_duration` + before sampling is enforced. + format: int64 + type: integer + samplingDuration: + description: Window in which to enforce the sampling rate. + type: string + samplingRate: + description: The rate at which to sample entries once the unsampled + limit has been reached. 
+ format: int64 + type: integer + type: object + type: object + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL + or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. 
+ items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: array + resolution: + description: Service discovery mode for the hosts. 
+ enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: rbac + package: istio.io.mixer + release: istio + name: servicerolebindings.rbac.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + actions: + items: + properties: + constraints: + description: Optional. + items: + properties: + key: + description: Key of the constraint. + format: string + type: string + values: + description: List of valid values for the constraint. + items: + format: string + type: string + type: array + type: object + type: array + hosts: + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + items: + format: string + type: string + type: array + notMethods: + items: + format: string + type: string + type: array + notPaths: + items: + format: string + type: string + type: array + notPorts: + items: + format: int32 + type: integer + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + items: + format: int32 + type: integer + type: array + services: + description: A list of service names. + items: + format: string + type: string + type: array + type: object + type: array + mode: + enum: + - ENFORCED + - PERMISSIVE + type: string + role: + format: string + type: string + roleRef: + description: Reference to the ServiceRole object. + properties: + kind: + description: The type of the role being referenced. + format: string + type: string + name: + description: The name of the ServiceRole object being referenced. + format: string + type: string + type: object + subjects: + description: List of subjects that are assigned the ServiceRole object. + items: + properties: + group: + format: string + type: string + groups: + items: + format: string + type: string + type: array + ips: + items: + format: string + type: string + type: array + names: + items: + format: string + type: string + type: array + namespaces: + items: + format: string + type: string + type: array + notGroups: + items: + format: string + type: string + type: array + notIps: + items: + format: string + type: string + type: array + notNames: + items: + format: string + type: string + type: array + notNamespaces: + items: + format: string + type: string + type: array + properties: + additionalProperties: + format: string + type: string + description: Optional. + type: object + user: + description: Optional. 
+ format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: rbac + package: istio.io.mixer + release: istio + name: serviceroles.rbac.istio.io +spec: + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: ServiceRole + plural: serviceroles + singular: servicerole + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + rules: + description: The set of access rules (permissions) that the role has. + items: + properties: + constraints: + description: Optional. + items: + properties: + key: + description: Key of the constraint. + format: string + type: string + values: + description: List of valid values for the constraint. + items: + format: string + type: string + type: array + type: object + type: array + hosts: + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + items: + format: string + type: string + type: array + notMethods: + items: + format: string + type: string + type: array + notPaths: + items: + format: string + type: string + type: array + notPorts: + items: + format: int32 + type: integer + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + items: + format: int32 + type: integer + type: array + services: + description: A list of service names. 
+ items: + format: string + type: string + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these + routes. 
+ items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + appendHeaders: + additionalProperties: + format: string + type: string + type: object + appendRequestHeaders: + additionalProperties: + format: string + type: string + type: object + appendResponseHeaders: + additionalProperties: + format: string + type: string + type: object + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at + the client side. + properties: + abort: + oneOf: + - properties: + percent: {} + required: + - httpStatus + - properties: + percent: {} + required: + - grpcStatus + - properties: + percent: {} + required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percent: + description: Percentage of requests to be aborted with + the error code provided (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - properties: + percent: {} + required: + - fixedDelay + - properties: + percent: {} + required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + gateways: + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should + be case-insensitive. 
+ type: boolean + method: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + uri: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. 
+ nullable: true + type: integer + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A http rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + removeRequestHeaders: + items: + format: string + type: string + type: array + removeResponseHeaders: + items: + format: string + type: string + type: array + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per retry attempt for a given request. + type: string + retryOn: + description: Specifies the conditions under which retry takes + place. + format: string + type: string + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A http rule can either redirect or forward (default) + traffic. + items: + properties: + appendRequestHeaders: + additionalProperties: + format: string + type: string + description: Use of `append_request_headers` is deprecated. + type: object + appendResponseHeaders: + additionalProperties: + format: string + type: string + description: Use of `append_response_headers` is deprecated. + type: object + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + removeRequestHeaders: + description: Use of `remove_request_headers` is deprecated. + items: + format: string + type: string + type: array + removeResponseHeaders: + description: Use of `remove_response_header` is deprecated. + items: + format: string + type: string + type: array + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests. + type: string + websocketUpgrade: + description: Deprecated. + type: boolean + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied to. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied to. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- + + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio +spec: + 
group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + plural: sidecars + singular: sidecar + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The ip to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: object + type: array + outboundTrafficPolicy: + description: This allows to configure the outbound traffic policy. + properties: + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- + + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more details + at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html' + properties: + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. 
+ items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + values: + description: The allowed values for the attribute. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object + versions: + - name: v1beta1 + served: true + storage: true +--- + + +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-operator-managed: Reconcile + istio-injection: disabled +--- + + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-reader-service-account + namespace: istio-system + labels: + app: istio-reader + release: istio +--- diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/CertManager/CertManager.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/CertManager/CertManager.yaml new file mode 100644 index 0000000000..0dd40cde7f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/CertManager/CertManager.yaml @@ -0,0 +1 @@ +# CertManager component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Citadel/Citadel.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Citadel/Citadel.yaml new file mode 100644 index 0000000000..c1f4f7f67b 
--- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Citadel/Citadel.yaml @@ -0,0 +1 @@ +# Citadel component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Cni/Cni.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Cni/Cni.yaml new file mode 100644 index 0000000000..4fff880151 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Cni/Cni.yaml @@ -0,0 +1 @@ +# Cni component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/EgressGateway/EgressGateway.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/EgressGateway/EgressGateway.yaml new file mode 100644 index 0000000000..d039ac23fd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/EgressGateway/EgressGateway.yaml @@ -0,0 +1 @@ +# EgressGateway component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Galley/Galley.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Galley/Galley.yaml new file mode 100644 index 0000000000..e87a66ca41 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Galley/Galley.yaml 
@@ -0,0 +1,593 @@ +# Resources for Galley component + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + release: istio +rules: + # For reading Istio resources + - apiGroups: [ + "authentication.istio.io", + "config.istio.io", + "networking.istio.io", + "rbac.istio.io", + "security.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] + # For updating Istio resource statuses + - apiGroups: [ + "authentication.istio.io", + "config.istio.io", + "networking.istio.io", + "rbac.istio.io", + "security.istio.io"] + resources: ["*/status"] + verbs: ["update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] + - apiGroups: ["extensions","apps"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] + - apiGroups: [""] + resources: ["pods", "nodes", "services", "endpoints", "namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["namespaces/finalizers"] + verbs: ["update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["get", "list", "watch"] +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: istio-system + name: galley-envoy-config + labels: + app: galley + istio: galley + release: istio +data: + envoy.yaml.tmpl: |- + admin: + access_log_path: /dev/null + address: + 
socket_address: + address: 127.0.0.1 + port_value: 15000 + + static_resources: + + clusters: + - name: in.9901 + http2_protocol_options: {} + connect_timeout: 1.000s + + hosts: + - socket_address: + address: 127.0.0.1 + port_value: 9901 + + circuit_breakers: + thresholds: + - max_connections: 100000 + max_pending_requests: 100000 + max_requests: 100000 + max_retries: 3 + + listeners: + - name: "15019" + address: + socket_address: + address: 0.0.0.0 + port_value: 15019 + filter_chains: + - filters: + - name: envoy.http_connection_manager + config: + codec_type: HTTP2 + stat_prefix: "15010" + http2_protocol_options: + max_concurrent_streams: 1073741824 + + access_log: + - name: envoy.file_access_log + config: + path: /dev/stdout + + http_filters: + - name: envoy.router + + route_config: + name: "15019" + + virtual_hosts: + - name: istio-galley + + domains: + - '*' + + routes: + - match: + prefix: / + route: + cluster: in.9901 + timeout: 0.000s + tls_context: + common_tls_context: + alpn_protocols: + - h2 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: 
istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-mesh-galley + namespace: istio-system + labels: + release: istio +data: + mesh: |- + {} +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: istio-system + labels: + release: istio +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley-istio-system + namespace: istio-system + labels: + app: galley + release: istio + istio: galley + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + sideEffects: None + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + 
- v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + - adapters + - handlers + - instances + - templates + - zipkins + failurePolicy: Fail + sideEffects: None +--- + + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: galley + istio: galley + release: istio + name: istio-galley + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + istio: galley + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: galley + chart: galley + heritage: Tiller + istio: galley + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - command: + - /usr/local/bin/galley + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/tmp/healthliveness + - --readinessProbePath=/tmp/healthready + - --readinessProbeInterval=1s + - --insecure=true + - --enable-validation=true + - --enable-reconcileWebhookConfiguration=true + - 
--enable-server=true + - --deployment-namespace=istio-system + - --validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort=15014 + - --validation-port=9443 + - --log_output_level=default:info + - --validation.tls.clientCertificate=/etc/dnscerts/cert-chain.pem + - --validation.tls.privateKey=/etc/dnscerts/key.pem + - --validation.tls.caCertificates=/etc/dnscerts/root-cert.pem + image: gcr.io/gke-release/asm/galley:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/tmp/healthliveness + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + name: galley + ports: + - containerPort: 9443 + - containerPort: 15014 + - containerPort: 15019 + - containerPort: 9901 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/tmp/healthready + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 100m + volumeMounts: + - mountPath: /etc/dnscerts + name: dnscerts + readOnly: true + - mountPath: /etc/config + name: config + readOnly: true + - mountPath: /etc/mesh-config + name: mesh-config + readOnly: true + - args: + - proxy + - --serviceCluster + - istio-galley + - --templateFile + - /var/lib/istio/galley/envoy/envoy.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --trust-domain=issue-label-bot-dev.svc.id.goog + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: SDS_ENABLED + value: "true" + image: gcr.io/gke-release/asm/proxyv2:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 9902 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + 
volumeMounts: + - mountPath: /var/lib/istio/galley/envoy + name: envoy-config + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + serviceAccountName: istio-galley-service-account + volumes: + - hostPath: + path: /var/run/sds + name: sds-uds-path + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: issue-label-bot-dev.svc.id.goog + expirationSeconds: 43200 + path: istio-token + - name: dnscerts + secret: + secretName: dns.istio-galley-service-account + - configMap: + name: galley-envoy-config + name: envoy-config + - configMap: + name: istio-galley-configuration + name: config + - configMap: + name: istio-mesh-galley + name: mesh-config + +--- + + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + release: istio + istio: galley +spec: + minAvailable: 1 + selector: + matchLabels: + app: galley + release: istio + istio: galley +--- + + +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + istio: galley + release: istio +spec: + ports: + - port: 443 + name: https-validation + targetPort: 9443 + - port: 15014 + name: http-monitoring + - port: 9901 + name: grpc-mcp + - port: 15019 + name: grpc-tls-mcp + selector: + istio: galley +--- + + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + namespace: istio-system + labels: + app: galley + release: istio +--- diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Grafana/Grafana.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Grafana/Grafana.yaml new file mode 100644 index 0000000000..5e5eed5e8b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Grafana/Grafana.yaml @@ -0,0 +1 @@ +# Grafana component is disabled. 
diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/IngressGateway/IngressGateway.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/IngressGateway/IngressGateway.yaml
new file mode 100644
index 0000000000..cb5b6f19c2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/IngressGateway/IngressGateway.yaml
@@ -0,0 +1,417 @@ +# Resources for IngressGateway component + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway + +--- + + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + istio: ingressgateway + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - env: + - name: ENABLE_WORKLOAD_SDS + value: "false" + - name: ENABLE_INGRESS_GATEWAY_SDS + value: "true" + - name: INGRESS_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: gcr.io/gke-release/asm/node-agent-k8s:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: ingress-sds + 
resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/run/ingress_gateway + name: ingressgatewaysdsudspath + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --connectTimeout + - 10s + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin.istio-system:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --stsPort=15463 + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --discoveryAddress + - istio-pilot.istio-system:15011 + - --trust-domain=issue-label-bot-dev.svc.id.goog + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: jlewi-dev_us-central1_kf-bp-0420-002 + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_USER_SDS + value: "true" + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + - name: GCP_METADATA + value: issue-label-bot-dev|976279526634|code-intelligence|us-central1 + - name: 
ISTIO_METAJSON_LABELS + value: | + {"app":"istio-ingressgateway","istio":"ingressgateway"} + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: SDS_ENABLED + value: "true" + image: gcr.io/gke-release/asm/proxyv2:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15020 + - containerPort: 80 + - containerPort: 443 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15443 + - containerPort: 15011 + - containerPort: 8060 + - containerPort: 853 + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/run/sds + name: sdsudspath + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ingress_gateway + name: ingressgatewaysdsudspath + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + serviceAccountName: istio-ingressgateway-service-account + volumes: + - emptyDir: {} + name: ingressgatewaysdsudspath + - hostPath: + path: /var/run/sds + name: sdsudspath + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: issue-label-bot-dev.svc.id.goog + expirationSeconds: 43200 + path: istio-token + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs + +--- + + +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: ingressgateway + namespace: istio-system + labels: + 
release: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + # Additional ports in gateaway for the ingressPorts - apps using dedicated port instead of hostname +--- + + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: ingressgateway + namespace: istio-system + labels: + app: istio-ingressgateway + release: istio + istio: ingressgateway +spec: + minAvailable: 1 + selector: + matchLabels: + app: istio-ingressgateway + release: istio + istio: ingressgateway +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds + namespace: istio-system + labels: + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds + namespace: istio-system + labels: + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account +--- + + +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + namespace: istio-system + annotations: + labels: + app: istio-ingressgateway + release: istio + istio: ingressgateway +spec: + type: NodePort + selector: + app: istio-ingressgateway + ports: + - + name: status-port + port: 15020 + targetPort: 15020 + - + name: http2 + port: 80 + targetPort: 80 + - + name: https + port: 443 + - + name: kiali + port: 15029 + targetPort: 15029 + - + name: prometheus + port: 15030 + targetPort: 15030 + - + name: grafana + port: 15031 + targetPort: 15031 + - + name: tracing + port: 15032 + targetPort: 15032 + - + name: tls + port: 15443 + targetPort: 15443 +--- + + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-ingressgateway-service-account + namespace: istio-system + labels: + app: istio-ingressgateway + 
release: istio +--- + + +apiVersion: networking.istio.io/v1alpha3 +kind: Sidecar +metadata: + name: default + namespace: istio-system + labels: + release: istio +spec: + egress: + - hosts: + - "*/*" +--- diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Injector/Injector.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Injector/Injector.yaml new file mode 100644 index 0000000000..8a4e90d696 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Injector/Injector.yaml 
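Review bot: The `istio-ingressgateway-sds` Role lets `istio-ingressgateway-service-account` `get`, `watch` and `list` every Secret in `istio-system`, the same namespace whose `dns.istio-galley-service-account` and `dns.istio-sidecar-injector-service-account` secrets supply the webhook TLS keys mounted by the Galley and injector Deployments in this patch. Since the commit message says this gateway will also take Dialogflow calls that do not pass through IAP, a compromised gateway pod would be able to read those keys. The ingress SDS agent probably needs list/watch, so narrowing the rule with `resourceNames` may not be workable; if so, I would at least record the constraint above the Role, e.g. `# edge gateway can read all Secrets in istio-system; keep only gateway TLS secrets in this namespace`, and consider running the gateway in a namespace of its own. The file looks like rendered output under `.build/`, so the change likely belongs in the source overlay rather than in this file.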
@@ -0,0 +1,790 @@ +# Resources for Injector component + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-sidecar-injector-istio-system + labels: + app: sidecar-injector + release: istio + istio: sidecar-injector +rules: +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["istio-sidecar-injector"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + resourceNames: ["istio-sidecar-injector", "istio-sidecar-injector-istio-system"] + verbs: ["get", "list", "watch", "patch"] +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-sidecar-injector-admin-role-binding-istio-system + labels: + app: sidecar-injector + release: istio + istio: sidecar-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-sidecar-injector-istio-system +subjects: + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: istio-system +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: injector-mesh + namespace: istio-system + labels: + release: istio +data: + # This is the 'mesh' config, loaded by the sidecar injector. + # It is a different configmap from pilot to allow a-la-carte install of the injector and follow the model + # of reducing blast-radius of config changes and avoiding globals. + + # Note that injector uses a subset of the mesh config only - for clarity this is only generating the + # required config, i.e. the defaultConfig section. See injection-template .ProxyConfig settings. + + + mesh: |- + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "unix:/var/run/sds/uds_path" + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. 
+ connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. 
+ controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15011 +--- + + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + release: istio + name: istio-sidecar-injector + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + istio: sidecar-injector + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + istio: sidecar-injector + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --port=9443 + - --healthCheckInterval=2s + - --healthCheckFile=/tmp/health + - --reconcileWebhookConfig=true + - --webhookConfigName=istio-sidecar-injector + - --log_output_level=debug + image: gcr.io/gke-release/asm/sidecar_injector:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/tmp/health + - --interval=4s + initialDelaySeconds: 4 + 
periodSeconds: 4 + name: sidecar-injector-webhook + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/tmp/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/istio/config + name: config-volume + readOnly: true + - mountPath: /etc/istio/certs + name: certs + readOnly: true + - mountPath: /etc/istio/inject + name: inject-config + readOnly: true + serviceAccountName: istio-sidecar-injector-service-account + volumes: + - configMap: + name: injector-mesh + name: config-volume + - name: certs + secret: + secretName: dns.istio-sidecar-injector-service-account + - configMap: + items: + - key: config + path: config + - key: values + path: values + name: istio-sidecar-injector + name: inject-config + +--- + + +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + + labels: + app: sidecar-injector + release: istio +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istio-sidecar-injector + namespace: istio-system + path: "/inject" + caBundle: "" + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + namespaceSelector: + matchLabels: + istio-injection: enabled +--- + + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecar-injector + release: istio + istio: sidecar-injector +spec: + minAvailable: 1 + selector: + matchLabels: + app: sidecar-injector + release: istio + istio: sidecar-injector +--- + + +apiVersion: v1 +kind: Service +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecarInjectorWebhook + release: istio + istio: sidecar-injector +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + istio: sidecar-injector +--- + + 
+apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-sidecar-injector-service-account + namespace: istio-system + labels: + app: sidecarInjectorWebhook + release: istio + istio: sidecar-injector +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + release: istio + app: sidecar-injector + istio: sidecar-injector +data: + values: |- + {"certmanager":{"enabled":false,"hub":"quay.io/jetstack","image":"cert-manager-controller","namespace":"istio-system","tag":"v0.6.2"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":true,"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"namespace":"istio-system","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP","zvpn":{"enabled":true,"suffix":"global"}},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"debug":"info","domain":"","enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"namespace":"istio-system","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032
},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":true,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"type":"NodePort","zvpn":{"enabled":true,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[{"dnsNames":["istio-galley.istio-system.svc","istio-galley.istio-system"],"secretName":"dns.istio-galley-service-account"},{"dnsNames":["istio-sidecar-injector.istio-system.svc","istio-sidecar-injector.istio-system"],"secretName":"dns.istio-sidecar-injector-service-account"}],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"gcr.io/gke-release/asm","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":false},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"jlewi-dev_us-central1_kf-bp-0420-002","meshNetworks":{},"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"policyNamespace":"istio-system","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLo
gFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"env":{"GCP_METADATA":"issue-label-bot-dev|976279526634|code-intelligence|us-central1"},"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"0s","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":true,"token":{"aud":"issue-label-bot-dev.svc.id.goog"},"udsPath":"unix:/var/run/sds/uds_path"},"securityNamespace":"istio-system","sts":{"servicePort":15463},"tag":"1.4.7-asm.0","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"issue-label-bot-dev.svc.id.goog","useMCP":true},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":false,"e
nv":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.4.3"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSelector":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":false,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.15"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":false,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":true,"enabled":false,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":true,"enabled":false,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityL
abelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"tolerations":[],"useMCP":true}},"nodeagent":{"enabled":true,"env":{"CA_ADDR":"meshca.googleapis.com:443","CA_PROVIDER":"GoogleCA","GKE_CLUSTER_URL":"https://container.googleapis.com/v1/projects/issue-label-bot-dev/locations/us-central1/clusters/code-intelligence","PLUGINS":"GoogleTokenExchange","VALID_TOKEN":true},"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":false,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"OFF","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1,"useMCP":true},"prometheus":{"contextPath":"/prometheus","enabled":false,"hub":"docker.io/prom","ingress":{"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.12.0","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":false,"image":"citadel","namespace":"istio-system","selfSigned":true,"trustDomain":"cluster.local"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnota
tions":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":true,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":false},"v2":{"enabled":true,"prometheus":{"enabled":false},"stackdriver":{"configOverride":{},"enabled":true,"logging":true,"monitoring":false,"topology":true}}},"tracing":{"enabled":false,"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":false,"hub":"docker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.14"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""} + + config: |- + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + template: | + {{- $cniDisabled := (not .Values.istio_cni.enabled) }} + {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }} + {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }} + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} 
+ {{- if $enableInitContainer }} + initContainers: + {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if $cniRepairEnabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + command: + {{- if $cniRepairEnabled }} + - istio-iptables-go + {{- else }} + - istio-iptables + {{- end }} + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - 1337 + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if $cniRepairEnabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{- end }} + 
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .Values.global.proxy_init.resources }} + resources: + {{ toYaml .Values.global.proxy_init.resources | indent 4 }} + {{- else }} + resources: {} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not $cniRepairEnabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + readOnlyRootFilesystem: false + {{- if not $cniRepairEnabled }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - 
$(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --configPath + - "/etc/istio/proxy" + - --binaryPath + - "/usr/local/bin/envoy" + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --drainDuration + - "{{ formatDuration .ProxyConfig.DrainDuration }}" + - --parentShutdownDuration + - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" + - --discoveryAddress + - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" + {{- if eq .Values.global.proxy.tracer "lightstep" }} + - --lightstepAddress + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" + - --lightstepAccessToken + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" + - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} + - --lightstepCacertPath + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + - --zipkinAddress + - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" + {{- else if eq .Values.global.proxy.tracer "datadog" }} + - --datadogAgentAddress + - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" + {{- end }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + - --connectTimeout + - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" + {{- if .Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - "{{ .ProxyConfig.StatsdUdpAddress }}" + {{- end }} + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" + 
{{- end }} + {{- if .Values.global.proxy.envoyAccessLogService.enabled }} + - --envoyAccessLogServiceAddress + - "{{ .ProxyConfig.GetEnvoyAccessLogService.GetAddress }}" + {{- end }} + - --proxyAdminPort + - "{{ .ProxyConfig.ProxyAdminPort }}" + {{ if gt .ProxyConfig.Concurrency 0 -}} + - --concurrency + - "{{ .ProxyConfig.Concurrency }}" + {{ end -}} + {{- if .Values.global.controlPlaneSecurityEnabled }} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + {{- else }} + - --controlPlaneAuthPolicy + - NONE + {{- end }} + - --dnsRefreshRate + - {{ valueOrDefault .Values.global.proxy.dnsRefreshRate "300s" }} + {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} + - --statusPort + - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" + - --applicationPorts + - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" + + {{- end }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - --templateFile=/etc/istio/custom-bootstrap/envoy_bootstrap.json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.proxy.env }} + {{- range 
$key, $val := .Values.global.proxy.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- if eq .Values.global.proxy.tracer "datadog" }} + {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- end }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{ if .ObjectMeta.Labels }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ toJSON .ObjectMeta.Labels }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{ .DeploymentMeta.Name }} + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: 
kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: ISTIO_META_SDS_TOKEN_PATH + value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if .Values.global.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.trustDomain }}" + {{- end }} + {{- if eq .Values.global.proxy.tracer "stackdriver" }} + - name: STACKDRIVER_TRACING_ENABLED + value: "true" + - name: STACKDRIVER_TRACING_DEBUG + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}" + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations.Value }}" + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes.Value }}" + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents.Value }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ annotation .ObjectMeta 
`status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + add: + - NET_ADMIN + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end}} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{ else -}} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{ end -}} + volumeMounts: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + - mountPath: /etc/istio/proxy + 
name: istio-envoy + {{- if .Values.global.sds.enabled }} + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.sds.customTokenDirectory }} + - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" + name: custom-sds-token + readOnly: true + {{- end }} + {{- else }} + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + - emptyDir: + medium: Memory + name: istio-envoy + {{- if .Values.global.sds.enabled }} + - name: sds-uds-path + hostPath: + path: /var/run/sds + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: custom-sds-token + secret: + secretName: sdstokensecret + {{- end }} + {{- else }} + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations 
`sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.podDNSSearchNamespaces }} + dnsConfig: + searches: + {{- range .Values.global.podDNSSearchNamespaces }} + - {{ render . }} + {{- end }} + {{- end }} + injectedAnnotations: +--- diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Kiali/Kiali.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Kiali/Kiali.yaml new file mode 100644 index 0000000000..b37bd72f9d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Kiali/Kiali.yaml @@ -0,0 +1 @@ +# Kiali component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/NodeAgent/NodeAgent.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/NodeAgent/NodeAgent.yaml new file mode 100644 index 0000000000..50b87bc275 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/NodeAgent/NodeAgent.yaml 
@@ -0,0 +1,133 @@ +# Resources for NodeAgent component + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-nodeagent-istio-system + labels: + app: istio-nodeagent + release: istio +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-nodeagent-istio-system + labels: + app: istio-nodeagent + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-nodeagent-istio-system +subjects: + - kind: ServiceAccount + name: istio-nodeagent-service-account + namespace: istio-system +--- + + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: istio-nodeagent + namespace: istio-system + labels: + app: istio-nodeagent + istio: nodeagent + release: istio +spec: + selector: + matchLabels: + istio: nodeagent + template: + metadata: + labels: + app: istio-nodeagent + istio: nodeagent + release: istio + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-nodeagent-service-account + containers: + - name: nodeagent + image: "gcr.io/gke-release/asm/node-agent-k8s:1.4.7-asm.0" + imagePullPolicy: IfNotPresent + args: + volumeMounts: + - mountPath: /var/run/sds + name: sdsudspath + env: + - name: CA_ADDR + value: "meshca.googleapis.com:443" + - name: CA_PROVIDER + value: "GoogleCA" + - name: GKE_CLUSTER_URL + value: "https://container.googleapis.com/v1/projects/issue-label-bot-dev/locations/us-central1/clusters/code-intelligence" + - name: PLUGINS + value: "GoogleTokenExchange" + - name: VALID_TOKEN + value: "true" + - name: "TRUST_DOMAIN" + value: "issue-label-bot-dev.svc.id.goog" + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumes: + - name: sdsudspath + hostPath: + path: /var/run/sds + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: 
beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + updateStrategy: + type: RollingUpdate +--- + + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-nodeagent-service-account + namespace: istio-system + labels: + app: istio-nodeagent + release: istio +--- diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Pilot/Pilot.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Pilot/Pilot.yaml new file mode 100644 index 0000000000..f82ddbb5b3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Pilot/Pilot.yaml 
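Review bot: The `nodeagent` container in the DaemonSet declares no `securityContext`, although it mounts the `/var/run/sds` hostPath read-write, the same path that the injected sidecars and the Pilot proxy in this patch mount read-only to obtain mTLS keys and certificates over SDS. As written it runs on every node with whatever user and capabilities the image defaults to. I would add `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` to the container and `type: DirectoryOrCreate` to the `hostPath`, after confirming the node-agent image still starts under those restrictions. The bare `args:` key in the same container parses as null and can be dropped. The file sits under `.build/`, so it is presumably rendered output and the change belongs in the configuration that generates it.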
@@ -0,0 +1,1144 @@ +# Resources for Pilot component + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: pilot + release: istio + name: istio-pilot + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-pilot + +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + release: istio +rules: +- apiGroups: ["config.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["security.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["ingresses", "ingresses/status"] + verbs: ["*"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", "delete"] +- apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete"] +--- + + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-istio-system +subjects: + - 
kind: ServiceAccount + name: istio-pilot-service-account + namespace: istio-system +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: istio-system + name: pilot-envoy-config + labels: + release: istio +data: + envoy.yaml.tmpl: |- + admin: + access_log_path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 15000 + + static_resources: + clusters: + - name: in.15010 + http2_protocol_options: {} + connect_timeout: 1.000s + + hosts: + - socket_address: + address: 127.0.0.1 + port_value: 15010 + + circuit_breakers: + thresholds: + - max_connections: 100000 + max_pending_requests: 100000 + max_requests: 100000 + max_retries: 3 + + # TODO: telemetry using EDS + # TODO: other pilots using EDS, load balancing + # TODO: galley using EDS + + - name: out.galley.15019 + http2_protocol_options: {} + connect_timeout: 1.000s + type: STRICT_DNS + + circuit_breakers: + thresholds: + - max_connections: 100000 + max_pending_requests: 100000 + max_requests: 100000 + max_retries: 3 + hosts: + - socket_address: + address: istio-galley.istio-system + port_value: 15019 + tls_context: + common_tls_context: + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: + - spiffe://issue-label-bot-dev.svc.id.goog/ns/istio-system/sa/istio-galley-service-account + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + 
target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + + listeners: + - name: "in.15011" + address: + socket_address: + address: 0.0.0.0 + port_value: 15011 + filter_chains: + - filters: + - name: envoy.http_connection_manager + #typed_config + #"@type": "type.googleapis.com/", + config: + codec_type: HTTP2 + stat_prefix: "15011" + http2_protocol_options: + max_concurrent_streams: 1073741824 + + access_log: + - name: envoy.file_access_log + config: + path: /dev/stdout + + http_filters: + - name: envoy.router + + route_config: + name: "15011" + + virtual_hosts: + - name: istio-pilot + + domains: + - '*' + + routes: + - match: + prefix: / + route: + cluster: in.15010 + timeout: 0.000s + decorator: + operation: xDS + tls_context: + common_tls_context: + alpn_protocols: + - h2 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - 
from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true + + + # Manual 'whitebox' mode + - name: "local.15019" + address: + socket_address: + address: 127.0.0.1 + port_value: 15019 + filter_chains: + - filters: + - name: envoy.http_connection_manager + config: + codec_type: HTTP2 + stat_prefix: "15019" + http2_protocol_options: + max_concurrent_streams: 1073741824 + + access_log: + - name: envoy.file_access_log + config: + path: /dev/stdout + + http_filters: + - name: envoy.router + + route_config: + name: "15019" + + virtual_hosts: + - name: istio-galley + + domains: + - '*' + + routes: + - match: + prefix: / + route: + cluster: out.galley.15019 + timeout: 0.000s +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + release: istio +data: + + meshNetworks: |- + # Network config + networks: {} + + values.yaml: |- + appNamespaces: [] + autoscaleEnabled: true + autoscaleMax: 5 + autoscaleMin: 1 + configMap: true + configNamespace: istio-config + cpu: + targetAverageUtilization: 80 + enableProtocolSniffingForInbound: false + enableProtocolSniffingForOutbound: false + enabled: true + env: {} + image: pilot + ingress: + ingressClass: istio + ingressControllerMode: "OFF" + ingressService: istio-ingressgateway + keepaliveMaxServerConnectionAge: 30m + meshNetworks: + networks: {} + namespace: istio-system + nodeSelector: {} + plugins: [] + podAnnotations: {} + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + policy: + enabled: false + replicaCount: 1 + resources: + requests: + cpu: 500m + memory: 2048Mi + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + tolerations: [] + traceSampling: 1 + useMCP: true + + mesh: |- + # Set enableTracing to 
false to disable request tracing. + enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "" + + accessLogFormat: "" + + accessLogEncoding: 'TEXT' + + enableEnvoyAccessLogService: false + # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server + reportBatchMaxEntries: 100 + # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server + reportBatchMaxTime: 1s + disableMixerHttpReports: true + + disablePolicyChecks: true + + # Automatic protocol detection uses a set of heuristics to + # determine whether the connection is using TLS or not (on the + # server side), as well as the application protocol being used + # (e.g., http vs tcp). These heuristics rely on the client sending + # the first bits of data. For server first protocols like MySQL, + # MongoDB, etc., Envoy will timeout on the protocol detection after + # the specified period, defaulting to non mTLS plain TCP + # traffic. Set this field to tweak the period that Envoy will wait + # for the client to send the first bits of data. (MUST BE >=1ms) + protocolDetectionTimeout: 0s + + # This is the k8s ingress service name, update if you used a different name + ingressService: "istio-ingressgateway" + ingressControllerMode: "OFF" + ingressClass: "istio" + + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "issue-label-bot-dev.svc.id.goog" + + # The trust domain aliases represent the aliases of trust_domain. + # For example, if we have + # trustDomain: td1 + # trustDomainAliases: [“td2”, "td3"] + # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account", + # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh. 
+ trustDomainAliases: + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "unix:/var/run/sds/uds_path" + + # If true, automatically configure client side mTLS settings to match the corresponding service's + # server side mTLS authentication policy, when destination rule for that service does not specify + # TLS settings. + enableAutoMtls: false + config_sources: + - address: localhost:15019 + + outboundTrafficPolicy: + mode: ALLOW_ANY + + # Configures DNS certificates provisioned through Chiron linked into Pilot. + # The DNS certificate provisioning is enabled by default now so it get tested. + # TODO (lei-tang): we'll decide whether enable it by default or not before Istio 1.4 Release. + certificates: + - dnsNames: + - istio-galley.istio-system.svc + - istio-galley.istio-system + secretName: dns.istio-galley-service-account + - dnsNames: + - istio-sidecar-injector.istio-system.svc + - istio-sidecar-injector.istio-system + secretName: dns.istio-sidecar-injector-service-account + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. 
See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15011 +--- + + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: pilot + istio: pilot + release: istio + name: istio-pilot + namespace: istio-system +spec: + selector: + matchLabels: + istio: pilot + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: pilot + chart: pilot + heritage: Tiller + istio: pilot + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - discovery + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --secureGrpcAddr + - "" + - --trust-domain=issue-label-bot-dev.svc.id.goog + - --keepaliveMaxServerConnectionAge + - 30m + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + 
fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: CONFIG_NAMESPACE + value: istio-config + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "false" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "false" + image: gcr.io/gke-release/asm/pilot:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: discovery + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + resources: + requests: + cpu: 2000m + memory: 2048Mi + volumeMounts: + - mountPath: /etc/istio/config + name: config-volume + - args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-pilot + - --templateFile + - /var/lib/envoy/envoy.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --trust-domain=issue-label-bot-dev.svc.id.goog + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: SDS_ENABLED + value: "true" + image: gcr.io/gke-release/asm/proxyv2:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15011 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/lib/envoy + name: pilot-envoy-config + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + serviceAccountName: istio-pilot-service-account + volumes: + - hostPath: + path: /var/run/sds + name: sds-uds-path + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: 
issue-label-bot-dev.svc.id.goog + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + name: config-volume + - configMap: + name: pilot-envoy-config + name: pilot-envoy-config + +--- + + +apiVersion: "authentication.istio.io/v1alpha1" +kind: "MeshPolicy" +metadata: + name: "default" + labels: + release: istio +spec: + peers: + - mtls: + mode: PERMISSIVE +--- + + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: pilot + release: istio + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: pilot + release: istio + istio: pilot +--- + + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: promsd-istio-system +rules: +- apiGroups: + - "" + resources: + - nodes + - services + - endpoints + - pods + - nodes/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- nonResourceURLs: + - /metrics + verbs: + - get +--- + + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: promsd + namespace: istio-system +--- + + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + addonmanager.kubernetes.io/mode: Reconcile + k8s-app: istio + name: promsd-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: promsd-istio-system +subjects: +- kind: ServiceAccount + name: promsd + namespace: istio-system +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: promsd + namespace: istio-system +data: + prometheus.yml: |- + global: + scrape_interval: 15s + rule_files: + - '/etc/prometheus-rules/rules.yml' + scrape_configs: + - job_name: 'pilot' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. 
+ kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: promsd-rules + namespace: istio-system +data: + rules.yml: |- + groups: + - name: recording_rules + rules: + - record: pilot_config_push_latency + expr: pilot_proxy_convergence_time_bucket + - record: pilot_xds_push_timeouts + expr: pilot_xds_push_context_errors + - record: pilot_errors_xds + expr: > + pilot_duplicate_envoy_clusters + pilot_conflict_outbound_listener_http_over_current_tcp + + pilot_conflict_outbound_listener_http_over_https + pilot_conflict_outbound_listener_tcp_over_current_http + + pilot_conflict_outbound_listener_tcp_over_current_tcp + + pilot_eds_no_instances + pilot_endpoint_not_ready + + pilot_total_xds_internal_errors + pilot_total_xds_rejects +--- + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: promsd-sidecar + namespace: istio-system +data: + sidecar.yml: |- + static_metadata: + - metric: pilot_xds_pushes + type: counter + - metric: pilot_config_push_latency + type: histogram + - metric: pilot_xds_push_timeouts + type: counter + - metric: pilot_errors_xds + type: counter + - metric: pilot_errors_internal + type: counter +--- + + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/scrape: "true" + labels: + app: promsd + name: promsd + namespace: istio-system +spec: + ports: + - name: http-prometheus + port: 9090 + protocol: TCP + selector: + app: promsd +--- + + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: promsd + namespace: istio-system +spec: + selector: + matchLabels: + app: promsd + template: + metadata: + labels: + app: promsd + annotations: + seccomp.security.alpha.kubernetes.io/pod: 'docker/default' + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: 
+ serviceAccountName: promsd + containers: + - args: + - --prometheus.wal-directory=/data/wal + - --stackdriver.project-id= + - --stackdriver.kubernetes.location= + - --stackdriver.kubernetes.cluster-name= + - --stackdriver.use-gke-resource + - --stackdriver.metrics-prefix=container.googleapis.com/internal/addons/istio + - --config-file=/etc/prometheus-sidecar/sidecar.yml + - --filter=__name__=~"^(pilot_xds_pushes|pilot_xds_push_timeouts|pilot_errors_xds)$" + image: "gcr.io/gke-release/asm/stackdriver-prometheus-sidecar:1.4.7-asm.0" + env: + - name: DEBUG + value: "1" + imagePullPolicy: Always + name: sidecar + ports: + - containerPort: 9091 + name: sidecar + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data + name: data-volume + - mountPath: /etc/prometheus-sidecar + name: static-config-volume + - args: + - --storage.tsdb.retention=6h + - --storage.tsdb.path=/data + - --storage.tsdb.min-block-duration=15m + - --storage.tsdb.max-block-duration=4h + - --config.file=/etc/prometheus/prometheus.yml + image: "gcr.io/gke-release/asm/prometheus:1.4.7-asm.0" + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /-/healthy + port: 9090 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: promsd + ports: + - containerPort: 9090 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /-/ready + port: 9090 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/prometheus + name: config-volume + - mountPath: /etc/prometheus-rules + name: rules-config-volume + - mountPath: /etc/istio-certs + name: istio-certs + - mountPath: /data + name: data-volume + volumes: + - configMap: + defaultMode: 420 + name: promsd + name: config-volume + - configMap: + 
defaultMode: 420 + name: promsd-rules + name: rules-config-volume + - emptyDir: {} + name: data-volume + - configMap: + defaultMode: 420 + name: promsd-sidecar + name: static-config-volume + - name: istio-certs + secret: + defaultMode: 420 + optional: true + secretName: istio.default + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- + + +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: pilot + release: istio + istio: pilot +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + selector: + istio: pilot +--- + + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-pilot-service-account + namespace: istio-system + labels: + app: pilot + release: istio +--- + + +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.4 + namespace: istio-system +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: ANY # inbound, outbound, and gateway + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + configuration: envoy.wasm.metadata_exchange + vm_config: + runtime: envoy.wasm.runtime.null + code: + inline_string: 
envoy.wasm.metadata_exchange +--- + + +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.4 + namespace: istio-system +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + root_id: stackdriver_outbound + configuration: | + {"enable_mesh_edges_reporting": true, "disable_server_access_logging": false, "meshEdgesReportingDuration": "600s"} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + inline_string: envoy.wasm.null.stackdriver + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + root_id: stackdriver_inbound + configuration: | + {"enable_mesh_edges_reporting": true, "disable_server_access_logging": false, "meshEdgesReportingDuration": "600s"} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + inline_string: envoy.wasm.null.stackdriver + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + root_id: stackdriver_outbound + configuration: | + {"enable_mesh_edges_reporting": true, "disable_server_access_logging": false, "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + 
inline_string: envoy.wasm.null.stackdriver +--- diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Policy/Policy.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Policy/Policy.yaml new file mode 100644 index 0000000000..bb7ae04a5c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Policy/Policy.yaml @@ -0,0 +1 @@ +# Policy component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Prometheus/Prometheus.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Prometheus/Prometheus.yaml new file mode 100644 index 0000000000..b4c368d91d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Prometheus/Prometheus.yaml @@ -0,0 +1 @@ +# Prometheus component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/PrometheusOperator/PrometheusOperator.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/PrometheusOperator/PrometheusOperator.yaml new file mode 100644 index 0000000000..ffc131a070 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/PrometheusOperator/PrometheusOperator.yaml @@ -0,0 +1 @@ +# PrometheusOperator component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Telemetry/Telemetry.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Telemetry/Telemetry.yaml new file mode 100644 index 0000000000..fe024d86ac --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Telemetry/Telemetry.yaml @@ -0,0 +1 @@ +# Telemetry component is disabled. diff --git a/kubeflow_clusters/code-intelligence/.build/istio/Base/Tracing/Tracing.yaml b/kubeflow_clusters/code-intelligence/.build/istio/Base/Tracing/Tracing.yaml new file mode 100644 index 0000000000..c3846d692a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/istio/Base/Tracing/Tracing.yaml @@ -0,0 +1 @@ +# Tracing component is disabled. 
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml new file mode 100644 index 0000000000..9791664258 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml @@ -0,0 +1,28 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeflow/admission-webhook-cert + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-mutating-webhook-configuration +webhooks: +- clientConfig: + caBundle: "" + service: + name: admission-webhook-service + namespace: kubeflow + path: /apply-poddefault + name: admission-webhook-deployment.kubeflow.org + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml new file mode 100644 index 0000000000..1e031ae88b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml 
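Review bot: The single `webhooks` entry in `admission-webhook-mutating-webhook-configuration` has neither a `namespaceSelector` nor an explicit `failurePolicy`. With its rule of `CREATE` on `pods`, it is offered every pod creation in the cluster, including those in `istio-system` and `kube-system`. Under `admissionregistration.k8s.io/v1beta1` an unset `failurePolicy` defaults to `Ignore`, so when the webhook is unreachable pods are admitted without their PodDefaults and nothing records it. I would state the choice explicitly with `failurePolicy: Ignore` (or `Fail` if PodDefaults carry anything security-relevant), and add a `namespaceSelector` keyed on whatever label the profile namespaces carry. The path is under `.build/`, so this file is presumably generated and the change belongs in the source kustomize package rather than here.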
@@ -0,0 +1,69 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebooks.kubeflow.org +spec: + group: kubeflow.org + names: + kind: Notebook + plural: notebooks + singular: notebook + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + template: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + properties: + spec: + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions is an array of current conditions + items: + properties: + type: + description: Type of the confition/ + type: string + required: + - type + type: object + type: array + required: + - conditions + type: object + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + - name: v1 + served: true + storage: false 
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml new file mode 100644 index 0000000000..808eb4db0c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml @@ -0,0 +1,56 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: poddefaults.kubeflow.org +spec: + group: kubeflow.org + names: + kind: PodDefault + plural: poddefaults + singular: poddefault + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + desc: + type: string + env: + items: + type: object + type: array + envFrom: + items: + type: object + type: array + selector: + type: object + serviceAccountName: + type: string + volumeMounts: + items: + type: object + type: array + volumes: + items: + type: object + type: array + required: + - selector + type: object + status: + type: object + type: object + version: v1alpha1 diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml new file mode 100644 index 0000000000..c299e91151 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml 
@@ -0,0 +1,158 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + kustomize.component: profiles + name: profiles.kubeflow.org +spec: + conversion: + strategy: None + group: kubeflow.org + names: + kind: Profile + plural: profiles + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + description: Profile is the Schema for the profiles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProfileSpec defines the desired state of Profile + properties: + owner: + description: The profile owner + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + required: + - kind + - name + type: object + plugins: + items: + description: Plugin is for customize actions on different platform. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + spec: + type: object + type: object + type: array + resourceQuotaSpec: + description: Resourcequota that will be applied to target namespace + properties: + hard: + additionalProperties: + type: string + description: 'hard is the set of desired hard limits for each named + resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + scopeSelector: + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. + properties: + matchExpressions: + description: A list of scope selector requirements by scope + of the resources. + items: + description: A scoped-resource selector requirement is a selector + that contains values, a scope name, and an operator that + relates the scope name and values. + properties: + operator: + description: Represents a scope's relationship to a set + of values. Valid operators are In, NotIn, Exists, DoesNotExist. + type: string + scopeName: + description: The name of the scope that the selector applies + to. + type: string + values: + description: An array of string values. 
If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - operator + - scopeName + type: object + type: array + type: object + scopes: + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all objects. + items: + description: A ResourceQuotaScope defines a filter that must match + each object tracked by a quota + type: string + type: array + type: object + type: object + status: + description: ProfileStatus defines the observed state of Profile + properties: + conditions: + items: + properties: + message: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml new file mode 100644 index 0000000000..2dc516cbcc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml 
@@ -0,0 +1,45 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-job-crds + name: pytorchjobs.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: State + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + names: + kind: PyTorchJob + plural: pytorchjobs + singular: pytorchjob + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + pytorchReplicaSpecs: + properties: + Master: + properties: + replicas: + maximum: 1 + minimum: 1 + type: integer + Worker: + properties: + replicas: + minimum: 1 + type: integer + versions: + - name: v1 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml new file mode 100644 index 0000000000..ebfcefbc9b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml 
@@ -0,0 +1,50 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-crds + name: tfjobs.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: State + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + names: + kind: TFJob + plural: tfjobs + singular: tfjob + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + tfReplicaSpecs: + properties: + Chief: + properties: + replicas: + maximum: 1 + minimum: 1 + type: integer + PS: + properties: + replicas: + minimum: 1 + type: integer + Worker: + properties: + replicas: + minimum: 1 + type: integer + versions: + - name: v1 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_centraldashboard.yaml new file mode 100644 index 0000000000..a77aa95832 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_centraldashboard.yaml 
@@ -0,0 +1,57 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: rbac.authorization.k8s.io + kind: Role + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: networking.istio.io + kind: VirtualService + descriptor: + description: Provides a Dashboard UI for kubeflow + keywords: + - centraldashboard + - kubeflow + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/centraldashboard + maintainers: + - email: prodonjs@gmail.com + name: Jason Prodonovich + - email: apverma@google.com + name: Apoorv Verma + - email: adhita94@gmail.com + name: Adhita Selvaraj + owners: + - email: prodonjs@gmail.com + name: Jason Prodonovich + - email: apverma@google.com + name: Apoorv Verma + - email: adhita94@gmail.com + name: Adhita Selvaraj + type: centraldashboard + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/instance: centraldashboard-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: centraldashboard + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_gpu-driver.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_gpu-driver.yaml new file mode 100644 index 0000000000..02b93d3a8a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_gpu-driver.yaml 
@@ -0,0 +1,35 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: gpu-driver + app.kubernetes.io/name: gpu-driver + name: gpu-driver + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: "" + keywords: + - gpu-driver + - kubeflow + links: + - description: About + url: "" + maintainers: [] + owners: [] + type: gpu-driver + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: gpu-driver + app.kubernetes.io/instance: gpu-driver-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: gpu-driver + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml new file mode 100644 index 0000000000..be3f76b96d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml 
@@ -0,0 +1,55 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app: jupyter-web-app + app.kubernetes.io/component: jupyter-web-app + app.kubernetes.io/name: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-jupyter-web-app + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: rbac.authorization.k8s.io + kind: Role + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: networking.istio.io + kind: VirtualService + descriptor: + description: Provides a UI which allows the user to create/conect/delete jupyter + notebooks. + keywords: + - jupyterhub + - jupyter ui + - notebooks + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/jupyter-web-app + - description: Docs + url: https://www.kubeflow.org/docs/notebooks + maintainers: + - email: kimwnasptd@arrikto.com + name: Kimonas Sotirchos + owners: + - email: kimwnasptd@arrikto.com + name: Kimonas Sotirchos + type: jupyter-web-app + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: jupyter-web-app + app.kubernetes.io/instance: jupyter-web-app-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: jupyter-web-app + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml new file mode 100644 index 0000000000..f462651b3b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml 
@@ -0,0 +1,46 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-notebook-controller + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + descriptor: + description: Notebooks controller allows users to create a custom resource \"Notebook\" + (jupyter notebook). + keywords: + - jupyter + - notebook + - notebook-controller + - jupyterhub + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/notebook-controller + maintainers: + - email: lunkai@google.com + name: Lun-kai Hsu + owners: + - email: lunkai@gogle.com + name: Lun-kai Hsu + type: notebook-controller + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/instance: notebook-controller-v1.0.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: notebook-controller + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_profiles-profiles.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_profiles-profiles.yaml new file mode 100644 index 0000000000..fc90772a0b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_profiles-profiles.yaml 
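Review bot: The `owners` entry of the `notebook-controller-notebook-controller` Application lists `lunkai@gogle.com`, while `maintainers` just above it lists `lunkai@google.com` for the same name. This looks like a typo, and it would send any mail addressed to the owner contact to an unrelated domain. The line should read `- email: lunkai@google.com`. The file appears to be generated under `.build/`, so the correction probably needs to go into the upstream manifest it is rendered from.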
@@ -0,0 +1,44 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ labels:
+ kustomize.component: profiles
+ name: profiles-profiles
+ namespace: kubeflow
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: core
+ kind: Service
+ - group: kubeflow.org
+ kind: Profile
+ descriptor:
+ description: ""
+ keywords:
+ - profiles
+ - kubeflow
+ links:
+ - description: profiles
+ url: https://github.com/kubeflow/kubeflow/tree/master/components/profile-controller
+ - description: kfam
+ url: https://github.com/kubeflow/kubeflow/tree/master/components/access-management
+ maintainers:
+ - email: kunming@google.com
+ name: Kunming Qu
+ owners:
+ - email: kunming@google.com
+ name: Kunming Qu
+ type: profiles
+ version: v1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: profiles
+ app.kubernetes.io/instance: profiles-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: profiles
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml
new file mode 100644
index 0000000000..56a1457579
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml
@@ -0,0 +1,46 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ labels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-job-crds
+ name: pytorch-job-crds
+ namespace: kubeflow
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: PyTorchJob
+ descriptor:
+ description: Pytorch-job-crds contains the "PyTorchJob" custom resource definition.
+ keywords:
+ - pytorchjob
+ - pytorch-operator
+ - pytorch-training
+ links:
+ - description: About
+ url: https://github.com/kubeflow/pytorch-operator
+ - description: Docs
+ url: https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/
+ maintainers:
+ - email: johnugeo@cisco.com
+ name: Johnu George
+ owners:
+ - email: johnugeo@cisco.com
+ name: Johnu George
+ type: pytorch-job-crds
+ version: v1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/instance: pytorch-job-crds-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: pytorch-job-crds
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-operator.yaml
new file mode 100644
index 0000000000..44ea79a4b8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_pytorch-operator.yaml
@@ -0,0 +1,49 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ labels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-operator
+ name: pytorch-operator
+ namespace: kubeflow
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ConfigMap
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: PyTorchJob
+ descriptor:
+ description: Pytorch-operator allows users to create and manage the "PyTorchJob"
+ custom resource.
+ keywords:
+ - pytorchjob
+ - pytorch-operator
+ - pytorch-training
+ links:
+ - description: About
+ url: https://github.com/kubeflow/pytorch-operator
+ - description: Docs
+ url: https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/
+ maintainers:
+ - email: johnugeo@cisco.com
+ name: Johnu George
+ owners:
+ - email: johnugeo@cisco.com
+ name: Johnu George
+ type: pytorch-operator
+ version: v1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/instance: pytorch-operator-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: pytorch-operator
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-crds.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-crds.yaml
new file mode 100644
index 0000000000..fc9715bb53
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-crds.yaml
@@ -0,0 +1,46 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ labels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/name: tf-job-crds
+ name: tf-job-crds
+ namespace: kubeflow
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: TFJob
+ descriptor:
+ description: Tf-job-crds contains the "TFJob" custom resource definition.
+ keywords:
+ - tfjob
+ - tf-operator
+ - tf-training
+ links:
+ - description: About
+ url: https://github.com/kubeflow/tf-operator
+ - description: Docs
+ url: https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/
+ maintainers:
+ - email: ricliu@google.com
+ name: Richard Liu
+ owners:
+ - email: ricliu@google.com
+ name: Richard Liu
+ type: tf-job-crds
+ version: v1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/instance: tf-job-crds-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: tf-job-crds
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-operator.yaml
new file mode 100644
index 0000000000..6e38dd861e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_tf-job-operator.yaml
@@ -0,0 +1,47 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ labels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/name: tf-job-operator
+ name: tf-job-operator
+ namespace: kubeflow
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: TFJob
+ descriptor:
+ description: Tf-operator allows users to create and manage the "TFJob" custom
+ resource.
+ keywords:
+ - tfjob
+ - tf-operator
+ - tf-training
+ links:
+ - description: About
+ url: https://github.com/kubeflow/tf-operator
+ - description: Docs
+ url: https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/
+ maintainers:
+ - email: ricliu@google.com
+ name: Richard Liu
+ owners:
+ - email: ricliu@google.com
+ name: Richard Liu
+ type: tf-job-operator
+ version: v1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/instance: tf-job-operator-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: tf-job-operator
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_webhook.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_webhook.yaml
new file mode 100644
index 0000000000..fcf807af27
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/app.k8s.io_v1beta1_application_webhook.yaml
@@ -0,0 +1,39 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ labels:
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ name: webhook
+ namespace: kubeflow
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: StatefulSet
+ - group: core
+ kind: Service
+ - group: core
+ kind: ServiceAccount
+ descriptor:
+ description: injects volume, volume mounts, env vars into PodDefault
+ keywords:
+ - admission-webhook
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubeflow/kubeflow/tree/master/components/admission-webhook
+ maintainers: []
+ owners: []
+ type: bootstrap
+ version: v1beta1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: bootstrap
+ app.kubernetes.io/instance: webhook-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/part-of: webhook
+ app.kubernetes.io/version: v1.0.0
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_daemonset_nvidia-driver-installer.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_daemonset_nvidia-driver-installer.yaml
new file mode 100644
index 0000000000..d3ca074496
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_daemonset_nvidia-driver-installer.yaml
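Review bot: The `selector.matchLabels` of the `webhook` Application asks for `app.kubernetes.io/component: bootstrap` and `app.kubernetes.io/name: webhook`, but the Application's own labels and the `admission-webhook-deployment` added later in this patch carry `app.kubernetes.io/component: poddefaults` and `app.kubernetes.io/name: poddefaults`, so the selector appears to match none of the resources it is meant to group. `componentKinds` also lists `StatefulSet`, whereas the admission webhook workload in this patch is a `Deployment`. If the Application is meant to track the admission webhook, the selector lines should read `app.kubernetes.io/component: poddefaults` and `app.kubernetes.io/name: poddefaults`, and the kind entry should be `kind: Deployment`. `maintainers: []` and `owners: []` leave the component without a contact, which is worth filling in at the source.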
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ app.kubernetes.io/component: gpu-driver
+ app.kubernetes.io/name: gpu-driver
+ k8s-app: nvidia-driver-installer
+ kustomize.component: gpu-driver
+ name: nvidia-driver-installer
+ namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: gpu-driver
+ app.kubernetes.io/name: gpu-driver
+ kustomize.component: gpu-driver
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: gpu-driver
+ app.kubernetes.io/name: gpu-driver
+ k8s-app: nvidia-driver-installer
+ kustomize.component: gpu-driver
+ name: nvidia-driver-installer
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: cloud.google.com/gke-accelerator
+ operator: Exists
+ containers:
+ - image: gcr.io/google-containers/pause:2.0
+ name: pause
+ hostNetwork: true
+ hostPID: true
+ initContainers:
+ - env:
+ - name: NVIDIA_INSTALL_DIR_HOST
+ value: /home/kubernetes/bin/nvidia
+ - name: NVIDIA_INSTALL_DIR_CONTAINER
+ value: /usr/local/nvidia
+ - name: ROOT_MOUNT_DIR
+ value: /root
+ image: cos-nvidia-installer:fixed
+ imagePullPolicy: Never
+ name: nvidia-driver-installer
+ resources:
+ requests:
+ cpu: 0.15
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /usr/local/nvidia
+ name: nvidia-install-dir-host
+ - mountPath: /dev
+ name: dev
+ - mountPath: /root
+ name: root-mount
+ tolerations:
+ - operator: Exists
+ volumes:
+ - hostPath:
+ path: /dev
+ name: dev
+ - hostPath:
+ path: /home/kubernetes/bin/nvidia
+ name: nvidia-install-dir-host
+ - hostPath:
+ path: /
+ name: root-mount
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_admission-webhook-deployment.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_admission-webhook-deployment.yaml
new file mode 100644
index 0000000000..8b8111f51b
--- /dev/null
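Review bot: The `nvidia-driver-installer` DaemonSet gives its pod full control of every GPU node (`privileged: true`, `hostPID: true`, `hostNetwork: true`, a `hostPath` of `/` mounted at `/root`, and a blanket `- operator: Exists` toleration) while being deployed with `namespace: kubeflow`, the same namespace as the user-facing dashboard and notebook UI. Driver installation does need this level of host access, but any principal allowed to modify workloads in `kubeflow` inherits it, so I would move the DaemonSet to a namespace that Kubeflow controllers and tenants cannot write to (for example `namespace: kube-system`) and record the reason with a comment such as `# privileged + hostPath "/" are required to install the NVIDIA driver on COS nodes`. The init container also depends on `image: cos-nvidia-installer:fixed` with `imagePullPolicy: Never`, which only works when that image is already present on the node; that assumption deserves a line in the same comment. The file is under `.build/`, so the change presumably belongs in the kustomize source it was hydrated from.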
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_admission-webhook-deployment.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ name: admission-webhook-deployment
+ namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ spec:
+ containers:
+ - args:
+ - --tlsCertFile=/etc/webhook/certs/tls.crt
+ - --tlsKeyFile=/etc/webhook/certs/tls.key
+ image: gcr.io/kubeflow-images-public/admission-webhook:vmaster-gaf96e4e3
+ name: admission-webhook
+ volumeMounts:
+ - mountPath: /etc/webhook/certs
+ name: webhook-cert
+ readOnly: true
+ serviceAccountName: admission-webhook-service-account
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: webhook-certs
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_centraldashboard.yaml
new file mode 100644
index 0000000000..74ad9f2527
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_centraldashboard.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ name: centraldashboard
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ spec:
+ containers:
+ - env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ key: userid-header
+ name: kubeflow-config-988m2m9m87
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ key: userid-prefix
+ name: kubeflow-config-988m2m9m87
+ image: gcr.io/kubeflow-images-public/centraldashboard
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8082
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ name: centraldashboard
+ ports:
+ - containerPort: 8082
+ protocol: TCP
+ serviceAccountName: centraldashboard
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_jupyter-web-app-deployment.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_jupyter-web-app-deployment.yaml
new file mode 100644
index 0000000000..2665cd2adb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_jupyter-web-app-deployment.yaml
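Review bot: In the `centraldashboard` Deployment, `image: gcr.io/kubeflow-images-public/centraldashboard` carries no tag or digest, so it resolves to `latest`, and with `imagePullPolicy: IfNotPresent` each node keeps whichever copy it happened to pull first. The other Deployments in this patch pin a `vmaster-g…` tag; this one should be pinned too, preferably by digest, e.g. `image: gcr.io/kubeflow-images-public/centraldashboard@sha256:<digest>` (placeholder, take the value from the registry). Until then the code serving the `/` route behind the gateway cannot be reproduced or audited from the repository.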
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+ name: jupyter-web-app-deployment
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+ spec:
+ containers:
+ - env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ key: userid-header
+ name: kubeflow-config-988m2m9m87
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ key: userid-prefix
+ name: kubeflow-config-988m2m9m87
+ image: gcr.io/kubeflow-images-public/jupyter-web-app:vmaster-gd9be4b9e
+ name: jupyter-web-app
+ ports:
+ - containerPort: 5000
+ volumeMounts:
+ - mountPath: /etc/config
+ name: config-volume
+ serviceAccountName: jupyter-web-app-service-account
+ volumes:
+ - configMap:
+ name: jupyter-web-app-jupyter-web-app-config-dhcbh64467
+ name: config-volume
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_notebook-controller-deployment.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_notebook-controller-deployment.yaml
new file mode 100644
index 0000000000..44d27f8695
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_notebook-controller-deployment.yaml
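Review bot: The `jupyter-web-app-deployment` pod template sets `sidecar.istio.io/inject: "false"` while the container is configured through `USERID_HEADER` and `USERID_PREFIX`, which suggests the app takes the caller's identity from a request header. If that is the case, the header is only trustworthy for requests that arrived through `kubeflow-gateway`, and nothing in this manifest restricts the pod to that path; the `centraldashboard` and `profiles-deployment` hunks have the same combination. I would add a NetworkPolicy (or keep the sidecar and add an Istio authorization policy) that admits traffic to these pods only from the ingress gateway, and state the dependency in a comment such as `# identity is read from the USERID_HEADER request header; only the ingress gateway may reach this pod`. No such policy is visible in this part of the patch, so this may already be handled elsewhere.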
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: notebook-controller
+ app.kubernetes.io/component: notebook-controller
+ app.kubernetes.io/name: notebook-controller
+ kustomize.component: notebook-controller
+ name: notebook-controller-deployment
+ namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ app: notebook-controller
+ app.kubernetes.io/component: notebook-controller
+ app.kubernetes.io/name: notebook-controller
+ kustomize.component: notebook-controller
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: notebook-controller
+ app.kubernetes.io/component: notebook-controller
+ app.kubernetes.io/name: notebook-controller
+ kustomize.component: notebook-controller
+ spec:
+ containers:
+ - command:
+ - /manager
+ env:
+ - name: USE_ISTIO
+ valueFrom:
+ configMapKeyRef:
+ key: USE_ISTIO
+ name: notebook-controller-notebook-controller-config-h4d668t5tb
+ - name: ISTIO_GATEWAY
+ valueFrom:
+ configMapKeyRef:
+ key: ISTIO_GATEWAY
+ name: notebook-controller-notebook-controller-config-h4d668t5tb
+ image: gcr.io/kubeflow-images-public/notebook-controller:vmaster-gf39279c0
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ name: manager
+ serviceAccountName: notebook-controller-service-account
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_profiles-deployment.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_profiles-deployment.yaml
new file mode 100644
index 0000000000..91c32148b1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_profiles-deployment.yaml
@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ kustomize.component: profiles
+ name: profiles-deployment
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ kustomize.component: profiles
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ kustomize.component: profiles
+ spec:
+ containers:
+ - args: null
+ command:
+ - /manager
+ - -userid-header
+ - $(USERID_HEADER)
+ - -userid-prefix
+ - $(USERID_PREFIX)
+ - -workload-identity
+ - $(WORKLOAD_IDENTITY)
+ env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ key: userid-header
+ name: kubeflow-config-988m2m9m87
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ key: userid-prefix
+ name: kubeflow-config-988m2m9m87
+ - name: WORKLOAD_IDENTITY
+ valueFrom:
+ configMapKeyRef:
+ key: gcp-sa
+ name: profiles-profiles-config-b8664685bd
+ image: gcr.io/kubeflow-images-public/profile-controller:vmaster-g34aa47c2
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ name: manager
+ ports:
+ - containerPort: 8080
+ name: manager-http
+ protocol: TCP
+ - args: null
+ command:
+ - /access-management
+ - -cluster-admin
+ - $(CLUSTER_ADMIN)
+ - -userid-prefix
+ - $(USERID_PREFIX)
+ env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ key: userid-header
+ name: kubeflow-config-988m2m9m87
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ key: userid-prefix
+ name: kubeflow-config-988m2m9m87
+ - name: CLUSTER_ADMIN
+ valueFrom:
+ configMapKeyRef:
+ key: admin
+ name: profiles-profiles-config-b8664685bd
+ image: gcr.io/kubeflow-images-public/kfam:vmaster-gf3e09203
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8081
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ name: kfam
+ ports:
+ - containerPort: 8081
+ name: kfam-http
+ protocol: TCP
+ serviceAccountName: profiles-controller-service-account
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_pytorch-operator.yaml
new file mode 100644
index 0000000000..8897df4a5e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_pytorch-operator.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-operator
+ kustomize.component: pytorch-operator
+ name: pytorch-operator
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-operator
+ kustomize.component: pytorch-operator
+ name: pytorch-operator
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-operator
+ kustomize.component: pytorch-operator
+ name: pytorch-operator
+ spec:
+ containers:
+ - command:
+ - /pytorch-operator.v1
+ - --alsologtostderr
+ - -v=1
+ - --monitoring-port=8443
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ image: gcr.io/kubeflow-images-public/pytorch-operator:vmaster-g047cf0f
+ name: pytorch-operator
+ serviceAccountName: pytorch-operator
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_tf-job-operator.yaml
new file mode 100644
index 0000000000..4c6c1acaf6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/apps_v1_deployment_tf-job-operator.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/name: tf-job-operator
+ kustomize.component: tf-job-operator
+ name: tf-job-operator
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/name: tf-job-operator
+ kustomize.component: tf-job-operator
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/name: tf-job-operator
+ kustomize.component: tf-job-operator
+ name: tf-job-operator
+ spec:
+ containers:
+ - args:
+ - --alsologtostderr
+ - -v=1
+ - --monitoring-port=8443
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ image: gcr.io/kubeflow-images-public/tf_operator:vmaster-gd455e6ef
+ name: tf-job-operator
+ serviceAccountName: tf-job-operator
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml
new file mode 100644
index 0000000000..c9e1f4f031
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ name: admission-webhook-cert
+ namespace: kubeflow
+spec:
+ commonName: admission-webhook-service.kubeflow.svc
+ dnsNames:
+ - admission-webhook-service.kubeflow.svc
+ - admission-webhook-service.kubeflow.svc.cluster.local
+ isCA: true
+ issuerRef:
+ kind: ClusterIssuer
+ name: kubeflow-self-signing-issuer
+ secretName: webhook-certs
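Review bot: `isCA: true` on `admission-webhook-cert` makes the key written to the `webhook-certs` Secret a CA key, and the admission-webhook Deployment in this patch mounts that same Secret as its TLS serving certificate. A serving certificate for `admission-webhook-service.kubeflow.svc` only needs to be a leaf; if the CA bit is set only so that the self-signed certificate can double as the webhook's `caBundle`, consider issuing a separate CA certificate and signing a leaf from it, so that the key held by the pod cannot sign further certificates. If it has to stay as is, a comment such as `# isCA: the self-signed cert is also used as the webhook caBundle` would record why. The file is under `.build/`, so the change would go into the source manifest.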
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml
new file mode 100644
index 0000000000..9098b5ace2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml
@@ -0,0 +1,9 @@
+apiVersion: kubeflow.org/v1beta1
+kind: Profile
+metadata:
+ name: kubeflow-jlewi
+ namespace: kubeflow
+spec:
+ owner:
+ kind: User
+ name: jlewi@google.com
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml
new file mode 100644
index 0000000000..b08a52c193
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ labels:
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ name: centraldashboard
+ namespace: kubeflow
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: centraldashboard.kubeflow.svc.cluster.local
+ port:
+ number: 80
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml
new file mode 100644
index 0000000000..1aaf497f8a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ labels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+ name: jupyter-web-app-jupyter-web-app
+ namespace: kubeflow
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - headers:
+ request:
+ add:
+ x-forwarded-prefix: /jupyter
+ match:
+ - uri:
+ prefix: /jupyter/
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: jupyter-web-app-service.kubeflow.svc.cluster.local
+ port:
+ number: 80
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml
new file mode 100644
index 0000000000..1bfe3a5c76
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ labels:
+ kustomize.component: profiles
+ name: profiles-kfam
+ namespace: kubeflow
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - headers:
+ request:
+ add:
+ x-forwarded-prefix: /kfam
+ match:
+ - uri:
+ prefix: /kfam/
+ rewrite:
+ uri: /kfam/
+ route:
+ - destination:
+ host: profiles-kfam.kubeflow.svc.cluster.local
+ port:
+ number: 8081
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml
new file mode 100644
index 0000000000..3ed69a58a6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ name: admission-webhook-cluster-role
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - poddefaults
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - create
+ - patch
+ - delete
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml
new file mode 100644
index 0000000000..ae97df8cf3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml
@@ -0,0 +1,15 @@
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+ name: admission-webhook-kubeflow-poddefaults-admin
+rules: []
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml
new file mode 100644
index 0000000000..09813d57ad
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml
@@ -0,0 +1,15 @@
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ name: admission-webhook-kubeflow-poddefaults-edit
+rules: []
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml
new file mode 100644
index 0000000000..1a80b46609
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+ name: admission-webhook-kubeflow-poddefaults-view
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - poddefaults
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml
new file mode 100644
index 0000000000..7491bff88e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ name: centraldashboard
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ - namespaces
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml
new file mode 100644
index 0000000000..e15e8b6e22
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml
@@ -0,0 +1,57 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-cluster-role +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - create + - delete +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list + - create + - delete +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list +- apiGroups: + - "" + resources: + - events + verbs: + - list +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml new file mode 100644 index 0000000000..0ae2ffa5c6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: jupyter-web-app-kubeflow-notebook-ui-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml new file mode 100644 index 0000000000..9cff1100a0 
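Review bot: The first rule of `jupyter-web-app-cluster-role` gives the web app's service account `create` and `delete` on `namespaces`, and the fourth rule gives it `create`/`delete` on `persistentvolumeclaims`. Because this is a ClusterRole and the patch later binds it with a ClusterRoleBinding to `jupyter-web-app-service-account`, both grants apply to every namespace, system namespaces included. A bug in the UI backend, or a compromise of its pod, can therefore remove whole namespaces or user volumes anywhere in the cluster. If the app only needs to list namespaces for its selector, that rule can shrink to `verbs: [get, list]`; whether it needs more cannot be confirmed from this hunk. The file sits under `.build/`, so the change presumably belongs in the kustomize source that renders it.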
--- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: jupyter-web-app-kubeflow-notebook-ui-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list + - create + - delete diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml new file mode 100644 index 0000000000..265ceff545 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: jupyter-web-app-kubeflow-notebook-ui-view +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml new file mode 100644 index 0000000000..0520bc0bc9 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml @@ -0,0 +1,9 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml new file mode 100644 index 0000000000..7f472eddde --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml @@ -0,0 +1,11 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-edit +rules: [] diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml new file mode 100644 index 0000000000..d879f2f6c8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml 
@@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-kubernetes-admin +rules: +- apiGroups: + - authorization.k8s.io + resources: + - localsubjectaccessreviews + verbs: + - create +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml new file mode 100644 index 0000000000..8343f92fda --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml 
@@ -0,0 +1,135 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-kubernetes-edit +rules: +- apiGroups: + - "" + resources: + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + - secrets + - services/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate +- apiGroups: + - "" + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - extensions + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - 
create + - delete + - deletecollection + - patch + - update diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml new file mode 100644 index 0000000000..d8a396b9de --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml 
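Review bot: `kubeflow-kubernetes-edit` pairs `get`/`list`/`watch` on `secrets` (first rule) with `impersonate` on `serviceaccounts` (second rule). Its label aggregates it into `kubeflow-edit`, which itself carries the `aggregate-to-kubeflow-admin` label. Anyone bound to either aggregate can therefore read every secret in the binding's scope and act as any service account there, so the effective privilege is that of the most powerful service account in that scope rather than that of an editor. This mirrors the built-in Kubernetes `edit` role and may be intentional; if so, a header comment in the source overlay such as `# edit implies secret read and service-account impersonation in the bound namespace` would make the consequence explicit. If impersonation is not needed, dropping the second rule is the smaller grant, and this role should not be bound in namespaces that hold privileged controller service accounts.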
@@ -0,0 +1,125 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-kubernetes-view +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - services/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - get + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - ingresses + - ingresses/status + - networkpolicies + - replicasets + - replicasets/scale + - replicasets/status + - replicationcontrollers/scale + verbs: + - get + - list + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + - networkpolicies + verbs: + - get + - list + 
- watch diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml new file mode 100644 index 0000000000..161f232e59 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml @@ -0,0 +1,14 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-pytorchjobs-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml new file mode 100644 index 0000000000..dc3ff5e791 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml 
@@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" + name: kubeflow-pytorchjobs-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml new file mode 100644 index 0000000000..39daa100ad --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-pytorchjobs-view +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml new file mode 100644 index 0000000000..03147422e8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml 
@@ -0,0 +1,14 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-tfjobs-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml new file mode 100644 index 0000000000..942e4a625a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" + name: kubeflow-tfjobs-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml new file mode 100644 index 0000000000..3ebf508e03 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-tfjobs-view +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml new file mode 100644 index 0000000000..5420a10679 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml @@ -0,0 +1,11 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-view +rules: [] diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml new file mode 100644 index 0000000000..41459ef302 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml 
@@ -0,0 +1,15 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: notebook-controller-kubeflow-notebooks-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml new file mode 100644 index 0000000000..3ae0c1cd8e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" + name: notebook-controller-kubeflow-notebooks-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update 
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml new file mode 100644 index 0000000000..9e28e08290 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: notebook-controller-kubeflow-notebooks-view +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml new file mode 100644 index 0000000000..02d880f8e2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml 
@@ -0,0 +1,54 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-role +rules: +- apiGroups: + - apps + resources: + - statefulsets + - deployments + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - '*' +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - create +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + - notebooks/finalizers + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - '*' diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml new file mode 100644 index 0000000000..48bed8ccb7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admission-webhook-cluster-role +subjects: +- kind: ServiceAccount + name: admission-webhook-service-account + namespace: kubeflow 
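Review bot: Four rules in `notebook-controller-role` use `verbs: ['*']`: on `statefulsets`/`deployments`, on `services`, on the `notebooks` resources and on `virtualservices`. The role is bound cluster-wide by `notebook-controller-role-binding` later in this patch. The wildcard includes `deletecollection` and any verb added to these APIs later, and on `virtualservices` it lets the controller's service account rewrite Istio routing in every namespace. Listing the verbs the reconciler actually uses, for example `verbs: [get, list, watch, create, update, patch, delete]`, keeps the grant reviewable. The exact set has to be confirmed against the controller code, which is not on this page.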
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml new file mode 100644 index 0000000000..d06cac3fd8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: centraldashboard +subjects: +- kind: ServiceAccount + name: centraldashboard + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml new file mode 100644 index 0000000000..925b70ec6f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: jupyter-web-app-cluster-role +subjects: +- kind: ServiceAccount + name: jupyter-web-app-service-account + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml new file mode 100644 index 0000000000..30d3f08b7e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: notebook-controller-role +subjects: +- kind: ServiceAccount + name: notebook-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml new file mode 100644 index 0000000000..663e87dbcd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + kustomize.component: profiles + name: profiles-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: profiles-controller-service-account + namespace: kubeflow 
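Review bot: `profiles-cluster-role-binding` sets `roleRef.name: cluster-admin` for `profiles-controller-service-account` in the `kubeflow` namespace, so one controller identity holds unrestricted access to the whole cluster. Any code-execution bug in that controller, or any principal allowed to act as service accounts in `kubeflow`, then amounts to full cluster compromise, which makes the narrower roles elsewhere in this patch moot. A dedicated ClusterRole limited to the resources the controller reconciles would remove the need for `cluster-admin`, with the `bind` verb restricted by `resourceNames` to the roles it hands out. That resource list has to come from the controller and is not visible here. If the binding has to stay for now, an audit-log alert on requests from this service account outside its expected resource types is a reasonable compensating control.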
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml new file mode 100644 index 0000000000..2bfa19ba0e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml @@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow +rules: +- apiGroups: + - "" + - app.k8s.io + resources: + - applications + - pods + - pods/exec + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml new file mode 100644 index 0000000000..c1c4c30793 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: centraldashboard +subjects: +- kind: ServiceAccount + name: centraldashboard + namespace: kubeflow 
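Review bot: The first rule of the `centraldashboard` Role lists `pods/exec` under `get`/`list`/`watch`, which is not a read-only grant: to my knowledge the API server authorizes a WebSocket exec request as `get`, so this can permit running commands in any pod in `kubeflow`. Unless the dashboard really opens exec sessions, drop `- pods/exec` from that resource list. The same rule puts apiGroups `""` and `app.k8s.io` over one resource list, which grants the cross product; one rule per API group would state the intent. The second rule's `get` on `secrets` has no `resourceNames`, so it covers every secret in the namespace rather than the specific one the dashboard reads.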
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml new file mode 100644 index 0000000000..7cf4368025 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml @@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: pytorch-operator + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - events + verbs: + - '*' diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml new file mode 100644 index 0000000000..ac48bdc241 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml 
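Review bot: The second rule of the `pytorch-operator` ClusterRole grants `'*'` on `customresourcedefinitions`, and the `tf-job-operator` ClusterRole in the next file repeats the same rule. Either operator's service account can therefore modify or delete any CRD in the cluster, such as the cert-manager ones this patch adds, and deleting a CRD also deletes all of its custom resources. If the operators only check that their own CRD is installed, `verbs: [get, list, watch]` is sufficient; confirm against the operator code. Both files also declare `apiVersion: rbac.authorization.k8s.io/v1beta1` while the other ClusterRoles in this patch use `v1`. The beta RBAC API is deprecated, so `apiVersion: rbac.authorization.k8s.io/v1` is the consistent choice.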
@@ -0,0 +1,40 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + - tfjobs/finalizers + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - events + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - deployments + verbs: + - '*' diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml new file mode 100644 index 0000000000..cefdad39ee --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: pytorch-operator + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pytorch-operator +subjects: +- kind: ServiceAccount + name: pytorch-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml new file mode 100644 index 0000000000..b69f8e4e4b --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tf-job-operator +subjects: +- kind: ServiceAccount + name: tf-job-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml new file mode 100644 index 0000000000..0c57d76f07 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml @@ -0,0 +1,39 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-jupyter-notebook-role + namespace: kubeflow +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + - secrets + - services + verbs: + - '*' +- apiGroups: + - "" + - apps + - extensions + resources: + - deployments + - replicasets + verbs: + - '*' +- apiGroups: + - kubeflow.org + resources: + - '*' + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' 
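Review bot: The first rule of `jupyter-web-app-jupyter-notebook-role` gives `'*'` on `secrets` in the `kubeflow` namespace, and the third rule gives `'*'` on every `kubeflow.org` resource. The RoleBinding in the following file section hands this role to the ServiceAccount `jupyter-notebook`. If that account is the one notebook pods run as (the name suggests so, but this patch does not show it), any code a user runs in a notebook can read and modify all Secrets in the namespace. I would remove `- secrets` from the rule or restrict it with `resourceNames:`, and replace the `kubeflow.org` wildcard with the specific resources the notebook needs. The binding's subject also omits `namespace:`; adding `namespace: kubeflow` there makes the intended account explicit.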
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml new file mode 100644 index 0000000000..e07f869911 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-jupyter-notebook-role-binding + namespace: kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: jupyter-web-app-jupyter-notebook-role +subjects: +- kind: ServiceAccount + name: jupyter-notebook diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml new file mode 100644 index 0000000000..1dd6173c08 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +data: + issuer: kubeflow-self-signing-issuer + namespace: kubeflow +kind: ConfigMap +metadata: + annotations: {} + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-admission-webhook-parameters + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml new file mode 100644 index 0000000000..7b5a74a1d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + profile-name: kubeflow-jlewi + user: jlewi@google.com +kind: ConfigMap +metadata: + name: default-install-config-6mcgbmmtg6 + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml new file mode 100644 index 0000000000..685cf43f45 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml 
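Review bot: `default-install-config` hard-codes a single personal account (`user: jlewi@google.com`, `profile-name: kubeflow-jlewi`) as the install identity for a shared cluster. The `profiles-profiles-config` ConfigMap further down repeats it as `admin:` and sets `gcp-sa:` to an account in a project named `jlewi-dev`, which looks carried over from a different deployment rather than chosen for `code-intelligence`. Please confirm both values are intended for this cluster. If not, point `admin` at a group or a dedicated admin identity and `gcp-sa` at a service account in this cluster's own project, so that access does not hinge on one person's account and on IAM in an unrelated project.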
@@ -0,0 +1,138 @@ +apiVersion: v1 +data: + spawner_ui_config.yaml: |- + # Configuration file for the Jupyter UI. + # + # Each Jupyter UI option is configured by two keys: 'value' and 'readOnly' + # - The 'value' key contains the default value + # - The 'readOnly' key determines if the option will be available to users + # + # If the 'readOnly' key is present and set to 'true', the respective option + # will be disabled for users and only set by the admin. Also when a + # Notebook is POSTED to the API if a necessary field is not present then + # the value from the config will be used. + # + # If the 'readOnly' key is missing (defaults to 'false'), the respective option + # will be available for users to edit. + # + # Note that some values can be templated. Such values are the names of the + # Volumes as well as their StorageClass + spawnerFormDefaults: + image: + # The container Image for the user's Jupyter Notebook + # If readonly, this value must be a member of the list below + value: gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-cpu:1.0.0 + # The list of available standard container Images + options: + - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-cpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-gpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-cpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-gpu:1.0.0 + # By default, custom container Images are allowed + # Uncomment the following line to only enable standard container Images + readOnly: false + cpu: + # CPU for user's Notebook + value: '0.5' + readOnly: false + memory: + # Memory for user's Notebook + value: 1.0Gi + readOnly: false + workspaceVolume: + # Workspace Volume to be attached to user's Notebook + # Each Workspace Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + value: + type: + # The Type of the Workspace Volume + # Supported values: 'New', 'Existing' + value: New + 
name: + # The Name of the Workspace Volume + # Note that this is a templated value. Special values: + # {notebook-name}: Replaced with the name of the Notebook. The frontend + # will replace this value as the user types the name + value: 'workspace-{notebook-name}' + size: + # The Size of the Workspace Volume (in Gi) + value: '10Gi' + mountPath: + # The Path that the Workspace Volume will be mounted + value: /home/jovyan + accessModes: + # The Access Mode of the Workspace Volume + # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' + value: ReadWriteOnce + class: + # The StrageClass the PVC will use if type is New. Special values are: + # {none}: default StorageClass + # {empty}: empty string "" + value: '{none}' + readOnly: false + dataVolumes: + # List of additional Data Volumes to be attached to the user's Notebook + value: [] + # Each Data Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + # + # For example, a list with 2 Data Volumes: + # value: + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-1' + # size: + # value: '10Gi' + # class: + # value: standard + # mountPath: + # value: /home/jovyan/vol-1 + # accessModes: + # value: ReadWriteOnce + # class: + # value: {none} + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-2' + # size: + # value: '10Gi' + # mountPath: + # value: /home/jovyan/vol-2 + # accessModes: + # value: ReadWriteMany + # class: + # value: {none} + readOnly: false + gpus: + # Number of GPUs to be assigned to the Notebook Container + value: + # values: "none", "1", "2", "4", "8" + num: "none" + # Determines what the UI will show and send to the backend + vendors: + - limitsKey: "nvidia.com/gpu" + uiName: "NVIDIA" + # Values: "" or a `limits-key` from the vendors list + vendor: "" + readOnly: false + shm: + value: true + readOnly: false + configurations: + # List of labels to be selected, these are the labels from 
PodDefaults + # value: + # - add-gcp-secret + # - default-editor + value: [] + readOnly: false +kind: ConfigMap +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-jupyter-web-app-config-dhcbh64467 + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml new file mode 100644 index 0000000000..9ba0edebb0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + clusterDomain: cluster.local + userid-header: X-Goog-Authenticated-User-Email + userid-prefix: 'accounts.google.com:' +kind: ConfigMap +metadata: + name: kubeflow-config-988m2m9m87 + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml new file mode 100644 index 0000000000..ca0dc1ba50 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + ISTIO_GATEWAY: kubeflow/kubeflow-gateway + USE_ISTIO: "true" +kind: ConfigMap +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-notebook-controller-config-h4d668t5tb + namespace: kubeflow 
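Review bot: `kubeflow-config` tells components to take the caller's identity from the `X-Goog-Authenticated-User-Email` request header, which is trustworthy only when the proxy in front has verified the caller and overwritten any client-supplied copy. That assumption should be written down next to this setting and enforced at the ingress. If any route into the mesh reaches these services without passing through IAP, a client can set the header itself. I would make sure the ingress policy requires a valid IAP JWT on every route that fronts a component reading this header, and that any route exempt from IAP strips the header before forwarding.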
diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml new file mode 100644 index 0000000000..1d95e3a196 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + admin: jlewi@google.com + gcp-sa: jl-stack-0409-204015-user@jlewi-dev.iam.gserviceaccount.com +kind: ConfigMap +metadata: + labels: + kustomize.component: profiles + name: profiles-profiles-config-b8664685bd + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_admission-webhook-service.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_admission-webhook-service.yaml new file mode 100644 index 0000000000..1636dc9520 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_admission-webhook-service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-service + namespace: kubeflow +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_centraldashboard.yaml new file mode 100644 index 0000000000..3f50af45e4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_centraldashboard.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: centralui-mapping + prefix: / + rewrite: / + service: centraldashboard.$(namespace) + labels: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8082 + selector: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + sessionAffinity: None + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_jupyter-web-app-service.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_jupyter-web-app-service.yaml new file mode 100644 index 0000000000..cbc5e87e29 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_jupyter-web-app-service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: webapp_mapping + prefix: /$(prefix)/ + service: jupyter-web-app-service.$(namespace) + add_request_headers: + x-forwarded-prefix: /jupyter + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + run: jupyter-web-app + name: jupyter-web-app-service + namespace: kubeflow +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 5000 + selector: + app: jupyter-web-app + kustomize.component: jupyter-web-app + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_notebook-controller-service.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_notebook-controller-service.yaml new file mode 100644 index 0000000000..a9f1b4b8e0 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_notebook-controller-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-service + namespace: kubeflow +spec: + ports: + - port: 443 + selector: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_profiles-kfam.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_profiles-kfam.yaml new file mode 100644 index 0000000000..db1f50bd7d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_profiles-kfam.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + kustomize.component: profiles + name: profiles-kfam + namespace: kubeflow +spec: + ports: + - port: 8081 + selector: + kustomize.component: profiles diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_pytorch-operator.yaml new file mode 100644 index 0000000000..4114ea5f9f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_pytorch-operator.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8443" + prometheus.io/scrape: "true" + labels: + app: pytorch-operator + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + namespace: kubeflow +spec: + ports: + - name: monitoring-port + port: 8443 + targetPort: 8443 + selector: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_tf-job-operator.yaml new file mode 100644 index 0000000000..a13b8ac441 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_service_tf-job-operator.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8443" + prometheus.io/scrape: "true" + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + namespace: kubeflow +spec: + ports: + - name: monitoring-port + port: 8443 + targetPort: 8443 + selector: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_admission-webhook-service-account.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_admission-webhook-service-account.yaml new file mode 100644 index 0000000000..6f41ce954d --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_admission-webhook-service-account.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_centraldashboard.yaml new file mode 100644 index 0000000000..55deba785d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_centraldashboard.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml new file mode 100644 index 0000000000..926d7e9b7a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_notebook-controller-service-account.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_notebook-controller-service-account.yaml new file mode 100644 index 0000000000..d34df92177 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_notebook-controller-service-account.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_profiles-controller-service-account.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_profiles-controller-service-account.yaml new file mode 100644 index 0000000000..881ccbf1bd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_profiles-controller-service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + kustomize.component: profiles + name: profiles-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_pytorch-operator.yaml new file mode 100644 index 0000000000..3d3555c2b1 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_pytorch-operator.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: pytorch-operator + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-dashboard.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-dashboard.yaml new file mode 100644 index 0000000000..3e0982e277 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-dashboard.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: tf-job-dashboard + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-dashboard + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-operator.yaml new file mode 100644 index 0000000000..f7bf874b73 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-apps/~g_v1_serviceaccount_tf-job-operator.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-issuer/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml b/kubeflow_clusters/code-intelligence/.build/kubeflow-issuer/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml new file mode 100644 index 0000000000..ebe3e07bd7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-issuer/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: ClusterIssuer +metadata: + name: kubeflow-self-signing-issuer + namespace: cert-manager +spec: + selfSigned: {} diff --git a/kubeflow_clusters/code-intelligence/.build/kubeflow-istio b/kubeflow_clusters/code-intelligence/.build/kubeflow-istio new file mode 100644 index 0000000000..14eda9ee6d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/kubeflow-istio 
@@ -0,0 +1,181 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-istio-admin +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" + name: kubeflow-istio-edit +rules: +- apiGroups: + - istio.io + - networking.istio.io + resources: + - '*' + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-istio-view +rules: +- apiGroups: + - istio.io + - networking.istio.io + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: v1 +data: + clusterRbacConfig: ON_WITH_EXCLUSION + gatewaySelector: ingressgateway +kind: ConfigMap +metadata: + name: istio-parameters-cm9hckfgmb + namespace: kubeflow +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: kubeflow-gateway + namespace: kubeflow +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - '*' + port: + name: http + number: 80 + protocol: HTTP +--- +apiVersion: networking.istio.io/v1alpha3 +kind: ServiceEntry +metadata: + name: google-api-entry + namespace: kubeflow +spec: + hosts: + - www.googleapis.com + location: MESH_EXTERNAL + ports: + - name: https + number: 443 + protocol: HTTPS + resolution: DNS +--- +apiVersion: networking.istio.io/v1alpha3 +kind: ServiceEntry +metadata: + name: google-storage-api-entry + namespace: kubeflow +spec: + hosts: + - storage.googleapis.com + location: MESH_EXTERNAL + ports: + - 
name: https + number: 443 + protocol: HTTPS + resolution: DNS +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: google-api-vs + namespace: kubeflow +spec: + hosts: + - www.googleapis.com + tls: + - match: + - port: 443 + sni_hosts: + - www.googleapis.com + route: + - destination: + host: www.googleapis.com + port: + number: 443 + weight: 100 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: google-storage-api-vs + namespace: kubeflow +spec: + hosts: + - storage.googleapis.com + tls: + - match: + - port: 443 + sni_hosts: + - storage.googleapis.com + route: + - destination: + host: storage.googleapis.com + port: + number: 443 + weight: 100 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: grafana-vs + namespace: kubeflow +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - method: + exact: GET + uri: + prefix: /istio/grafana/ + rewrite: + uri: / + route: + - destination: + host: grafana.istio-system.svc.cluster.local + port: + number: 3000 +--- +apiVersion: rbac.istio.io/v1alpha1 +kind: ClusterRbacConfig +metadata: + name: default + namespace: kubeflow +spec: + exclusion: + namespaces: + - istio-system + mode: ON_WITH_EXCLUSION diff --git a/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml b/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml new file mode 100644 index 0000000000..de393b499c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml 
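Review bot: `grafana-vs` publishes `grafana.istio-system.svc.cluster.local:3000` on `kubeflow-gateway` for `hosts: '*'`, and the `ClusterRbacConfig` at the end of this file excludes `istio-system` from Istio RBAC. Access to Grafana through `/istio/grafana/` is therefore controlled only by whatever authentication sits in front of the gateway, which itself accepts any host on plain HTTP port 80. If Grafana does not need to be reachable from outside, I would drop this VirtualService. Otherwise restrict both the Gateway and the VirtualService to the cluster's real hostname (for example `hosts: ['<cluster-hostname>']`, placeholder) and confirm the ingress authentication policy covers this path. The file also has no `.yaml` extension and bundles many documents, unlike the per-resource files around it, so it is worth checking that the build step produced what was intended.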
@@ -0,0 +1,17 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + kustomize.component: metacontroller + name: compositecontrollers.metacontroller.k8s.io +spec: + group: metacontroller.k8s.io + names: + kind: CompositeController + plural: compositecontrollers + shortNames: + - cc + - cctl + singular: compositecontroller + scope: Cluster + version: v1alpha1 diff --git a/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml b/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml new file mode 100644 index 0000000000..c91596faa8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml @@ -0,0 +1,14 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + kustomize.component: metacontroller + name: controllerrevisions.metacontroller.k8s.io +spec: + group: metacontroller.k8s.io + names: + kind: ControllerRevision + plural: controllerrevisions + singular: controllerrevision + scope: Namespaced + version: v1alpha1 diff --git a/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml b/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml new file mode 100644 index 0000000000..921d33b84c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/metacontroller/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml 
@@ -0,0 +1,17 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + kustomize.component: metacontroller + name: decoratorcontrollers.metacontroller.k8s.io +spec: + group: metacontroller.k8s.io + names: + kind: DecoratorController + plural: decoratorcontrollers + shortNames: + - dec + - decorators + singular: decoratorcontroller + scope: Cluster + version: v1alpha1 diff --git a/kubeflow_clusters/code-intelligence/.build/metacontroller/apps_v1_statefulset_metacontroller.yaml b/kubeflow_clusters/code-intelligence/.build/metacontroller/apps_v1_statefulset_metacontroller.yaml new file mode 100644 index 0000000000..5996633bf0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/metacontroller/apps_v1_statefulset_metacontroller.yaml @@ -0,0 +1,46 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: metacontroller + kustomize.component: metacontroller + name: metacontroller + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + app: metacontroller + kustomize.component: metacontroller + serviceName: "" + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: metacontroller + kustomize.component: metacontroller + spec: + containers: + - command: + - /usr/bin/metacontroller + - --logtostderr + - -v=4 + - --discovery-interval=20s + image: metacontroller/metacontroller:v0.3.0 + imagePullPolicy: Always + name: metacontroller + ports: + - containerPort: 2345 + resources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: 500m + memory: 1Gi + securityContext: + allowPrivilegeEscalation: true + privileged: true + serviceAccountName: meta-controller-service + volumeClaimTemplates: [] 
diff --git a/kubeflow_clusters/code-intelligence/.build/metacontroller/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/.build/metacontroller/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml new file mode 100644 index 0000000000..1971a941c6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/metacontroller/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + kustomize.component: metacontroller + name: meta-controller-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: meta-controller-service + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/metacontroller/~g_v1_serviceaccount_meta-controller-service.yaml b/kubeflow_clusters/code-intelligence/.build/metacontroller/~g_v1_serviceaccount_meta-controller-service.yaml new file mode 100644 index 0000000000..5acb480f69 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/metacontroller/~g_v1_serviceaccount_meta-controller-service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + kustomize.component: metacontroller + name: meta-controller-service + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_cert-manager.yaml b/kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_cert-manager.yaml new file mode 100644 index 0000000000..c90416ff47 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_cert-manager.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager 
diff --git a/kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_kubeflow.yaml b/kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_kubeflow.yaml new file mode 100644 index 0000000000..74058af2fc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/.build/namespaces/~g_v1_namespace_kubeflow.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: kubeflow + katib-metricscollector-injection: enabled + name: kubeflow diff --git a/kubeflow_clusters/code-intelligence/Kptfile b/kubeflow_clusters/code-intelligence/Kptfile new file mode 100644 index 0000000000..13078089aa --- /dev/null +++ b/kubeflow_clusters/code-intelligence/Kptfile @@ -0,0 +1,11 @@ +apiVersion: kpt.dev/v1alpha1 +kind: Kptfile +metadata: + name: code-intelligence +upstream: + type: git + git: + commit: 6f16dce8033c71dfe92d26075c62529a74d3097e + repo: https://github.com/kubeflow/gcp-blueprints + directory: /kubeflow + ref: master diff --git a/kubeflow_clusters/code-intelligence/Makefile b/kubeflow_clusters/code-intelligence/Makefile new file mode 100644 index 0000000000..4d4c7a478d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/Makefile 
@@ -0,0 +1,198 @@
+# The kname of the context for the management cluster
+# These can be read using yq from the settings file.
+#
+# If you don't have yq
+MGMTCTXT=$(shell yq r ./instance/settings.yaml mgmt-ctxt)
+# The name of the context for your Kubeflow cluster
+NAME=$(shell yq r ./instance/settings.yaml name)
+PROJECT=$(shell yq r ./instance/settings.yaml project)
+
+KFCTXT=$(NAME)
+
+# Path to kustomize directories
+GCP_CONFIG=./instance/gcp_config
+KF_DIR=./instance/kustomize
+
+APP_DIR=.
+MANIFESTS_DIR=./upstream/manifests
+
+# TODO(https://github.com/GoogleContainerTools/kpt/issues/539):
+# Using a subdirectory fo the current directory breaks our ability to run kpt set .
+# So as a hack we use a $(BUILD_DIR)/ directory in the parent directory.
+BUILD_DIR=.build
+
+# The URL you want to fetch manifests from
+#MANIFESTS_URL=https://github.com/kubeflow/manifests.git@master
+MANIFESTS_URL=https://github.com/jlewi/manifests.git@fix_annotations
+
+ACM_MGMT_REPO=/home/jlewi/git_kubeflow-testing/acm-repos/kf-ci-management
+ACM_KF_REPO=acm-repo
+
+# Print out the context
+.PHONY: echo
+echo-ctxt:
+ @echo MGMTCTXT=$(MGMTCTXT)
+ @echo KFCTXT=$(KFCTXT)
+
+# Get packages
+.PHONY: get-pkg
+get-pkg:
+ # TODO(jlewi): We should switch to using upstream kubeflow/manifests and pin
+ # to a specific version
+ # TODO(jlewi): We should think about how we layout packages in kubeflow/manifests so
+ # users don't end up pulling tests or other things they don't need.
+ mkdir -p ./upstream
+ kpt pkg get $(MANIFESTS_URL) $(MANIFESTS_DIR)
+ rm -rf $(MANIFESTS_DIR)/plugins
+ rm -rf $(MANIFESTS_DIR)/tests
+ # TODO(jlewi): Package appears to cause problems for kpt. We should delete in the upstream
+ # since its not needed anymore.
+ # https://github.com/GoogleContainerTools/kpt/issues/539
+ rm -rf $(MANIFESTS_DIR)/common/ambassador
+
+.PHONY: update-pkg
+update-pkg:
+
+.PHONY: apply-gcp
+apply-gcp: hydrate-gcp
+ # Apply management resources
+ kubectl --context=$(MGMTCTXT) apply -f ./$(BUILD_DIR)/gcp_config
+
+.PHONY: apply-services
+apply-services: hydrate-gcp
+ # Apply management resources
+ anthoscli apply --project=$(PROJECT) -f ./instance/gcp_config/enable-services.yaml
+
+.PHONY: apply-asm
+apply-asm: hydrate-asm
+ # We need to apply the CRD definitions first
+ kubectl --context=${KFCTXT} apply --recursive=true -f ./$(BUILD_DIR)/istio/Base/Base.yaml
+ kubectl --context=${KFCTXT} apply --recursive=true -f ./$(BUILD_DIR)/istio/Base
+ # TODO(jlewi): Should we use the newer version in asm/asm
+ # istioctl manifest --context=${KFCTXT} apply -f ./manifests/gcp/v2/asm/istio-operator.yaml
+ # TODO(jlewi): Switch to anthoscli once it supports generating manifests
+ # anthoscli apply -f ./manifests/gcp/v2/asm/istio-operator.yaml
+
+.PHONY: apply-kubeflow
+apply-kubeflow: hydrate-kubeflow
+ # Apply kubeflow apps
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/namespaces
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kubeflow-istio
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/metacontroller
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/application
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/cloud-endpoints
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/iap-ingress
+ # Due to https://github.com/jetstack/cert-manager/issues/2208
+ # We need to skip validation on Kubernetes 1.14
+ kubectl --context=$(KFCTXT) apply --validate=false -f ./$(BUILD_DIR)/cert-manager-crds
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/cert-manager-kube-system-resources
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/cert-manager
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kubeflow-apps
+ # Create the kubeflow-issuer last to give cert-manager time deploy
+ kubectl --context=$(KFCTXT) apply -f ./$(BUILD_DIR)/kubeflow-issuer
+
+# TODO(jlewi): If we use prune does that give us a complete upgrade solution?
+# TODO(jlewi): Should we insert appropriate wait statements to wait for various services to
+# be available before continuing?
+.PHONY: apply
+apply: clean-build check-name check-iap apply-gcp wait-gcp create-ctxt apply-asm apply-kubeflow iap-secret
+
+#*****************************************************************************************
+# Hydrate rules
+
+.PHONY: hydrate-gcp
+hydrate-gcp:
+ # ***********************************************************************************
+ # Hydrate cnrm
+ mkdir -p $(BUILD_DIR)/gcp_config
+ kustomize build -o $(BUILD_DIR)/gcp_config $(GCP_CONFIG)
+
+.PHONY: hydrate-asm
+hydrate-asm:
+ #************************************************************************************
+ # hydrate asm
+ istioctl manifest generate -f $(MANIFESTS_DIR)/gcp/v2/asm/istio-operator.yaml -o $(BUILD_DIR)/istio
+
+.PHONY: hydrate-kubeflow
+hydrate-kubeflow:
+ #************************************************************************************
+ # Hydrate kubeflow applications
+ mkdir -p $(BUILD_DIR)/namespaces
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/namespaces ${KF_DIR}/namespaces
+
+ mkdir -p $(BUILD_DIR)/application
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/application $(KF_DIR)/application
+ mkdir -p $(BUILD_DIR)/cert-manager
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/cert-manager $(KF_DIR)/cert-manager
+ mkdir -p $(BUILD_DIR)/cert-manager-crds
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/cert-manager-crds $(KF_DIR)/cert-manager-crds
+ mkdir -p $(BUILD_DIR)/cert-manager-kube-system-resources
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/cert-manager-kube-system-resources $(KF_DIR)/cert-manager-kube-system-resources
+ mkdir -p $(BUILD_DIR)/cloud-endpoints
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/cloud-endpoints $(KF_DIR)/cloud-endpoints
+ mkdir -p $(BUILD_DIR)/iap-ingress
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/iap-ingress $(KF_DIR)/iap-ingress
+ mkdir -p $(BUILD_DIR)/kubeflow-apps
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/kubeflow-apps $(KF_DIR)/kubeflow-apps
+ mkdir -p $(BUILD_DIR)/kubeflow-apps
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/kubeflow-istio $(KF_DIR)/kubeflow-istio
+ mkdir -p $(BUILD_DIR)/metacontroller
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/metacontroller $(KF_DIR)/metacontroller
+ mkdir -p $(BUILD_DIR)/kubeflow-issuer
+ kustomize build --load_restrictor none -o $(BUILD_DIR)/kubeflow-issuer $(KF_DIR)/kubeflow-issuer
+
+# Hydrate all the application directories directories
+# TODO(jlewi): We can't use a kustomization file to combine the top level packages
+# because they might get vars conflicts. Also order is important when applying them.
+.PHONY: hydrate
+hydrate: clean-build hydrate-gcp hydrate-asm hydrate-kubeflow
+
+
+#*****************************************************************************************
+# Hydrate ACM repos
+# These commands copy the configs to the appropriate acm repo
+acm-gcp: hydrate-gcp
+ cp -r $(BUILD_DIR)/gcp_config/*.yaml $(ACM_MGMT_REPO)/namespaces/$(PROJECT)
+
+acm-kubeflow: hydrate-asm hydrate-kubeflow
+ rm -rf $(ACM_KF_REPO)
+ mkdir -p $(ACM_KF_REPO)
+ find $(BUILD_DIR) -name "*.yaml" -not -path "*/gcp_config/**" -exec cp {} $(ACM_KF_REPO)/ ";"
+
+
+#*****************************************************************************************
+.PHONY: clean-build
+clean-build:
+ # Delete build because we want to prune any resources which are no longer defined in the manifests
+ rm -rf $(BUILD_DIR)/
+ mkdir -p $(BUILD_DIR)/
+
+# Make sure the name isn't too long.
+.PHONY: check-name
+check-name:
+ PROJECT=$(PROJECT) NAME=$(NAME) ./hack/check_domain_length.sh
+
+.PHONY: check-iap
+check-iap:
+ ./hack/check_oauth_secret.sh
+
+# Create the iap secret from environment variables
+# TODO(jlewi): How can we test to make sure CLIENT_ID is set so we don't create an empty secret.
+.PHONY: iap-secret
+iap-secret: check-iap
+ kubectl --context=$(KFCTXT) -n istio-system create secret generic kubeflow-oauth --from-literal=client_id=${CLIENT_ID} --from-literal=client_secret=${CLIENT_SECRET}
+
+.PHONY: wait-gcp
+wait-gcp:
+ kubectl --context=$(MGMTCTXT) wait --for=condition=Ready --timeout=600s containercluster $(NAME)
+
+# Create a kubeconfig context for the kubeflow cluster
+.PHONY: create-ctxt
+create-ctxt:
+ PROJECT=$(shell yq r ./instance/settings.yaml project) \
+ REGION=$(shell yq r ./instance/settings.yaml location) \
+ NAME=$(NAME) ./hack/create_context.sh
+
+# Delete gcp resources
+delete-gcp:
+ kubectl --context=$(MGMTCTXT) delete -f $(BUILD_DIR)/gcp_config
diff --git a/kubeflow_clusters/code-intelligence/README.md b/kubeflow_clusters/code-intelligence/README.md
new file mode 100644
index 0000000000..32eed912ee
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/README.md
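Review bot: The `iap-secret` recipe in the Makefile exposes the OAuth client secret, because `${CLIENT_ID}` and `${CLIENT_SECRET}` are expanded by make and the recipe line is echoed with the values filled in, so they land in terminal scrollback and CI logs. Let the shell do the expansion and silence the echo: `@kubectl --context=$(KFCTXT) -n istio-system create secret generic kubeflow-oauth --from-literal=client_id="$${CLIENT_ID}" --from-literal=client_secret="$${CLIENT_SECRET}"`. A preceding `@test -n "$${CLIENT_ID}" && test -n "$${CLIENT_SECRET}"` would settle the TODO about creating an empty secret; whether `./hack/check_oauth_secret.sh` already checks this is not visible in the hunk. The values still appear in kubectl's argv, so reading them from a mode-0600 file with `--from-env-file` is the stricter option.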
@@ -0,0 +1,194 @@
+# Kubeflow Blueprint
+
+This directory contains a blueprint for creating a Kubeflow deployment.
+
+## Prerequisites
+
+You must have created a management cluster and installed Config Connector.
+If you don't have a management cluster follow the [instructions](../management/README.md)
+for setting one up.
+
+Your management cluster must have a namespace setup to administer the GCP project where
+Kubeflow will be deployped. Follow the [instructions](../management/README.md) to create
+one if you haven't already.
+
+
+## Install the required tools
+
+1. Install gcloud components
+
+ ```
+ gcloud components install kpt anthoscli beta
+ gcloud components update
+ ```
+
+1. Install [yq](https://github.com/mikefarah/yq)
+
+ ```
+ GO111MODULE=on go get github.com/mikefarah/yq/v3
+ ```
+
+ * If you don't have go installed you can download
+ a binary from [yq's GitHub releases](https://github.com/mikefarah/yq/releases).
+
+1. Follow these [instructions](https://cloud.google.com/service-mesh/docs/gke-install-new-cluster#download_the_installation_file) to
+ install istioctl
+
+## Fetch packages using kpt
+
+1. Fetch the blueprint
+
+ ```
+ kpt pkg get https://github.com/jlewi/kf-templates-gcp.git/kubeflow@master ./
+ ```
+
+ * TODO(jlewi): Change to a Kubeflow repo
+
+
+1. Change to the kubeflow directory
+
+ ```
+ cd kubeflow
+ ```
+
+1. Fetch Kubeflow manifests
+
+ ```
+ make get-pkg
+ ```
+
+ * This generates an error per [GoogleContainerTools/kpt#539](https://github.com/GoogleContainerTools/kpt/issues/539) but it looks like
+ this can be ignored.
+
+ * TODO(jlewi): This is giving an error like the one below but this can be ignored
+
+ ```
+ kpt pkg get https://github.com/jlewi/manifests.git@blueprints ./upstream
+ fetching package / from https://github.com/jlewi/manifests to upstream/manifests
+ Error: resources must be annotated with config.kubernetes.io/index to be written to files
+ ```
+
+## Deploy Kubeflow
+
+1. Set the name of the KUBECONFIG context for the management cluster; this kubecontext will
+ be used to create CNRM resources for your Kubeflow deployment.
+
+ ```
+ kpt cfg set instance mgmt-ctxt ${MANAGEMENT_CONTEXT}
+ ```
+
+ * Follow the [instructions](../README.md) to create a kubecontext for your managment context
+
+ * **Important** The context must set the namespace to the namespace in your CNRM cluster where you are creating
+ CNRM resources for the managed project.
+
+1. Pick a name for the Kubeflow deployment
+
+ ```
+ export KFNAME=
+ ```
+
+1. Pick a location for the Kubeflow deployment
+
+ ```
+ export LOCATION=
+ export ZONE=
+ ```
+
+ * Location can be a zone or a region depending on whether you want a regional cluster
+ * We recommend creating regional clusters for higher availability
+ * The [cluster management fee](https://cloud.google.com/kubernetes-engine/pricing) is the same for regional
+ and zonal clusters
+
+ * TODO(jlewi): Metadata and Pipelines are still using zonal disks what do we have to do make that work with regional clusters? For metadata
+ we could use CloudSQL.
+
+1. Set the values for the kubeflow deployment.
+
+ ```
+ kpt cfg set ./upstream/manifests/gcp name ${KFNAME}
+ kpt cfg set ./upstream/manifests/gcp gcloud.core.project ${MANAGED_PROJECT}
+ kpt cfg set ./upstream/manifests/gcp gcloud.compute.zone ${ZONE}
+
+ kpt cfg set ./instance name ${KFNAME}
+ kpt cfg set ./instance location ${LOCATION}
+ kpt cfg set ./instance gcloud.core.project ${MANAGED_PROJECT}
+ ```
+
+ * TODO(https://github.com/GoogleContainerTools/kpt/issues/541): If annotations are null kpt chokes. We have such files in manifests which is
+ why we have a separate set statement for manifests once we fix that we should be able to just call it once on root
+
+ * TODO(jlewi): Need to figure out what to do about disk for metadata and pipelines when using regional clusters?. Maybe just
+ use Cloud SQL?
+
+1. Set environment variables with OAuth Client ID and Secret for IAP
+
+ ```
+ export CLIENT_ID=
+ export CLIENT_SECRET=
+ ```
+
+ * TODO(jlewi): Add link for instructions on creating an OAuth client id
+
+1. Enable services
+
+ ```
+ make apply-services
+ ```
+
+ * **Important** This command will likely fail and you will need to rerun multiple times. This is
+ because this function tries to enable a bunch of services sequentially. However,
+ some of the services can't be enabled until previous services have been fully enabled which
+ takes time.
+
+ * Retryable errors will look like the following but could mention different services and projects.
+
+ ```
+ Unexpected error: error reconciling objects: error reconciling CloudService:kubeflow-ci-deployment/mesh: error polling for operation: googleapi: Error 404: Request for host 'serviceusage.mtls.googleapis.com' and path '/v1/operations/acf.df31bb9e-783d-4c85-a02e-6a436b2af941?alt=json&prettyPrint=false' cannot be resolved. Please double check your request., notFound
+ ```
+
+
+1. Deploy Kubeflow
+
+ ```
+ make apply
+ ```
+
+## Common Problems
+
+1. 502s and backend unhealthy
+
+ * This is often the result of cont configuring ASM correctly (i.e. not specifying the correct
+ ServiceMessh or cluster name)
+
+ * This usually manifests as the istio proxy in the istio ingressgateway from not being able to start
+ causing the health check failure. To troubleshoot
+
+ 1. Get the pods for the istio-ingressgateway
+
+ ```
+ kubectl -n istio-system get pods -l app=istio-ingressgateway
+ ```
+
+ * Are all containers in the pod started?
+
+ 1. Look at the logs for the pods
+
+ ```
+ kubectl -n istio-system log ${INGRESS_GATEWAY_POD} -c istio-proxy
+ ```
+
+ * Another common cause is failing to enable the ASM services. This will manifest with an error
+ like the following in the istio ingress logs.
+
+ ```
+ [Envoy (Epoch 0)] [2020-05-06 01:06:09.078][17][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:91] gRPC config stream closed: 7, Anthos Service Mesh Certificate Authority API has not been used in project 29647740582 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/meshca.googleapis.com/overview?project=29647740582 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry
+ ```
+
+ * To enable the services
+
+ ```
+ make apply-services
+ ```
+
+ * For more info refer to the instructions about enabling services.
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Base.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Base.yaml
new file mode 100644
index 0000000000..d3a6549380
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/Base.yaml
@@ -0,0 +1,5062 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +rules: +- apiGroups: + - "config.istio.io" + - "rbac.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-istio-system +subjects: +- kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer + release: istio + name: attributemanifests.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + attributes: + additionalProperties: + properties: + description: + description: A human-readable description of the attribute's purpose. + format: string + type: string + valueType: + description: The type of data carried by this attribute. 
+ enum: + - VALUE_TYPE_UNSPECIFIED + - STRING + - INT64 + - DOUBLE + - BOOL + - TIMESTAMP + - IP_ADDRESS + - EMAIL_ADDRESS + - URI + - DNS_NAME + - DURATION + - STRING_MAP + type: string + type: object + description: The set of attributes this Istio component will be responsible + for producing at runtime. + type: object + name: + description: Name of the component producing these attributes. + format: string + type: string + revision: + description: The revision of this document. + format: string + type: string + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + heritage: Tiller + istio: rbac + release: istio + name: clusterrbacconfigs.rbac.istio.io +spec: + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + enforcementMode: + enum: + - ENFORCED + - PERMISSIVE + type: string + exclusion: + description: A list of services or namespaces that should not be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + inclusion: + description: A list of services or namespaces that should be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. 
+ items: + format: string + type: string + type: array + type: object + mode: + description: Istio RBAC mode. + enum: + - "OFF" + - "ON" + - ON_WITH_INCLUSION + - ON_WITH_EXCLUSION + type: string + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. 
+ format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a + backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP + upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on + the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to + the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to + a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutiveErrors: + format: int32 + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more + details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. 
+ items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was + generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to SIDECAR_INBOUND context. 
+ format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + type: string + value: + description: The JSON config of the object being patched. + type: object + type: object + type: object + type: array + filters: + items: + properties: + filterConfig: + type: object + filterName: + description: The name of the filter to instantiate. + format: string + type: string + filterType: + description: The type of filter to instantiate. + enum: + - INVALID + - HTTP + - NETWORK + type: string + insertPosition: + description: Insert position in the filter chain. 
+ properties: + index: + description: Position of this filter in the filter chain. + enum: + - FIRST + - LAST + - BEFORE + - AFTER + type: string + relativeTo: + format: string + type: string + type: object + listenerMatch: + properties: + address: + description: One or more IP addresses to which the listener + is bound. + items: + format: string + type: string + type: array + listenerProtocol: + description: Selects a class of listeners for the same protocol. + enum: + - ALL + - HTTP + - TCP + type: string + listenerType: + description: Inbound vs outbound sidecar listener or gateway + listener. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + portNamePrefix: + format: string + type: string + portNumber: + type: integer + type: object + type: object + type: array + workloadLabels: + additionalProperties: + format: string + type: string + description: Deprecated. + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. 
+ items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: httpapispecbindings.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + api_specs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + apiSpecs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed HTTPAPISpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". 
+ format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. + format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: httpapispecs.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + api_keys: + items: + oneOf: + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. + format: string + type: string + type: object + type: array + apiKeys: + items: + oneOf: + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. 
+ format: string + type: string + type: object + type: array + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object + type: object + patterns: + description: List of HTTP patterns to match. + items: + oneOf: + - required: + - uriTemplate + - required: + - regex + properties: + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. 
+ type: object + type: object + httpMethod: + format: string + type: string + regex: + format: string + type: string + uriTemplate: + format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + name: meshpolicies.authentication.istio.io +spec: + group: authentication.istio.io + names: + categories: + - istio-io + - authentication-istio-io + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Authentication policy for Istio services. See more details + at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' + properties: + originIsOptional: + type: boolean + origins: + description: List of authentication methods that can be used for origin + authentication. + items: + properties: + jwt: + description: Jwt params for the method. + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. 
+ items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + peerIsOptional: + type: boolean + peers: + description: List of authentication methods that can be used for peer + authentication. + items: + oneOf: + - required: + - mtls + - required: + - jwt + properties: + jwt: + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. 
+ format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + mtls: + description: Set if mTLS is used. 
+ properties: + allowTls: + description: WILL BE DEPRECATED, if set, will translates to + `TLS_PERMISSIVE` mode. + type: boolean + mode: + description: Defines the mode of mTLS authentication. + enum: + - STRICT + - PERMISSIVE + type: string + type: object + type: object + type: array + principalBinding: + description: Define whether peer or origin identity should be use for + principal. + enum: + - USE_PEER + - USE_ORIGIN + type: string + targets: + description: List rules to select workloads that the policy should be + applied on. + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: The name must be a short name from the service registry. + format: string + type: string + ports: + description: Specifies the ports. + items: + oneOf: + - required: + - number + - required: + - name + properties: + name: + format: string + type: string + number: + type: integer + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + name: policies.authentication.istio.io +spec: + group: authentication.istio.io + names: + categories: + - istio-io + - authentication-istio-io + kind: Policy + plural: policies + singular: policy + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Authentication policy for Istio services. See more details + at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' + properties: + originIsOptional: + type: boolean + origins: + description: List of authentication methods that can be used for origin + authentication. + items: + properties: + jwt: + description: Jwt params for the method. 
+ properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. 
+ format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + peerIsOptional: + type: boolean + peers: + description: List of authentication methods that can be used for peer + authentication. + items: + oneOf: + - required: + - mtls + - required: + - jwt + properties: + jwt: + properties: + audiences: + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + jwt_headers: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtHeaders: + description: JWT is sent in a request header. + items: + format: string + type: string + type: array + jwtParams: + description: JWT is sent in a query parameter. + items: + format: string + type: string + type: array + trigger_rules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + triggerRules: + items: + properties: + excluded_paths: + description: List of paths to be excluded from the request. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + excludedPaths: + description: List of paths to be excluded from the request. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + included_paths: + description: List of paths that the request must include. + items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + includedPaths: + description: List of paths that the request must include. 
+ items: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - suffix + - required: + - regex + properties: + exact: + description: exact string match. + format: string + type: string + prefix: + description: prefix-based match. + format: string + type: string + regex: + description: ECMAscript style regex-based match + as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). + format: string + type: string + suffix: + description: suffix-based match. + format: string + type: string + type: object + type: array + type: object + type: array + type: object + mtls: + description: Set if mTLS is used. + properties: + allowTls: + description: WILL BE DEPRECATED, if set, will translates to + `TLS_PERMISSIVE` mode. + type: boolean + mode: + description: Defines the mode of mTLS authentication. + enum: + - STRICT + - PERMISSIVE + type: string + type: object + type: object + type: array + principalBinding: + description: Define whether peer or origin identity should be use for + principal. + enum: + - USE_PEER + - USE_ORIGIN + type: string + targets: + description: List rules to select workloads that the policy should be + applied on. + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: The name must be a short name from the service registry. + format: string + type: string + ports: + description: Specifies the ports. 
+ items: + oneOf: + - required: + - number + - required: + - name + properties: + name: + format: string + type: string + number: + type: integer + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + quotaSpecs: + items: + properties: + name: + description: The short name of the QuotaSpec. + format: string + type: string + namespace: + description: Optional namespace of the QuotaSpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed QuotaSpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. 
+ format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: Determines the quotas used for individual requests. + properties: + rules: + description: A list of Quota rules. + items: + properties: + match: + description: If empty, match all request. + items: + properties: + clause: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + description: Map of attribute names to StringMatch type. + type: object + type: object + type: array + quotas: + description: The list of quotas to charge. 
+ items: + properties: + charge: + format: int32 + type: integer + quota: + format: string + type: string + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: rbac + package: istio.io.mixer + release: istio + name: rbacconfigs.rbac.istio.io +spec: + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + enforcementMode: + enum: + - ENFORCED + - PERMISSIVE + type: string + exclusion: + description: A list of services or namespaces that should not be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + inclusion: + description: A list of services or namespaces that should be enforced + by Istio RBAC policies. + properties: + namespaces: + description: A list of namespaces. + items: + format: string + type: string + type: array + services: + description: A list of services. + items: + format: string + type: string + type: array + type: object + mode: + description: Istio RBAC mode. 
+ enum: + - "OFF" + - "ON" + - ON_WITH_INCLUSION + - ON_WITH_EXCLUSION + type: string + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer + release: istio + name: rules.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: rule + plural: rules + singular: rule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + actions: + description: The actions that will be executed when match evaluates + to `true`. + items: + properties: + handler: + description: Fully qualified name of the handler to invoke. + format: string + type: string + instances: + items: + format: string + type: string + type: array + name: + description: A handle to refer to the results of the action. + format: string + type: string + type: object + type: array + match: + description: Match is an attribute based predicate. + format: string + type: string + requestHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. + enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + responseHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. 
+ enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + sampling: + properties: + random: + description: Provides filtering of actions based on random selection + per request. + properties: + attributeExpression: + description: Specifies an attribute expression to use to override + the numerator in the `percent_sampled` field. + format: string + type: string + percentSampled: + description: The default sampling rate, expressed as a percentage. + properties: + denominator: + description: Specifies the denominator. + enum: + - HUNDRED + - TEN_THOUSAND + type: string + numerator: + description: Specifies the numerator. + type: integer + type: object + useIndependentRandomness: + description: By default sampling will be based on the value + of the request header `x-request-id`. + type: boolean + type: object + rateLimit: + properties: + maxUnsampledEntries: + description: Number of entries to allow during the `sampling_duration` + before sampling is enforced. + format: int64 + type: integer + samplingDuration: + description: Window in which to enforce the sampling rate. + type: string + samplingRate: + description: The rate at which to sample entries once the unsampled + limit has been reached. 
+ format: int64 + type: integer + type: object + type: object + type: object + type: object + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL + or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. 
+ items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: array + resolution: + description: Service discovery mode for the hosts. 
+ enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: rbac + package: istio.io.mixer + release: istio + name: servicerolebindings.rbac.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + actions: + items: + properties: + constraints: + description: Optional. + items: + properties: + key: + description: Key of the constraint. + format: string + type: string + values: + description: List of valid values for the constraint. + items: + format: string + type: string + type: array + type: object + type: array + hosts: + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + items: + format: string + type: string + type: array + notMethods: + items: + format: string + type: string + type: array + notPaths: + items: + format: string + type: string + type: array + notPorts: + items: + format: int32 + type: integer + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + items: + format: int32 + type: integer + type: array + services: + description: A list of service names. + items: + format: string + type: string + type: array + type: object + type: array + mode: + enum: + - ENFORCED + - PERMISSIVE + type: string + role: + format: string + type: string + roleRef: + description: Reference to the ServiceRole object. + properties: + kind: + description: The type of the role being referenced. + format: string + type: string + name: + description: The name of the ServiceRole object being referenced. + format: string + type: string + type: object + subjects: + description: List of subjects that are assigned the ServiceRole object. + items: + properties: + group: + format: string + type: string + groups: + items: + format: string + type: string + type: array + ips: + items: + format: string + type: string + type: array + names: + items: + format: string + type: string + type: array + namespaces: + items: + format: string + type: string + type: array + notGroups: + items: + format: string + type: string + type: array + notIps: + items: + format: string + type: string + type: array + notNames: + items: + format: string + type: string + type: array + notNamespaces: + items: + format: string + type: string + type: array + properties: + additionalProperties: + format: string + type: string + description: Optional. + type: object + user: + description: Optional. 
+ format: string + type: string + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: mixer + chart: istio + heritage: Tiller + istio: rbac + package: istio.io.mixer + release: istio + name: serviceroles.rbac.istio.io +spec: + group: rbac.istio.io + names: + categories: + - istio-io + - rbac-istio-io + kind: ServiceRole + plural: serviceroles + singular: servicerole + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for Role Based Access Control. See more details + at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' + properties: + rules: + description: The set of access rules (permissions) that the role has. + items: + properties: + constraints: + description: Optional. + items: + properties: + key: + description: Key of the constraint. + format: string + type: string + values: + description: List of valid values for the constraint. + items: + format: string + type: string + type: array + type: object + type: array + hosts: + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + items: + format: string + type: string + type: array + notMethods: + items: + format: string + type: string + type: array + notPaths: + items: + format: string + type: string + type: array + notPorts: + items: + format: int32 + type: integer + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + items: + format: int32 + type: integer + type: array + services: + description: A list of service names. 
+ items: + format: string + type: string + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these + routes. 
+ items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + appendHeaders: + additionalProperties: + format: string + type: string + type: object + appendRequestHeaders: + additionalProperties: + format: string + type: string + type: object + appendResponseHeaders: + additionalProperties: + format: string + type: string + type: object + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at + the client side. + properties: + abort: + oneOf: + - properties: + percent: {} + required: + - httpStatus + - properties: + percent: {} + required: + - grpcStatus + - properties: + percent: {} + required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percent: + description: Percentage of requests to be aborted with + the error code provided (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - properties: + percent: {} + required: + - fixedDelay + - properties: + percent: {} + required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + gateways: + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should + be case-insensitive. 
+ type: boolean + method: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + uri: + oneOf: + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + format: string + type: string + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. 
+ nullable: true + type: integer + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A http rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + removeRequestHeaders: + items: + format: string + type: string + type: array + removeResponseHeaders: + items: + format: string + type: string + type: array + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per retry attempt for a given request. + type: string + retryOn: + description: Specifies the conditions under which retry takes + place. + format: string + type: string + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A http rule can either redirect or forward (default) + traffic. + items: + properties: + appendRequestHeaders: + additionalProperties: + format: string + type: string + description: Use of `append_request_headers` is deprecated. + type: object + appendResponseHeaders: + additionalProperties: + format: string + type: string + description: Use of `append_response_headers` is deprecated. + type: object + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + removeRequestHeaders: + description: Use of `remove_request_headers` is deprecated. + items: + format: string + type: string + type: array + removeResponseHeaders: + description: Use of `remove_response_header` is deprecated. + items: + format: string + type: string + type: array + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests. + type: string + websocketUpgrade: + description: Deprecated. + type: boolean + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied to. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied to. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio +spec: + group: 
config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + plural: sidecars + singular: sidecar + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The ip to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + type: object + type: object + type: array + outboundTrafficPolicy: + description: This allows to configure the outbound traffic policy. + properties: + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object + versions: + - name: v1alpha3 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more details + at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html' + properties: + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. 
+ items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + values: + description: The allowed values for the attribute. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + type: object + versions: + - name: v1beta1 + served: true + storage: true +--- +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-operator-managed: Reconcile + istio-injection: disabled +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-reader-service-account + namespace: istio-system + labels: + app: istio-reader + release: istio diff --git a/kubeflow_clusters/code-intelligence/acm-repo/CertManager.yaml b/kubeflow_clusters/code-intelligence/acm-repo/CertManager.yaml new file mode 100644 index 0000000000..0dd40cde7f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/CertManager.yaml @@ -0,0 +1 @@ +# CertManager component is disabled. diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Citadel.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Citadel.yaml new file mode 100644 index 0000000000..c1f4f7f67b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/Citadel.yaml 
@@ -0,0 +1 @@
+# Citadel component is disabled.
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Cni.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Cni.yaml
new file mode 100644
index 0000000000..4fff880151
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/Cni.yaml
@@ -0,0 +1 @@
+# Cni component is disabled.
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/EgressGateway.yaml b/kubeflow_clusters/code-intelligence/acm-repo/EgressGateway.yaml
new file mode 100644
index 0000000000..d039ac23fd
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/EgressGateway.yaml
@@ -0,0 +1 @@
+# EgressGateway component is disabled.
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Galley.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Galley.yaml
new file mode 100644
index 0000000000..aac57b1bd0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/Galley.yaml
@@ -0,0 +1,565 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + release: istio +rules: +# For reading Istio resources +- apiGroups: ["authentication.istio.io", "config.istio.io", "networking.istio.io", + "rbac.istio.io", "security.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] + # For updating Istio resource statuses +- apiGroups: ["authentication.istio.io", "config.istio.io", "networking.istio.io", + "rbac.istio.io", "security.istio.io"] + resources: ["*/status"] + verbs: ["update"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] +- apiGroups: [""] + resources: ["pods", "nodes", "services", "endpoints", "namespaces"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["namespaces/finalizers"] + verbs: ["update"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: +- kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: istio-system + name: galley-envoy-config + labels: + app: galley + istio: galley + release: istio +data: + envoy.yaml.tmpl: |- + admin: + access_log_path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 15000 + + 
static_resources: + + clusters: + - name: in.9901 + http2_protocol_options: {} + connect_timeout: 1.000s + + hosts: + - socket_address: + address: 127.0.0.1 + port_value: 9901 + + circuit_breakers: + thresholds: + - max_connections: 100000 + max_pending_requests: 100000 + max_requests: 100000 + max_retries: 3 + + listeners: + - name: "15019" + address: + socket_address: + address: 0.0.0.0 + port_value: 15019 + filter_chains: + - filters: + - name: envoy.http_connection_manager + config: + codec_type: HTTP2 + stat_prefix: "15010" + http2_protocol_options: + max_concurrent_streams: 1073741824 + + access_log: + - name: envoy.file_access_log + config: + path: /dev/stdout + + http_filters: + - name: envoy.router + + route_config: + name: "15019" + + virtual_hosts: + - name: istio-galley + + domains: + - '*' + + routes: + - match: + prefix: / + route: + cluster: in.9901 + timeout: 0.000s + tls_context: + common_tls_context: + alpn_protocols: + - h2 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: 
/var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-mesh-galley + namespace: istio-system + labels: + release: istio +data: + mesh: |- + {} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: istio-system + labels: + release: istio +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley-istio-system + namespace: istio-system + labels: + app: galley + release: istio + istio: galley + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + sideEffects: None + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - 
circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + - adapters + - handlers + - instances + - templates + - zipkins + failurePolicy: Fail + sideEffects: None +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: galley + istio: galley + release: istio + name: istio-galley + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + istio: galley + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: galley + chart: galley + heritage: Tiller + istio: galley + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - command: + - /usr/local/bin/galley + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/tmp/healthliveness + - --readinessProbePath=/tmp/healthready + - --readinessProbeInterval=1s + - --insecure=true + - --enable-validation=true + - --enable-reconcileWebhookConfiguration=true + - --enable-server=true + - --deployment-namespace=istio-system + - 
--validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort=15014 + - --validation-port=9443 + - --log_output_level=default:info + - --validation.tls.clientCertificate=/etc/dnscerts/cert-chain.pem + - --validation.tls.privateKey=/etc/dnscerts/key.pem + - --validation.tls.caCertificates=/etc/dnscerts/root-cert.pem + image: gcr.io/gke-release/asm/galley:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/tmp/healthliveness + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + name: galley + ports: + - containerPort: 9443 + - containerPort: 15014 + - containerPort: 15019 + - containerPort: 9901 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/tmp/healthready + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 100m + volumeMounts: + - mountPath: /etc/dnscerts + name: dnscerts + readOnly: true + - mountPath: /etc/config + name: config + readOnly: true + - mountPath: /etc/mesh-config + name: mesh-config + readOnly: true + - args: + - proxy + - --serviceCluster + - istio-galley + - --templateFile + - /var/lib/istio/galley/envoy/envoy.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --trust-domain=issue-label-bot-dev.svc.id.goog + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: SDS_ENABLED + value: "true" + image: gcr.io/gke-release/asm/proxyv2:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 9902 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/lib/istio/galley/envoy + name: 
envoy-config + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + serviceAccountName: istio-galley-service-account + volumes: + - hostPath: + path: /var/run/sds + name: sds-uds-path + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: issue-label-bot-dev.svc.id.goog + expirationSeconds: 43200 + path: istio-token + - name: dnscerts + secret: + secretName: dns.istio-galley-service-account + - configMap: + name: galley-envoy-config + name: envoy-config + - configMap: + name: istio-galley-configuration + name: config + - configMap: + name: istio-mesh-galley + name: mesh-config +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + release: istio + istio: galley +spec: + minAvailable: 1 + selector: + matchLabels: + app: galley + release: istio + istio: galley +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + istio: galley + release: istio +spec: + ports: + - port: 443 + name: https-validation + targetPort: 9443 + - port: 15014 + name: http-monitoring + - port: 9901 + name: grpc-mcp + - port: 15019 + name: grpc-tls-mcp + selector: + istio: galley +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + namespace: istio-system + labels: + app: galley + release: istio diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Grafana.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Grafana.yaml new file mode 100644 index 0000000000..5e5eed5e8b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/Grafana.yaml @@ -0,0 +1 @@ +# Grafana component is disabled. diff --git a/kubeflow_clusters/code-intelligence/acm-repo/IngressGateway.yaml b/kubeflow_clusters/code-intelligence/acm-repo/IngressGateway.yaml new file mode 100644 index 0000000000..037a80037b --- /dev/null 
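Review bot: The `istio-galley` Service publishes port 9901 (`grpc-mcp`) next to 15019 (`grpc-tls-mcp`) while the galley container runs with `--insecure=true`, so the MCP endpoint appears reachable in plaintext by any pod that can route to the Service, bypassing the sidecar listener on 15019 that sets `require_client_certificate: true`. Because the Envoy cluster `in.9901` only dials `127.0.0.1:9901`, the Service entry `- port: 9901` / `name: grpc-mcp` looks unnecessary; I would drop it, or restrict that port with a NetworkPolicy if a consumer still needs it. Separately, the 15019 listener leaves `verify_subject_alt_name: []` empty, so any client certificate chaining to `ROOTCA` is accepted; listing the expected workload identities there would narrow who can speak MCP to Galley. This assumes galley binds 9901 on all pod interfaces, which the manifest itself does not show.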
+++ b/kubeflow_clusters/code-intelligence/acm-repo/IngressGateway.yaml 
@@ -0,0 +1,389 @@ +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + istio: ingressgateway + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - env: + - name: ENABLE_WORKLOAD_SDS + value: "false" + - name: ENABLE_INGRESS_GATEWAY_SDS + value: "true" + - name: INGRESS_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: gcr.io/gke-release/asm/node-agent-k8s:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: ingress-sds + resources: + limits: + cpu: 2000m + memory: 1024Mi + 
requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/run/ingress_gateway + name: ingressgatewaysdsudspath + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --connectTimeout + - 10s + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin.istio-system:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --stsPort=15463 + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --discoveryAddress + - istio-pilot.istio-system:15011 + - --trust-domain=issue-label-bot-dev.svc.id.goog + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: jlewi-dev_us-central1_kf-bp-0420-002 + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_USER_SDS + value: "true" + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + - name: GCP_METADATA + value: issue-label-bot-dev|976279526634|code-intelligence|us-central1 + - name: ISTIO_METAJSON_LABELS + value: | + 
{"app":"istio-ingressgateway","istio":"ingressgateway"} + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: SDS_ENABLED + value: "true" + image: gcr.io/gke-release/asm/proxyv2:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15020 + - containerPort: 80 + - containerPort: 443 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15443 + - containerPort: 15011 + - containerPort: 8060 + - containerPort: 853 + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/run/sds + name: sdsudspath + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ingress_gateway + name: ingressgatewaysdsudspath + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + serviceAccountName: istio-ingressgateway-service-account + volumes: + - emptyDir: {} + name: ingressgatewaysdsudspath + - hostPath: + path: /var/run/sds + name: sdsudspath + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: issue-label-bot-dev.svc.id.goog + expirationSeconds: 43200 + path: istio-token + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: ingressgateway + namespace: istio-system + labels: + release: istio +spec: + selector: + istio: 
ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + # Additional ports in gateaway for the ingressPorts - apps using dedicated port instead of hostname +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: ingressgateway + namespace: istio-system + labels: + app: istio-ingressgateway + release: istio + istio: ingressgateway +spec: + minAvailable: 1 + selector: + matchLabels: + app: istio-ingressgateway + release: istio + istio: ingressgateway +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds + namespace: istio-system + labels: + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds + namespace: istio-system + labels: + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + beta.cloud.google.com/backend-config: '{"ports": {"http2":"iap-backendconfig"}}' + name: istio-ingressgateway + namespace: istio-system + labels: + app: istio-ingressgateway + release: istio + istio: ingressgateway +spec: + type: NodePort + selector: + app: istio-ingressgateway + ports: + - name: status-port + port: 15020 + targetPort: 15020 + - name: http2 + port: 80 + targetPort: 80 + - name: https + port: 443 + - name: kiali + port: 15029 + targetPort: 15029 + - name: prometheus + port: 15030 + targetPort: 15030 + - name: grafana + port: 15031 + targetPort: 15031 + - name: tracing + port: 15032 + targetPort: 15032 + - name: tls + port: 15443 + targetPort: 15443 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-ingressgateway-service-account + namespace: istio-system + labels: + app: istio-ingressgateway + 
release: istio +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Sidecar +metadata: + name: default + namespace: istio-system + labels: + release: istio +spec: + egress: + - hosts: + - "*/*" diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Injector.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Injector.yaml new file mode 100644 index 0000000000..f43f4bc9a0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/Injector.yaml 
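Review bot: In IngressGateway.yaml the `istio-ingressgateway-sds` Role grants `istio-ingressgateway-service-account` `get`/`watch`/`list` on every Secret in `istio-system`, which is broader than the gateway certificates the `ingress-sds` container serves. The same patch keeps `dns.istio-sidecar-injector-service-account` (the injector's `--tlsKeyFile` material) and, it appears, `dns.istio-galley-service-account` in that namespace, so the pod that receives ingress traffic can read the control-plane webhook keys. Narrowing with `resourceNames` probably does not fit a watch-based SDS agent, so I would at least record the exposure above the Role, e.g. `# ingress-sds can read all Secrets in istio-system; keep non-gateway secrets out of this namespace`, and consider a dedicated gateway namespace as a follow-up. The NodePort Service also still lists `kiali`, `prometheus`, `grafana` and `tracing` (15029-15032) although the values in Injector.yaml show those components disabled and only `http2` carries `iap-backendconfig`; removing those four `ports` entries would reduce what is opened on the nodes.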
@@ -0,0 +1,765 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-sidecar-injector-istio-system + labels: + app: sidecar-injector + release: istio + istio: sidecar-injector +rules: +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["istio-sidecar-injector"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + resourceNames: ["istio-sidecar-injector", "istio-sidecar-injector-istio-system"] + verbs: ["get", "list", "watch", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-sidecar-injector-admin-role-binding-istio-system + labels: + app: sidecar-injector + release: istio + istio: sidecar-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-sidecar-injector-istio-system +subjects: +- kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: istio-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: injector-mesh + namespace: istio-system + labels: + release: istio +data: + # Note that injector uses a subset of the mesh config only - for clarity this is only generating the + # required config, i.e. the defaultConfig section. See injection-template .ProxyConfig settings. + mesh: |- + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "unix:/var/run/sds/uds_path" + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + # The pseudo service name used for Envoy. 
+ serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15011 + # This is the 'mesh' config, loaded by the sidecar injector. + # It is a different configmap from pilot to allow a-la-carte install of the injector and follow the model + # of reducing blast-radius of config changes and avoiding globals. 
+--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + release: istio + name: istio-sidecar-injector + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + istio: sidecar-injector + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + istio: sidecar-injector + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --port=9443 + - --healthCheckInterval=2s + - --healthCheckFile=/tmp/health + - --reconcileWebhookConfig=true + - --webhookConfigName=istio-sidecar-injector + - --log_output_level=debug + image: gcr.io/gke-release/asm/sidecar_injector:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/tmp/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + name: sidecar-injector-webhook + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - 
--probe-path=/tmp/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/istio/config + name: config-volume + readOnly: true + - mountPath: /etc/istio/certs + name: certs + readOnly: true + - mountPath: /etc/istio/inject + name: inject-config + readOnly: true + serviceAccountName: istio-sidecar-injector-service-account + volumes: + - configMap: + name: injector-mesh + name: config-volume + - name: certs + secret: + secretName: dns.istio-sidecar-injector-service-account + - configMap: + items: + - key: config + path: config + - key: values + path: values + name: istio-sidecar-injector + name: inject-config +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + labels: + app: sidecar-injector + release: istio +webhooks: +- name: sidecar-injector.istio.io + clientConfig: + service: + name: istio-sidecar-injector + namespace: istio-system + path: "/inject" + caBundle: "" + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + namespaceSelector: + matchLabels: + istio-injection: enabled +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecar-injector + release: istio + istio: sidecar-injector +spec: + minAvailable: 1 + selector: + matchLabels: + app: sidecar-injector + release: istio + istio: sidecar-injector +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecarInjectorWebhook + release: istio + istio: sidecar-injector +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + istio: sidecar-injector +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-sidecar-injector-service-account + namespace: istio-system + labels: + app: sidecarInjectorWebhook + 
release: istio + istio: sidecar-injector +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + release: istio + app: sidecar-injector + istio: sidecar-injector +data: + values: |- + {"certmanager":{"enabled":false,"hub":"quay.io/jetstack","image":"cert-manager-controller","namespace":"istio-system","tag":"v0.6.2"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":true,"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"namespace":"istio-system","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP","zvpn":{"enabled":true,"suffix":"global"}},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"debug":"info","domain":"","enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"namespace":"istio-system","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":true,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cp
u":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"type":"NodePort","zvpn":{"enabled":true,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[{"dnsNames":["istio-galley.istio-system.svc","istio-galley.istio-system"],"secretName":"dns.istio-galley-service-account"},{"dnsNames":["istio-sidecar-injector.istio-system.svc","istio-sidecar-injector.istio-system"],"secretName":"dns.istio-sidecar-injector-service-account"}],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"gcr.io/gke-release/asm","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":false},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"jlewi-dev_us-central1_kf-bp-0420-002","meshNetworks":{},"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"policyNamespace":"istio-system","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCo
reDump":false,"env":{"GCP_METADATA":"issue-label-bot-dev|976279526634|code-intelligence|us-central1"},"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"0s","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":true,"token":{"aud":"issue-label-bot-dev.svc.id.goog"},"udsPath":"unix:/var/run/sds/uds_path"},"securityNamespace":"istio-system","sts":{"servicePort":15463},"tag":"1.4.7-asm.0","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"issue-label-bot-dev.svc.id.goog","useMCP":true},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":false,"env":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.4.3"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSele
ctor":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":false,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.15"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":false,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":true,"enabled":false,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":true,"enabled":false,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"toleration
s":[],"useMCP":true}},"nodeagent":{"enabled":true,"env":{"CA_ADDR":"meshca.googleapis.com:443","CA_PROVIDER":"GoogleCA","GKE_CLUSTER_URL":"https://container.googleapis.com/v1/projects/issue-label-bot-dev/locations/us-central1/clusters/code-intelligence","PLUGINS":"GoogleTokenExchange","VALID_TOKEN":true},"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":false,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"OFF","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1,"useMCP":true},"prometheus":{"contextPath":"/prometheus","enabled":false,"hub":"docker.io/prom","ingress":{"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.12.0","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":false,"image":"citadel","namespace":"istio-system","selfSigned":true,"trustDomain":"cluster.local"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnotations":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},
"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":true,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":false},"v2":{"enabled":true,"prometheus":{"enabled":false},"stackdriver":{"configOverride":{},"enabled":true,"logging":true,"monitoring":false,"topology":true}}},"tracing":{"enabled":false,"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":false,"hub":"docker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.14"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""} + config: |- + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + template: | + {{- $cniDisabled := (not .Values.istio_cni.enabled) }} + {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }} + {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }} + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} + {{- if $enableInitContainer }} + initContainers: + {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ 
if $cniRepairEnabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + command: + {{- if $cniRepairEnabled }} + - istio-iptables-go + {{- else }} + - istio-iptables + {{- end }} + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - 1337 + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if $cniRepairEnabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .Values.global.proxy_init.resources }} + resources: + {{ toYaml 
.Values.global.proxy_init.resources | indent 4 }} + {{- else }} + resources: {} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not $cniRepairEnabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + readOnlyRootFilesystem: false + {{- if not $cniRepairEnabled }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --configPath + - "/etc/istio/proxy" + - --binaryPath + - "/usr/local/bin/envoy" + - --serviceCluster 
+ {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --drainDuration + - "{{ formatDuration .ProxyConfig.DrainDuration }}" + - --parentShutdownDuration + - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" + - --discoveryAddress + - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" + {{- if eq .Values.global.proxy.tracer "lightstep" }} + - --lightstepAddress + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" + - --lightstepAccessToken + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" + - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} + - --lightstepCacertPath + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + - --zipkinAddress + - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" + {{- else if eq .Values.global.proxy.tracer "datadog" }} + - --datadogAgentAddress + - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" + {{- end }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + - --connectTimeout + - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" + {{- if .Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - "{{ .ProxyConfig.StatsdUdpAddress }}" + {{- end }} + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" + {{- end }} + {{- if .Values.global.proxy.envoyAccessLogService.enabled }} + - --envoyAccessLogServiceAddress + - "{{ .ProxyConfig.GetEnvoyAccessLogService.GetAddress }}" 
+ {{- end }} + - --proxyAdminPort + - "{{ .ProxyConfig.ProxyAdminPort }}" + {{ if gt .ProxyConfig.Concurrency 0 -}} + - --concurrency + - "{{ .ProxyConfig.Concurrency }}" + {{ end -}} + {{- if .Values.global.controlPlaneSecurityEnabled }} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + {{- else }} + - --controlPlaneAuthPolicy + - NONE + {{- end }} + - --dnsRefreshRate + - {{ valueOrDefault .Values.global.proxy.dnsRefreshRate "300s" }} + {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} + - --statusPort + - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" + - --applicationPorts + - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" + + {{- end }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - --templateFile=/etc/istio/custom-bootstrap/envoy_bootstrap.json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.proxy.env }} + {{- range $key, $val := .Values.global.proxy.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- if eq .Values.global.proxy.tracer "datadog" }} + {{- 
if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- end }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{ if .ObjectMeta.Labels }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ toJSON .ObjectMeta.Labels }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{ .DeploymentMeta.Name }} + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- 
if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: ISTIO_META_SDS_TOKEN_PATH + value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if .Values.global.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.trustDomain }}" + {{- end }} + {{- if eq .Values.global.proxy.tracer "stackdriver" }} + - name: STACKDRIVER_TRACING_ENABLED + value: "true" + - name: STACKDRIVER_TRACING_DEBUG + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}" + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations.Value }}" + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes.Value }}" + - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS + value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents.Value }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 
.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + add: + - NET_ADMIN + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end}} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{ else -}} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{ end -}} + volumeMounts: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if .Values.global.sds.enabled }} + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: 
istio-token + {{- if .Values.global.sds.customTokenDirectory }} + - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" + name: custom-sds-token + readOnly: true + {{- end }} + {{- else }} + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + - emptyDir: + medium: Memory + name: istio-envoy + {{- if .Values.global.sds.enabled }} + - name: sds-uds-path + hostPath: + path: /var/run/sds + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: custom-sds-token + secret: + secretName: sdstokensecret + {{- end }} + {{- else }} + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- end }} + {{- if and (eq .Values.global.proxy.tracer 
"lightstep") .Values.global.tracer.lightstep.cacertPath }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+ {{- if .Values.global.podDNSSearchNamespaces }}
+ dnsConfig:
+ searches:
+ {{- range .Values.global.podDNSSearchNamespaces }}
+ - {{ render . }}
+ {{- end }}
+ {{- end }}
+ injectedAnnotations:
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Kiali.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Kiali.yaml
new file mode 100644
index 0000000000..b37bd72f9d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/Kiali.yaml
@@ -0,0 +1 @@
+# Kiali component is disabled.
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/NodeAgent.yaml b/kubeflow_clusters/code-intelligence/acm-repo/NodeAgent.yaml
new file mode 100644
index 0000000000..66db72359b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/NodeAgent.yaml
@@ -0,0 +1,124 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-nodeagent-istio-system
+ labels:
+ app: istio-nodeagent
+ release: istio
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-nodeagent-istio-system
+ labels:
+ app: istio-nodeagent
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-nodeagent-istio-system
+subjects:
+- kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: istio-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: istio-nodeagent
+ namespace: istio-system
+ labels:
+ app: istio-nodeagent
+ istio: nodeagent
+ release: istio
+spec:
+ selector:
+ matchLabels:
+ istio: nodeagent
+ template:
+ metadata:
+ labels:
+ app: istio-nodeagent
+ istio: nodeagent
+ release: istio
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-nodeagent-service-account
+ containers:
+ - name: nodeagent
+ image: "gcr.io/gke-release/asm/node-agent-k8s:1.4.7-asm.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ volumeMounts:
+ - mountPath: /var/run/sds
+ name: sdsudspath
+ env:
+ - name: CA_ADDR
+ value: "meshca.googleapis.com:443"
+ - name: CA_PROVIDER
+ value: "GoogleCA"
+ - name: GKE_CLUSTER_URL
+ value: "https://container.googleapis.com/v1/projects/issue-label-bot-dev/locations/us-central1/clusters/code-intelligence"
+ - name: PLUGINS
+ value: "GoogleTokenExchange"
+ - name: VALID_TOKEN
+ value: "true"
+ - name: "TRUST_DOMAIN"
+ value: "issue-label-bot-dev.svc.id.goog"
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumes:
+ - name: sdsudspath
+ hostPath:
+ path: /var/run/sds
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+ updateStrategy:
+ type: RollingUpdate
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-nodeagent-service-account
+ namespace: istio-system
+ labels:
+ app: istio-nodeagent
+ release: istio
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Pilot.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Pilot.yaml
new file mode 100644
index 0000000000..f3df06af34
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/Pilot.yaml
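Review bot: The `nodeagent` container in the DaemonSet of NodeAgent.yaml declares no `securityContext`, yet it mounts the node's `/var/run/sds` hostPath read-write on every node, and per the mesh config elsewhere in this patch that directory holds the socket sidecars use to obtain their mTLS key and certificate. As written the container runs with the image's default user and capabilities; I would at least add `securityContext:` with `allowPrivilegeEscalation: false` under the container, and drop capabilities as well if the agent still starts that way (not verifiable from this hunk). The container also has no `resources` block, and the empty `args:` key parses as null and can be removed. If this manifest is generated from the ASM profile, the change belongs in the overlay that produces it rather than in this file.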
@@ -0,0 +1,1098 @@ +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: pilot + release: istio + name: istio-pilot + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-pilot +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + release: istio +rules: +- apiGroups: ["config.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["security.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["ingresses", "ingresses/status"] + verbs: ["*"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", "delete"] +- apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-istio-system +subjects: +- kind: ServiceAccount + name: 
istio-pilot-service-account + namespace: istio-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: istio-system + name: pilot-envoy-config + labels: + release: istio +data: + envoy.yaml.tmpl: |- + admin: + access_log_path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 15000 + + static_resources: + clusters: + - name: in.15010 + http2_protocol_options: {} + connect_timeout: 1.000s + + hosts: + - socket_address: + address: 127.0.0.1 + port_value: 15010 + + circuit_breakers: + thresholds: + - max_connections: 100000 + max_pending_requests: 100000 + max_requests: 100000 + max_retries: 3 + + # TODO: telemetry using EDS + # TODO: other pilots using EDS, load balancing + # TODO: galley using EDS + + - name: out.galley.15019 + http2_protocol_options: {} + connect_timeout: 1.000s + type: STRICT_DNS + + circuit_breakers: + thresholds: + - max_connections: 100000 + max_pending_requests: 100000 + max_requests: 100000 + max_retries: 3 + hosts: + - socket_address: + address: istio-galley.istio-system + port_value: 15019 + tls_context: + common_tls_context: + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: + - spiffe://issue-label-bot-dev.svc.id.goog/ns/istio-system/sa/istio-galley-service-account + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path 
+ channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + + listeners: + - name: "in.15011" + address: + socket_address: + address: 0.0.0.0 + port_value: 15011 + filter_chains: + - filters: + - name: envoy.http_connection_manager + #typed_config + #"@type": "type.googleapis.com/", + config: + codec_type: HTTP2 + stat_prefix: "15011" + http2_protocol_options: + max_concurrent_streams: 1073741824 + + access_log: + - name: envoy.file_access_log + config: + path: /dev/stdout + + http_filters: + - name: envoy.router + + route_config: + name: "15011" + + virtual_hosts: + - name: istio-pilot + + domains: + - '*' + + routes: + - match: + prefix: / + route: + cluster: in.15010 + timeout: 0.000s + decorator: + operation: xDS + tls_context: + common_tls_context: + alpn_protocols: + - h2 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: unix:/var/run/sds/uds_path + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: 
envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: /var/run/secrets/tokens/istio-token + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true + + + # Manual 'whitebox' mode + - name: "local.15019" + address: + socket_address: + address: 127.0.0.1 + port_value: 15019 + filter_chains: + - filters: + - name: envoy.http_connection_manager + config: + codec_type: HTTP2 + stat_prefix: "15019" + http2_protocol_options: + max_concurrent_streams: 1073741824 + + access_log: + - name: envoy.file_access_log + config: + path: /dev/stdout + + http_filters: + - name: envoy.router + + route_config: + name: "15019" + + virtual_hosts: + - name: istio-galley + + domains: + - '*' + + routes: + - match: + prefix: / + route: + cluster: out.galley.15019 + timeout: 0.000s +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + release: istio +data: + meshNetworks: |- + # Network config + networks: {} + values.yaml: |- + appNamespaces: [] + autoscaleEnabled: true + autoscaleMax: 5 + autoscaleMin: 1 + configMap: true + configNamespace: istio-config + cpu: + targetAverageUtilization: 80 + enableProtocolSniffingForInbound: false + enableProtocolSniffingForOutbound: false + enabled: true + env: {} + image: pilot + ingress: + ingressClass: istio + ingressControllerMode: "OFF" + ingressService: istio-ingressgateway + keepaliveMaxServerConnectionAge: 30m + meshNetworks: + networks: {} + namespace: istio-system + nodeSelector: {} + plugins: [] + podAnnotations: {} + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + policy: + enabled: false + replicaCount: 1 + resources: + requests: + cpu: 500m + memory: 2048Mi + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + tolerations: [] + traceSampling: 1 + useMCP: true + mesh: |- + # Set enableTracing to false to disable request tracing. 
+ enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "" + + accessLogFormat: "" + + accessLogEncoding: 'TEXT' + + enableEnvoyAccessLogService: false + # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server + reportBatchMaxEntries: 100 + # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server + reportBatchMaxTime: 1s + disableMixerHttpReports: true + + disablePolicyChecks: true + + # Automatic protocol detection uses a set of heuristics to + # determine whether the connection is using TLS or not (on the + # server side), as well as the application protocol being used + # (e.g., http vs tcp). These heuristics rely on the client sending + # the first bits of data. For server first protocols like MySQL, + # MongoDB, etc., Envoy will timeout on the protocol detection after + # the specified period, defaulting to non mTLS plain TCP + # traffic. Set this field to tweak the period that Envoy will wait + # for the client to send the first bits of data. (MUST BE >=1ms) + protocolDetectionTimeout: 0s + + # This is the k8s ingress service name, update if you used a different name + ingressService: "istio-ingressgateway" + ingressControllerMode: "OFF" + ingressClass: "istio" + + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "issue-label-bot-dev.svc.id.goog" + + # The trust domain aliases represent the aliases of trust_domain. + # For example, if we have + # trustDomain: td1 + # trustDomainAliases: [“td2”, "td3"] + # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account", + # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh. 
+ trustDomainAliases: + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "unix:/var/run/sds/uds_path" + + # If true, automatically configure client side mTLS settings to match the corresponding service's + # server side mTLS authentication policy, when destination rule for that service does not specify + # TLS settings. + enableAutoMtls: false + config_sources: + - address: localhost:15019 + + outboundTrafficPolicy: + mode: ALLOW_ANY + + # Configures DNS certificates provisioned through Chiron linked into Pilot. + # The DNS certificate provisioning is enabled by default now so it get tested. + # TODO (lei-tang): we'll decide whether enable it by default or not before Istio 1.4 Release. + certificates: + - dnsNames: + - istio-galley.istio-system.svc + - istio-galley.istio-system + secretName: dns.istio-galley-service-account + - dnsNames: + - istio-sidecar-injector.istio-system.svc + - istio-sidecar-injector.istio-system + secretName: dns.istio-sidecar-injector-service-account + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. 
See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15011 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: pilot + istio: pilot + release: istio + name: istio-pilot + namespace: istio-system +spec: + selector: + matchLabels: + istio: pilot + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: pilot + chart: pilot + heritage: Tiller + istio: pilot + release: istio + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - discovery + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --secureGrpcAddr + - "" + - --trust-domain=issue-label-bot-dev.svc.id.goog + - --keepaliveMaxServerConnectionAge + - 30m + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + 
fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: CONFIG_NAMESPACE + value: istio-config + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "false" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "false" + image: gcr.io/gke-release/asm/pilot:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: discovery + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + resources: + requests: + cpu: 2000m + memory: 2048Mi + volumeMounts: + - mountPath: /etc/istio/config + name: config-volume + - args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-pilot + - --templateFile + - /var/lib/envoy/envoy.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --trust-domain=issue-label-bot-dev.svc.id.goog + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: SDS_ENABLED + value: "true" + image: gcr.io/gke-release/asm/proxyv2:1.4.7-asm.0 + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15011 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/lib/envoy + name: pilot-envoy-config + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + serviceAccountName: istio-pilot-service-account + volumes: + - hostPath: + path: /var/run/sds + name: sds-uds-path + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: 
issue-label-bot-dev.svc.id.goog + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + name: config-volume + - configMap: + name: pilot-envoy-config + name: pilot-envoy-config +--- +apiVersion: "authentication.istio.io/v1alpha1" +kind: "MeshPolicy" +metadata: + name: "default" + labels: + release: istio +spec: + peers: + - mtls: + mode: PERMISSIVE +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: pilot + release: istio + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: pilot + release: istio + istio: pilot +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: promsd-istio-system +rules: +- apiGroups: + - "" + resources: + - nodes + - services + - endpoints + - pods + - nodes/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: promsd + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + addonmanager.kubernetes.io/mode: Reconcile + k8s-app: istio + name: promsd-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: promsd-istio-system +subjects: +- kind: ServiceAccount + name: promsd + namespace: istio-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: promsd + namespace: istio-system +data: + prometheus.yml: |- + global: + scrape_interval: 15s + rule_files: + - '/etc/prometheus-rules/rules.yml' + scrape_configs: + - job_name: 'pilot' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. 
+ kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: promsd-rules + namespace: istio-system +data: + rules.yml: |- + groups: + - name: recording_rules + rules: + - record: pilot_config_push_latency + expr: pilot_proxy_convergence_time_bucket + - record: pilot_xds_push_timeouts + expr: pilot_xds_push_context_errors + - record: pilot_errors_xds + expr: > + pilot_duplicate_envoy_clusters + pilot_conflict_outbound_listener_http_over_current_tcp + + pilot_conflict_outbound_listener_http_over_https + pilot_conflict_outbound_listener_tcp_over_current_http + + pilot_conflict_outbound_listener_tcp_over_current_tcp + + pilot_eds_no_instances + pilot_endpoint_not_ready + + pilot_total_xds_internal_errors + pilot_total_xds_rejects +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: promsd-sidecar + namespace: istio-system +data: + sidecar.yml: |- + static_metadata: + - metric: pilot_xds_pushes + type: counter + - metric: pilot_config_push_latency + type: histogram + - metric: pilot_xds_push_timeouts + type: counter + - metric: pilot_errors_xds + type: counter + - metric: pilot_errors_internal + type: counter +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/scrape: "true" + labels: + app: promsd + name: promsd + namespace: istio-system +spec: + ports: + - name: http-prometheus + port: 9090 + protocol: TCP + selector: + app: promsd +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: promsd + namespace: istio-system +spec: + selector: + matchLabels: + app: promsd + template: + metadata: + labels: + app: promsd + annotations: + seccomp.security.alpha.kubernetes.io/pod: 'docker/default' + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + 
serviceAccountName: promsd + containers: + - args: + - --prometheus.wal-directory=/data/wal + - --stackdriver.project-id= + - --stackdriver.kubernetes.location= + - --stackdriver.kubernetes.cluster-name= + - --stackdriver.use-gke-resource + - --stackdriver.metrics-prefix=container.googleapis.com/internal/addons/istio + - --config-file=/etc/prometheus-sidecar/sidecar.yml + - --filter=__name__=~"^(pilot_xds_pushes|pilot_xds_push_timeouts|pilot_errors_xds)$" + image: "gcr.io/gke-release/asm/stackdriver-prometheus-sidecar:1.4.7-asm.0" + env: + - name: DEBUG + value: "1" + imagePullPolicy: Always + name: sidecar + ports: + - containerPort: 9091 + name: sidecar + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /data + name: data-volume + - mountPath: /etc/prometheus-sidecar + name: static-config-volume + - args: + - --storage.tsdb.retention=6h + - --storage.tsdb.path=/data + - --storage.tsdb.min-block-duration=15m + - --storage.tsdb.max-block-duration=4h + - --config.file=/etc/prometheus/prometheus.yml + image: "gcr.io/gke-release/asm/prometheus:1.4.7-asm.0" + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /-/healthy + port: 9090 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: promsd + ports: + - containerPort: 9090 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /-/ready + port: 9090 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/prometheus + name: config-volume + - mountPath: /etc/prometheus-rules + name: rules-config-volume + - mountPath: /etc/istio-certs + name: istio-certs + - mountPath: /data + name: data-volume + volumes: + - configMap: + defaultMode: 420 + name: promsd + name: config-volume + - configMap: + 
defaultMode: 420 + name: promsd-rules + name: rules-config-volume + - emptyDir: {} + name: data-volume + - configMap: + defaultMode: 420 + name: promsd-sidecar + name: static-config-volume + - name: istio-certs + secret: + defaultMode: 420 + optional: true + secretName: istio.default + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: pilot + release: istio + istio: pilot +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + selector: + istio: pilot +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-pilot-service-account + namespace: istio-system + labels: + app: pilot + release: istio +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.4 + namespace: istio-system +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: ANY # inbound, outbound, and gateway + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + configuration: envoy.wasm.metadata_exchange + vm_config: + runtime: envoy.wasm.runtime.null + code: + inline_string: 
envoy.wasm.metadata_exchange +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.4 + namespace: istio-system +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + root_id: stackdriver_outbound + configuration: | + {"enable_mesh_edges_reporting": true, "disable_server_access_logging": false, "meshEdgesReportingDuration": "600s"} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + inline_string: envoy.wasm.null.stackdriver + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + root_id: stackdriver_inbound + configuration: | + {"enable_mesh_edges_reporting": true, "disable_server_access_logging": false, "meshEdgesReportingDuration": "600s"} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + inline_string: envoy.wasm.null.stackdriver + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '1\.4.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.wasm + config: + config: + root_id: stackdriver_outbound + configuration: | + {"enable_mesh_edges_reporting": true, "disable_server_access_logging": false, "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + 
inline_string: envoy.wasm.null.stackdriver diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Policy.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Policy.yaml new file mode 100644 index 0000000000..bb7ae04a5c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/Policy.yaml @@ -0,0 +1 @@ +# Policy component is disabled. diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Prometheus.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Prometheus.yaml new file mode 100644 index 0000000000..b4c368d91d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/Prometheus.yaml @@ -0,0 +1 @@ +# Prometheus component is disabled. diff --git a/kubeflow_clusters/code-intelligence/acm-repo/PrometheusOperator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/PrometheusOperator.yaml new file mode 100644 index 0000000000..ffc131a070 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/PrometheusOperator.yaml @@ -0,0 +1 @@ +# PrometheusOperator component is disabled. diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Telemetry.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Telemetry.yaml new file mode 100644 index 0000000000..fe024d86ac --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/Telemetry.yaml @@ -0,0 +1 @@ +# Telemetry component is disabled. diff --git a/kubeflow_clusters/code-intelligence/acm-repo/Tracing.yaml b/kubeflow_clusters/code-intelligence/acm-repo/Tracing.yaml new file mode 100644 index 0000000000..c3846d692a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/Tracing.yaml @@ -0,0 +1 @@ +# Tracing component is disabled. 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/acm-repo/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml
new file mode 100644
index 0000000000..9791664258
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_admission-webhook-mutating-webhook-configuration.yaml
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: kubeflow/admission-webhook-cert
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ name: admission-webhook-mutating-webhook-configuration
+webhooks:
+- clientConfig:
+ caBundle: ""
+ service:
+ name: admission-webhook-service
+ namespace: kubeflow
+ path: /apply-poddefault
+ name: admission-webhook-deployment.kubeflow.org
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml
new file mode 100644
index 0000000000..bd5a7b2938
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_applications.app.k8s.io.yaml
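Review bot: The `admission-webhook-deployment.kubeflow.org` entry in the new MutatingWebhookConfiguration (the 28-line admission-webhook file) matches CREATE on pods in every namespace, because nothing beside its `rules` list sets a `namespaceSelector` or `objectSelector`; pod creation in `kube-system` and `istio-system` is therefore also sent to `admission-webhook-service` in the `kubeflow` namespace. `failurePolicy` and `timeoutSeconds` are not set either, and under `admissionregistration.k8s.io/v1beta1` they default to `Ignore` and 30 seconds, so PodDefaults are skipped without any error while the webhook is unavailable and each pod create can wait on it. I would add a `namespaceSelector` keyed on a label that only the namespaces meant to receive PodDefaults carry, and state `failurePolicy:` and a short `timeoutSeconds:` explicitly so the fail-open or fail-closed choice is visible in review. If this file is rendered output rather than hand-written, the change belongs in the source it was built from.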
@@ -0,0 +1,233 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: applications.app.k8s.io +spec: + group: app.k8s.io + names: + kind: Application + plural: applications + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + addOwnerRef: + type: boolean + assemblyPhase: + type: string + componentKinds: + items: + type: object + type: array + descriptor: + properties: + description: + type: string + icons: + items: + properties: + size: + type: string + src: + type: string + type: + type: string + required: + - src + type: object + type: array + keywords: + items: + type: string + type: array + links: + items: + properties: + description: + type: string + url: + type: string + type: object + type: array + maintainers: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + notes: + type: string + owners: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + type: + type: string + version: + type: string + type: object + info: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + ingressRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + host: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + secretKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string 
+ key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + serviceRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + port: + format: int32 + type: integer + resourceVersion: + type: string + uid: + type: string + type: object + type: + type: string + type: object + type: object + type: array + selector: + type: object + type: object + status: + properties: + components: + items: + properties: + group: + type: string + kind: + type: string + link: + type: string + name: + type: string + status: + type: string + type: object + type: array + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + lastUpdateTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + - status + type: object + type: array + observedGeneration: + format: int64 + type: integer + type: object + version: v1beta1 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml new file mode 100644 index 0000000000..0b81ee91ef --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificaterequests.cert-manager.io.yaml 
@@ -0,0 +1,181 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertificateRequest is a type to represent a Certificate Signing + Request + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateRequestSpec defines the desired state of CertificateRequest + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + format: byte + type: string + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. 
See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + type: object + status: + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + format: byte + type: string + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + format: byte + type: string + conditions: + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - status + - type + type: object + type: array + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml new file mode 100644 index 0000000000..6a46d9446b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_certificates.cert-manager.io.yaml 
@@ -0,0 +1,235 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Certificate is a type to represent a Certificate from ACME + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. 
A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN + to be valid. + properties: + commonName: + description: CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. 
If KeyEncoding is not specified, then PKCS#1 will be + used by default. + enum: + - pkcs1 + - pkcs8 + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + items: + type: string + type: array + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + items: + description: CertificateCondition contains condition information for + an Certificate. 
+ properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml new file mode 100644 index 0000000000..32c452b7c2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_challenges.acme.cert-manager.io.yaml 
@@ -0,0 +1,1369 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: challenges.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME + server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. 
+ example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. 
+ enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting RFC2136. + Required. Note: FQDN is not a valid value, only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ""tsigSecretSecretRef"" and ""tsigKeyName"" + are defined. Supported values are (case-insensitive): + ""HMACMD5"" (default), ""HMACSHA1"", ""HMACSHA256"" or + ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If + ""tsigSecretSecretRef"" is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ""tsigKeyName"" is defined, this field is required. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + resources. 
+ properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. 
+ type: string + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. If labels or annotations overlap + with in-built values, the values here will override + the in-built values. + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. 
+ items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. 
If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. 
If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. 
for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. 
+ A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. 
+ properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + just a regular string. 
+ type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. 
+ type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - dnsName + - issuerRef + - key + - token + - type + - url + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml new file mode 100644 index 0000000000..2d6992c7b2 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_cloudendpoints.ctl.isla.solutions.yaml @@ -0,0 +1,20 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloudendpoints.ctl.isla.solutions +spec: + group: ctl.isla.solutions + names: + kind: CloudEndpoint + plural: cloudendpoints + shortNames: + - cloudep + - ce + singular: cloudendpoint + scope: Namespaced + version: v1 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml new file mode 100644 index 0000000000..7691a8e2fd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_clusterissuers.cert-manager.io.yaml 
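Review bot: The `cloudendpoints.ctl.isla.solutions` CRD is registered without a `spec.validation.openAPIV3Schema`, unlike the cert-manager CRDs in this patch, so the API server will store any CloudEndpoint object whatever its fields are, and the only validation left is whatever the cloud-endpoints controller does itself. Since that controller presumably acts on these objects with its own cluster role and cloud credentials, I would add a schema that types the spec fields it reads and lists the mandatory ones under `required`. A schema is also needed before this definition can move from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`, which requires a structural schema. If this file is hydrated output, as the `acm-repo` path suggests, the change belongs in the upstream package rather than here.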
@@ -0,0 +1,1655 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' 
+ type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. 
This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. 
If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. 
+ type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. 
+ items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. 
+ items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. 
If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. 
+ type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. 
+ If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. 
A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. 
+ properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml new file mode 100644 index 0000000000..de393b499c --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_compositecontrollers.metacontroller.k8s.io.yaml
@@ -0,0 +1,17 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ labels:
+ kustomize.component: metacontroller
+ name: compositecontrollers.metacontroller.k8s.io
+spec:
+ group: metacontroller.k8s.io
+ names:
+ kind: CompositeController
+ plural: compositecontrollers
+ shortNames:
+ - cc
+ - cctl
+ singular: compositecontroller
+ scope: Cluster
+ version: v1alpha1
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml
new file mode 100644
index 0000000000..c91596faa8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_controllerrevisions.metacontroller.k8s.io.yaml
@@ -0,0 +1,14 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ labels:
+ kustomize.component: metacontroller
+ name: controllerrevisions.metacontroller.k8s.io
+spec:
+ group: metacontroller.k8s.io
+ names:
+ kind: ControllerRevision
+ plural: controllerrevisions
+ singular: controllerrevision
+ scope: Namespaced
+ version: v1alpha1
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml
new file mode 100644
index 0000000000..921d33b84c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_decoratorcontrollers.metacontroller.k8s.io.yaml
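Review bot: The compositecontrollers.metacontroller.k8s.io CRD is added without a `validation.openAPIV3Schema`, so the API server will store any fields submitted in a CompositeController without validating or pruning them; the controllerrevisions and decoratorcontrollers hunks that follow have the same gap, while the cert-manager CRDs in this same patch carry full schemas. CompositeController and DecoratorController are `scope: Cluster`, so it is worth confirming that RBAC restricts create/update on them to cluster administrators; what the controller does with these objects is not visible in this patch. All three manifests also use `apiextensions.k8s.io/v1beta1` with the single `version: v1alpha1` field, an API that was removed in Kubernetes 1.22; moving to `apiextensions.k8s.io/v1` requires a structural schema and a `versions:` entry (`- name: v1alpha1`, `served: true`, `storage: true`), as the clusterissuers CRD in this patch already declares. These files look like hydrated kustomize output, so the change probably belongs in the upstream package rather than here.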
@@ -0,0 +1,17 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ labels:
+ kustomize.component: metacontroller
+ name: decoratorcontrollers.metacontroller.k8s.io
+spec:
+ group: metacontroller.k8s.io
+ names:
+ kind: DecoratorController
+ plural: decoratorcontrollers
+ shortNames:
+ - dec
+ - decorators
+ singular: decoratorcontroller
+ scope: Cluster
+ version: v1alpha1
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml
new file mode 100644
index 0000000000..d529bff171
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_issuers.cert-manager.io.yaml
@@ -0,0 +1,1655 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' 
+ type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. 
This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. 
If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. 
+ type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. 
+ items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. 
+ items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. 
+ type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. 
If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. 
+ type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. 
+ If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. 
A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. 
+ properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml new file mode 100644 index 0000000000..1e031ae88b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_notebooks.kubeflow.org.yaml 
@@ -0,0 +1,69 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ labels:
+ app: notebook-controller
+ app.kubernetes.io/component: notebook-controller
+ app.kubernetes.io/name: notebook-controller
+ kustomize.component: notebook-controller
+ name: notebooks.kubeflow.org
+spec:
+ group: kubeflow.org
+ names:
+ kind: Notebook
+ plural: notebooks
+ singular: notebook
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ template:
+ description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ Important: Run "make" to regenerate code after modifying this file'
+ properties:
+ spec:
+ type: object
+ type: object
+ type: object
+ status:
+ properties:
+ conditions:
+ description: Conditions is an array of current conditions
+ items:
+ properties:
+ type:
+ description: Type of the confition/
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ required:
+ - conditions
+ type: object
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: false
+ - name: v1beta1
+ served: true
+ storage: true
+ - name: v1
+ served: true
+ storage: false
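Review bot: `spec.template.spec` is declared only as `type: object`, so this schema puts no constraint on what a Notebook carries there and the API server will store whatever is submitted. If the notebook controller uses that field as a pod spec, which the name suggests but this hunk does not show, then pod-level settings such as host mounts or privileged containers are not limited by the CRD and have to be limited by admission policy in every namespace where users may create Notebooks. I would record that next to the field, e.g. `# not validated here: pod-level restrictions must come from admission policy`. The scaffold text in the `template` description (`INSERT ADDITIONAL SPEC FIELDS ...`) and the typo `confition/` should also be corrected in the source this manifest is generated from.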
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml new file mode 100644 index 0000000000..12b262c51e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_orders.acme.cert-manager.io.yaml 
@@ -0,0 +1,200 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. 
This field must match the corresponding field on the + DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. 
An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. http-01, dns-01 + type: string + url: + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. 
+ type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml new file mode 100644 index 0000000000..808eb4db0c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_poddefaults.kubeflow.org.yaml 
@@ -0,0 +1,56 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: poddefaults.kubeflow.org +spec: + group: kubeflow.org + names: + kind: PodDefault + plural: poddefaults + singular: poddefault + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + desc: + type: string + env: + items: + type: object + type: array + envFrom: + items: + type: object + type: array + selector: + type: object + serviceAccountName: + type: string + volumeMounts: + items: + type: object + type: array + volumes: + items: + type: object + type: array + required: + - selector + type: object + status: + type: object + type: object + version: v1alpha1 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml new file mode 100644 index 0000000000..c299e91151 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_profiles.kubeflow.org.yaml 
@@ -0,0 +1,158 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + kustomize.component: profiles + name: profiles.kubeflow.org +spec: + conversion: + strategy: None + group: kubeflow.org + names: + kind: Profile + plural: profiles + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + description: Profile is the Schema for the profiles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProfileSpec defines the desired state of Profile + properties: + owner: + description: The profile owner + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + required: + - kind + - name + type: object + plugins: + items: + description: Plugin is for customize actions on different platform. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + spec: + type: object + type: object + type: array + resourceQuotaSpec: + description: Resourcequota that will be applied to target namespace + properties: + hard: + additionalProperties: + type: string + description: 'hard is the set of desired hard limits for each named + resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + scopeSelector: + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. + properties: + matchExpressions: + description: A list of scope selector requirements by scope + of the resources. + items: + description: A scoped-resource selector requirement is a selector + that contains values, a scope name, and an operator that + relates the scope name and values. + properties: + operator: + description: Represents a scope's relationship to a set + of values. Valid operators are In, NotIn, Exists, DoesNotExist. + type: string + scopeName: + description: The name of the scope that the selector applies + to. + type: string + values: + description: An array of string values. 
If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - operator + - scopeName + type: object + type: array + type: object + scopes: + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all objects. + items: + description: A ResourceQuotaScope defines a filter that must match + each object tracked by a quota + type: string + type: array + type: object + type: object + status: + description: ProfileStatus defines the observed state of Profile + properties: + conditions: + items: + properties: + message: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml new file mode 100644 index 0000000000..2dc516cbcc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_pytorchjobs.kubeflow.org.yaml 
@@ -0,0 +1,45 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-job-crds + name: pytorchjobs.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: State + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + names: + kind: PyTorchJob + plural: pytorchjobs + singular: pytorchjob + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + pytorchReplicaSpecs: + properties: + Master: + properties: + replicas: + maximum: 1 + minimum: 1 + type: integer + Worker: + properties: + replicas: + minimum: 1 + type: integer + versions: + - name: v1 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml new file mode 100644 index 0000000000..ebfcefbc9b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apiextensions.k8s.io_v1beta1_customresourcedefinition_tfjobs.kubeflow.org.yaml 
@@ -0,0 +1,50 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-crds + name: tfjobs.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: State + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + names: + kind: TFJob + plural: tfjobs + singular: tfjob + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + tfReplicaSpecs: + properties: + Chief: + properties: + replicas: + maximum: 1 + minimum: 1 + type: integer + PS: + properties: + replicas: + minimum: 1 + type: integer + Worker: + properties: + replicas: + minimum: 1 + type: integer + versions: + - name: v1 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml new file mode 100644 index 0000000000..b4baf2abab --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_application-controller-kubeflow.yaml 
@@ -0,0 +1,35 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: application-controller-kubeflow + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: app.k8s.io + kind: Application + descriptor: + description: application that aggregates all kubeflow applications + keywords: + - kubeflow + links: + - description: About + url: https://kubeflow.org + maintainers: + - email: jlewi@google.com + name: Jeremy Lewi + - email: kam.d.kasravi@intel.com + name: Kam Kasravi + owners: + - email: jlewi@google.com + name: Jeremy Lewi + type: kubeflow + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: kubeflow + app.kubernetes.io/instance: kubeflow-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: kubeflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_centraldashboard.yaml new file mode 100644 index 0000000000..a77aa95832 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_centraldashboard.yaml 
@@ -0,0 +1,57 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: rbac.authorization.k8s.io + kind: Role + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: networking.istio.io + kind: VirtualService + descriptor: + description: Provides a Dashboard UI for kubeflow + keywords: + - centraldashboard + - kubeflow + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/centraldashboard + maintainers: + - email: prodonjs@gmail.com + name: Jason Prodonovich + - email: apverma@google.com + name: Apoorv Verma + - email: adhita94@gmail.com + name: Adhita Selvaraj + owners: + - email: prodonjs@gmail.com + name: Jason Prodonovich + - email: apverma@google.com + name: Apoorv Verma + - email: adhita94@gmail.com + name: Adhita Selvaraj + type: centraldashboard + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/instance: centraldashboard-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: centraldashboard + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cert-manager.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cert-manager.yaml new file mode 100644 index 0000000000..b03bf759df --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cert-manager.yaml 
@@ -0,0 +1,39 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: cert-manager + app.kubernetes.io/name: cert-manager + name: cert-manager + namespace: cert-manager +spec: + componentKinds: + - group: rbac + kind: ClusterRole + - group: rbac + kind: ClusterRoleBinding + - group: core + kind: Namespace + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + descriptor: + description: Automatically provision and manage TLS certificates in Kubernetes + https://jetstack.io. + keywords: + - cert-manager + links: + - description: About + url: https://github.com/jetstack/cert-manager + type: "" + version: v0.10.0 + selector: + matchLabels: + app.kubernetes.io/component: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: cert-manager + app.kubernetes.io/part-of: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cloud-endpoints.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cloud-endpoints.yaml new file mode 100644 index 0000000000..fc8a1cdd3f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_cloud-endpoints.yaml 
@@ -0,0 +1,35 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + name: cloud-endpoints + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: "" + keywords: + - cloud-endpoints + - kubeflow + links: + - description: About + url: "" + maintainers: [] + owners: [] + type: cloud-endpoints + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/instance: cloud-endpoints-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: cloud-endpoints + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_gpu-driver.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_gpu-driver.yaml new file mode 100644 index 0000000000..02b93d3a8a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_gpu-driver.yaml @@ -0,0 +1,35 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: gpu-driver + app.kubernetes.io/name: gpu-driver + name: gpu-driver + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: "" + keywords: + - gpu-driver + - kubeflow + links: + - description: About + url: "" + maintainers: [] + owners: [] + type: gpu-driver + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: gpu-driver + app.kubernetes.io/instance: gpu-driver-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: gpu-driver + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_iap-ingress.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_iap-ingress.yaml new file mode 100644 index 0000000000..a35a7711ff --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_iap-ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + kustomize.component: iap-ingress + name: iap-ingress + namespace: istio-system +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: "" + keywords: + - iap-ingress + - kubeflow + links: + - description: About + url: "" + maintainers: [] + owners: [] + type: iap-ingress + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: iap-ingress + app.kubernetes.io/instance: iap-ingress-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: iap-ingress + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml new file mode 100644 index 0000000000..be3f76b96d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_jupyter-web-app-jupyter-web-app.yaml 
@@ -0,0 +1,55 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app: jupyter-web-app + app.kubernetes.io/component: jupyter-web-app + app.kubernetes.io/name: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-jupyter-web-app + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: rbac.authorization.k8s.io + kind: Role + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: networking.istio.io + kind: VirtualService + descriptor: + description: Provides a UI which allows the user to create/conect/delete jupyter + notebooks. + keywords: + - jupyterhub + - jupyter ui + - notebooks + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/jupyter-web-app + - description: Docs + url: https://www.kubeflow.org/docs/notebooks + maintainers: + - email: kimwnasptd@arrikto.com + name: Kimonas Sotirchos + owners: + - email: kimwnasptd@arrikto.com + name: Kimonas Sotirchos + type: jupyter-web-app + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: jupyter-web-app + app.kubernetes.io/instance: jupyter-web-app-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: jupyter-web-app + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml new file mode 100644 index 0000000000..f462651b3b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_notebook-controller-notebook-controller.yaml 
@@ -0,0 +1,46 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-notebook-controller + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + descriptor: + description: Notebooks controller allows users to create a custom resource \"Notebook\" + (jupyter notebook). + keywords: + - jupyter + - notebook + - notebook-controller + - jupyterhub + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/notebook-controller + maintainers: + - email: lunkai@google.com + name: Lun-kai Hsu + owners: + - email: lunkai@gogle.com + name: Lun-kai Hsu + type: notebook-controller + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/instance: notebook-controller-v1.0.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: notebook-controller + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_profiles-profiles.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_profiles-profiles.yaml new file mode 100644 index 0000000000..fc90772a0b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_profiles-profiles.yaml 
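Review bot: In the notebook-controller Application, the `owners` entry uses `lunkai@gogle.com` while `maintainers` just above lists the same person as `lunkai@google.com`. The owner address looks like a typo and resolves to a different domain, so mail meant for the component owner would be sent outside the organisation; change it to `email: lunkai@google.com`. The `description` also carries literal backslashes (`\"Notebook\"`) in a plain scalar, which YAML keeps verbatim, so `"Notebook"` without the backslashes is probably what was intended. If this file is hydrated kustomize output, both fixes belong in the source manifest it was built from.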
@@ -0,0 +1,44 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + kustomize.component: profiles + name: profiles-profiles + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: kubeflow.org + kind: Profile + descriptor: + description: "" + keywords: + - profiles + - kubeflow + links: + - description: profiles + url: https://github.com/kubeflow/kubeflow/tree/master/components/profile-controller + - description: kfam + url: https://github.com/kubeflow/kubeflow/tree/master/components/access-management + maintainers: + - email: kunming@google.com + name: Kunming Qu + owners: + - email: kunming@google.com + name: Kunming Qu + type: profiles + version: v1 + selector: + matchLabels: + app.kubernetes.io/component: profiles + app.kubernetes.io/instance: profiles-v1.0.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: profiles + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml new file mode 100644 index 0000000000..56a1457579 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-job-crds.yaml 
@@ -0,0 +1,46 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-job-crds + name: pytorch-job-crds + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: PyTorchJob + descriptor: + description: Pytorch-job-crds contains the "PyTorchJob" custom resource definition. + keywords: + - pytorchjob + - pytorch-operator + - pytorch-training + links: + - description: About + url: https://github.com/kubeflow/pytorch-operator + - description: Docs + url: https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/ + maintainers: + - email: johnugeo@cisco.com + name: Johnu George + owners: + - email: johnugeo@cisco.com + name: Johnu George + type: pytorch-job-crds + version: v1 + selector: + matchLabels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/instance: pytorch-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pytorch-job-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-operator.yaml new file mode 100644 index 0000000000..44ea79a4b8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_pytorch-operator.yaml 
@@ -0,0 +1,49 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + name: pytorch-operator + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ConfigMap + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: PyTorchJob + descriptor: + description: Pytorch-operator allows users to create and manage the "PyTorchJob" + custom resource. + keywords: + - pytorchjob + - pytorch-operator + - pytorch-training + links: + - description: About + url: https://github.com/kubeflow/pytorch-operator + - description: Docs + url: https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/ + maintainers: + - email: johnugeo@cisco.com + name: Johnu George + owners: + - email: johnugeo@cisco.com + name: Johnu George + type: pytorch-operator + version: v1 + selector: + matchLabels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/instance: pytorch-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pytorch-operator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-crds.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-crds.yaml new file mode 100644 index 0000000000..fc9715bb53 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-crds.yaml 
@@ -0,0 +1,46 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-crds + name: tf-job-crds + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: TFJob + descriptor: + description: Tf-job-crds contains the "TFJob" custom resource definition. + keywords: + - tfjob + - tf-operator + - tf-training + links: + - description: About + url: https://github.com/kubeflow/tf-operator + - description: Docs + url: https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/ + maintainers: + - email: ricliu@google.com + name: Richard Liu + owners: + - email: ricliu@google.com + name: Richard Liu + type: tf-job-crds + version: v1 + selector: + matchLabels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/instance: tf-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: tf-job-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-operator.yaml new file mode 100644 index 0000000000..6e38dd861e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_tf-job-operator.yaml 
@@ -0,0 +1,47 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + name: tf-job-operator + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: TFJob + descriptor: + description: Tf-operator allows users to create and manage the "TFJob" custom + resource. + keywords: + - tfjob + - tf-operator + - tf-training + links: + - description: About + url: https://github.com/kubeflow/tf-operator + - description: Docs + url: https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/ + maintainers: + - email: ricliu@google.com + name: Richard Liu + owners: + - email: ricliu@google.com + name: Richard Liu + type: tf-job-operator + version: v1 + selector: + matchLabels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/instance: tf-job-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: tf-job-operator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_webhook.yaml b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_webhook.yaml new file mode 100644 index 0000000000..fcf807af27 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/app.k8s.io_v1beta1_application_webhook.yaml 
@@ -0,0 +1,39 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + labels: + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + name: webhook + namespace: kubeflow +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: StatefulSet + - group: core + kind: Service + - group: core + kind: ServiceAccount + descriptor: + description: injects volume, volume mounts, env vars into PodDefault + keywords: + - admission-webhook + - kubeflow + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/admission-webhook + maintainers: [] + owners: [] + type: bootstrap + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: bootstrap + app.kubernetes.io/instance: webhook-v1.0.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: webhook + app.kubernetes.io/part-of: webhook + app.kubernetes.io/version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_daemonset_nvidia-driver-installer.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_daemonset_nvidia-driver-installer.yaml new file mode 100644 index 0000000000..d3ca074496 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_daemonset_nvidia-driver-installer.yaml 
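Review bot: The `selector.matchLabels` of the `webhook` Application (`app.kubernetes.io/component: bootstrap`, `app.kubernetes.io/name: webhook`, `app.kubernetes.io/part-of: webhook`) does not match the labels on the admission-webhook Deployment added later in this patch (`app.kubernetes.io/component: poddefaults`, `app.kubernetes.io/name: poddefaults`). `componentKinds` also lists `kind: StatefulSet` although the workload is added as a `Deployment`. As written, the Application presumably selects none of the webhook's resources, so a component that its own descriptor says injects volumes and env vars would not be tracked or owner-referenced. Align the selector with the component's labels, e.g. `app.kubernetes.io/component: poddefaults` and `app.kubernetes.io/name: poddefaults`, and replace the StatefulSet entry with `kind: Deployment`.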
@@ -0,0 +1,72 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/component: gpu-driver + app.kubernetes.io/name: gpu-driver + k8s-app: nvidia-driver-installer + kustomize.component: gpu-driver + name: nvidia-driver-installer + namespace: kubeflow +spec: + selector: + matchLabels: + app.kubernetes.io/component: gpu-driver + app.kubernetes.io/name: gpu-driver + kustomize.component: gpu-driver + template: + metadata: + labels: + app.kubernetes.io/component: gpu-driver + app.kubernetes.io/name: gpu-driver + k8s-app: nvidia-driver-installer + kustomize.component: gpu-driver + name: nvidia-driver-installer + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-accelerator + operator: Exists + containers: + - image: gcr.io/google-containers/pause:2.0 + name: pause + hostNetwork: true + hostPID: true + initContainers: + - env: + - name: NVIDIA_INSTALL_DIR_HOST + value: /home/kubernetes/bin/nvidia + - name: NVIDIA_INSTALL_DIR_CONTAINER + value: /usr/local/nvidia + - name: ROOT_MOUNT_DIR + value: /root + image: cos-nvidia-installer:fixed + imagePullPolicy: Never + name: nvidia-driver-installer + resources: + requests: + cpu: 0.15 + securityContext: + privileged: true + volumeMounts: + - mountPath: /usr/local/nvidia + name: nvidia-install-dir-host + - mountPath: /dev + name: dev + - mountPath: /root + name: root-mount + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /dev + name: dev + - hostPath: + path: /home/kubernetes/bin/nvidia + name: nvidia-install-dir-host + - hostPath: + path: / + name: root-mount diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_admission-webhook-deployment.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_admission-webhook-deployment.yaml new file mode 100644 index 0000000000..8b8111f51b --- /dev/null 
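Review bot: The nvidia-driver-installer DaemonSet combines `privileged: true`, `hostPID: true`, `hostNetwork: true`, a `hostPath` of `/` mounted at `/root` and a blanket `tolerations: - operator: Exists`, yet it is placed in `namespace: kubeflow` next to the user-facing components. A driver installer needs that host access, but anyone whose RBAC allows modifying workloads in `kubeflow` then controls a root-on-node pod. I would move it to a dedicated, tightly restricted namespace and add a header comment such as `# Privileged by design: installs the NVIDIA driver on GKE accelerator nodes; restrict who may modify this DaemonSet.`. `image: cos-nvidia-installer:fixed` with `imagePullPolicy: Never` runs whatever image of that name is already in the node's local store, so the node image is the trust anchor, and that deserves a comment as well. The long-lived `pause` container keeps the host network and PID namespaces for the life of the pod and sets no `securityContext` of its own.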
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_admission-webhook-deployment.yaml @@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-deployment + namespace: kubeflow +spec: + selector: + matchLabels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + spec: + containers: + - args: + - --tlsCertFile=/etc/webhook/certs/tls.crt + - --tlsKeyFile=/etc/webhook/certs/tls.key + image: gcr.io/kubeflow-images-public/admission-webhook:vmaster-gaf96e4e3 + name: admission-webhook + volumeMounts: + - mountPath: /etc/webhook/certs + name: webhook-cert + readOnly: true + serviceAccountName: admission-webhook-service-account + volumes: + - name: webhook-cert + secret: + secretName: webhook-certs diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_centraldashboard.yaml new file mode 100644 index 0000000000..74ad9f2527 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_centraldashboard.yaml 
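Review bot: The `admission-webhook` container in apps_v1_deployment_admission-webhook-deployment.yaml sets no `securityContext`, so it runs with the image's default user, a writable root filesystem and the default capability set while holding the TLS key mounted from `webhook-certs`. The centraldashboard and cloud-endpoints-controller Deployments in this patch have the same gap. I would add a restrictive container-level context as sketched below, after confirming the image runs as a non-root user. If the file is hydrated kustomize output, the change belongs in the source overlay.

```yaml
      # ... unchanged: args, image, name ...
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
      # ... unchanged: volumeMounts, serviceAccountName, volumes ...
```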
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ name: centraldashboard
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ spec:
+ containers:
+ - env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ key: userid-header
+ name: kubeflow-config-988m2m9m87
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ key: userid-prefix
+ name: kubeflow-config-988m2m9m87
+ image: gcr.io/kubeflow-images-public/centraldashboard
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8082
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ name: centraldashboard
+ ports:
+ - containerPort: 8082
+ protocol: TCP
+ serviceAccountName: centraldashboard
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_cloud-endpoints-controller.yaml
new file mode 100644
index 0000000000..8fa50c740b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_cloud-endpoints-controller.yaml
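Review bot: The line `image: gcr.io/kubeflow-images-public/centraldashboard` has no tag or digest, so it resolves to `latest`, and with `imagePullPolicy: IfNotPresent` each node keeps whichever build it pulled first. The running code is then not reproducible from this repository, and a changed upstream image can reach the cluster without a commit here. The `iap-enabler` Deployment and the `backend-updater` StatefulSet later in this patch have the same problem with `ingress-setup:latest`, and both run with `serviceAccountName: kf-admin`. I would pin each of them, e.g. `image: gcr.io/kubeflow-images-public/centraldashboard@sha256:<digest>`, using the digest of the build that was actually tested.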
@@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + spec: + containers: + - image: gcr.io/cloud-solutions-group/cloud-endpoints-controller:0.2.1 + imagePullPolicy: Always + name: cloud-endpoints-controller + readinessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 80 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + serviceAccountName: kf-admin + terminationGracePeriodSeconds: 5 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_iap-enabler.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_iap-enabler.yaml new file mode 100644 index 0000000000..364925986b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_iap-enabler.yaml 
@@ -0,0 +1,44 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + kustomize.component: iap-ingress + name: iap-enabler + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + kustomize.component: iap-ingress + template: + metadata: + labels: + kustomize.component: iap-ingress + service: iap-enabler + spec: + containers: + - command: + - bash + - /var/envoy-config/setup_backend.sh + env: + - name: NAMESPACE + value: istio-system + - name: SERVICE + value: istio-ingressgateway + - name: INGRESS_NAME + value: envoy-ingress + - name: ENVOY_ADMIN + value: http://localhost:8001 + - name: USE_ISTIO + value: "true" + image: gcr.io/kubeflow-images-public/ingress-setup:latest + name: iap + volumeMounts: + - mountPath: /var/envoy-config/ + name: config-volume + restartPolicy: Always + serviceAccountName: kf-admin + volumes: + - configMap: + name: envoy-config + name: config-volume diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_jupyter-web-app-deployment.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_jupyter-web-app-deployment.yaml new file mode 100644 index 0000000000..2665cd2adb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_jupyter-web-app-deployment.yaml 
@@ -0,0 +1,46 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-deployment + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + spec: + containers: + - env: + - name: USERID_HEADER + valueFrom: + configMapKeyRef: + key: userid-header + name: kubeflow-config-988m2m9m87 + - name: USERID_PREFIX + valueFrom: + configMapKeyRef: + key: userid-prefix + name: kubeflow-config-988m2m9m87 + image: gcr.io/kubeflow-images-public/jupyter-web-app:vmaster-gd9be4b9e + name: jupyter-web-app + ports: + - containerPort: 5000 + volumeMounts: + - mountPath: /etc/config + name: config-volume + serviceAccountName: jupyter-web-app-service-account + volumes: + - configMap: + name: jupyter-web-app-jupyter-web-app-config-dhcbh64467 + name: config-volume diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_notebook-controller-deployment.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_notebook-controller-deployment.yaml new file mode 100644 index 0000000000..44d27f8695 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_notebook-controller-deployment.yaml 
@@ -0,0 +1,51 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-deployment + namespace: kubeflow +spec: + selector: + matchLabels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + spec: + containers: + - command: + - /manager + env: + - name: USE_ISTIO + valueFrom: + configMapKeyRef: + key: USE_ISTIO + name: notebook-controller-notebook-controller-config-h4d668t5tb + - name: ISTIO_GATEWAY + valueFrom: + configMapKeyRef: + key: ISTIO_GATEWAY + name: notebook-controller-notebook-controller-config-h4d668t5tb + image: gcr.io/kubeflow-images-public/notebook-controller:vmaster-gf39279c0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /metrics + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + name: manager + serviceAccountName: notebook-controller-service-account diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_profiles-deployment.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_profiles-deployment.yaml new file mode 100644 index 0000000000..91c32148b1 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_profiles-deployment.yaml 
@@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + kustomize.component: profiles + name: profiles-deployment + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + kustomize.component: profiles + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + kustomize.component: profiles + spec: + containers: + - args: null + command: + - /manager + - -userid-header + - $(USERID_HEADER) + - -userid-prefix + - $(USERID_PREFIX) + - -workload-identity + - $(WORKLOAD_IDENTITY) + env: + - name: USERID_HEADER + valueFrom: + configMapKeyRef: + key: userid-header + name: kubeflow-config-988m2m9m87 + - name: USERID_PREFIX + valueFrom: + configMapKeyRef: + key: userid-prefix + name: kubeflow-config-988m2m9m87 + - name: WORKLOAD_IDENTITY + valueFrom: + configMapKeyRef: + key: gcp-sa + name: profiles-profiles-config-b8664685bd + image: gcr.io/kubeflow-images-public/profile-controller:vmaster-g34aa47c2 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /metrics + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + name: manager + ports: + - containerPort: 8080 + name: manager-http + protocol: TCP + - args: null + command: + - /access-management + - -cluster-admin + - $(CLUSTER_ADMIN) + - -userid-prefix + - $(USERID_PREFIX) + env: + - name: USERID_HEADER + valueFrom: + configMapKeyRef: + key: userid-header + name: kubeflow-config-988m2m9m87 + - name: USERID_PREFIX + valueFrom: + configMapKeyRef: + key: userid-prefix + name: kubeflow-config-988m2m9m87 + - name: CLUSTER_ADMIN + valueFrom: + configMapKeyRef: + key: admin + name: profiles-profiles-config-b8664685bd + image: gcr.io/kubeflow-images-public/kfam:vmaster-gf3e09203 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /metrics + port: 8081 + initialDelaySeconds: 30 + periodSeconds: 30 + name: kfam + ports: + - containerPort: 8081 + name: kfam-http + protocol: TCP + serviceAccountName: profiles-controller-service-account 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_pytorch-operator.yaml new file mode 100644 index 0000000000..8897df4a5e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_pytorch-operator.yaml @@ -0,0 +1,45 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + spec: + containers: + - command: + - /pytorch-operator.v1 + - --alsologtostderr + - -v=1 + - --monitoring-port=8443 + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: gcr.io/kubeflow-images-public/pytorch-operator:vmaster-g047cf0f + name: pytorch-operator + serviceAccountName: pytorch-operator diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_tf-job-operator.yaml new file mode 100644 index 0000000000..4c6c1acaf6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_tf-job-operator.yaml 
@@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + namespace: kubeflow +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + spec: + containers: + - args: + - --alsologtostderr + - -v=1 + - --monitoring-port=8443 + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: gcr.io/kubeflow-images-public/tf_operator:vmaster-gd455e6ef + name: tf-job-operator + serviceAccountName: tf-job-operator diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_whoami-app.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_whoami-app.yaml new file mode 100644 index 0000000000..883255b6ba --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_deployment_whoami-app.yaml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + kustomize.component: iap-ingress + name: whoami-app + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + kustomize.component: iap-ingress + template: + metadata: + labels: + app: whoami + kustomize.component: iap-ingress + spec: + containers: + - env: + - name: PORT + value: "8081" + image: gcr.io/cloud-solutions-group/esp-sample-app:1.0.0 + name: app + ports: + - containerPort: 8081 + readinessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_application-controller-stateful-set.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_application-controller-stateful-set.yaml new file mode 100644 index 0000000000..5ee7182fe6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_application-controller-stateful-set.yaml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: application-controller-stateful-set + namespace: kubeflow +spec: + selector: + matchLabels: + app: application-controller + serviceName: application-controller-service + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: application-controller + spec: + containers: + - command: + - /root/manager + env: + - name: project + value: $(project) + image: gcr.io/kubeflow-images-public/kubernetes-sigs/application:1.0-beta + imagePullPolicy: Always + name: manager + serviceAccountName: application-controller-service-account + volumeClaimTemplates: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_backend-updater.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_backend-updater.yaml new file mode 100644 index 0000000000..e32e111e7c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_backend-updater.yaml 
@@ -0,0 +1,44 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + kustomize.component: iap-ingress + service: backend-updater + name: backend-updater + namespace: istio-system +spec: + selector: + matchLabels: + kustomize.component: iap-ingress + service: backend-updater + serviceName: backend-updater + template: + metadata: + labels: + kustomize.component: iap-ingress + service: backend-updater + spec: + containers: + - command: + - bash + - /var/envoy-config/update_backend.sh + env: + - name: NAMESPACE + value: istio-system + - name: SERVICE + value: istio-ingressgateway + - name: INGRESS_NAME + value: envoy-ingress + - name: USE_ISTIO + value: "true" + image: gcr.io/kubeflow-images-public/ingress-setup:latest + name: backend-updater + volumeMounts: + - mountPath: /var/envoy-config/ + name: config-volume + serviceAccountName: kf-admin + volumes: + - configMap: + name: envoy-config + name: config-volume + volumeClaimTemplates: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_metacontroller.yaml b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_metacontroller.yaml new file mode 100644 index 0000000000..5996633bf0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/apps_v1_statefulset_metacontroller.yaml 
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: metacontroller
+ kustomize.component: metacontroller
+ name: metacontroller
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: metacontroller
+ kustomize.component: metacontroller
+ serviceName: ""
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: metacontroller
+ kustomize.component: metacontroller
+ spec:
+ containers:
+ - command:
+ - /usr/bin/metacontroller
+ - --logtostderr
+ - -v=4
+ - --discovery-interval=20s
+ image: metacontroller/metacontroller:v0.3.0
+ imagePullPolicy: Always
+ name: metacontroller
+ ports:
+ - containerPort: 2345
+ resources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: 500m
+ memory: 1Gi
+ securityContext:
+ allowPrivilegeEscalation: true
+ privileged: true
+ serviceAccountName: meta-controller-service
+ volumeClaimTemplates: []
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml b/kubeflow_clusters/code-intelligence/acm-repo/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml
new file mode 100644
index 0000000000..97c00be2ac
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/authentication.istio.io_v1alpha1_policy_ingress-jwt.yaml
@@ -0,0 +1,25 @@
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: ingress-jwt
+ namespace: istio-system
+spec:
+ origins:
+ - jwt:
+ audiences:
+ - /projects/976279526634/global/backendServices/8988274149225518131
+ issuer: https://cloud.google.com/iap
+ jwksUri: https://www.gstatic.com/iap/verify/public_key-jwk
+ jwtHeaders:
+ - x-goog-iap-jwt-assertion
+ trigger_rules:
+ - excluded_paths:
+ - exact: /healthz/ready
+ - prefix: /.well-known/acme-challenge
+ principalBinding: USE_ORIGIN
+ targets:
+ - name: istio-ingressgateway
+ ports:
+ - number: 80
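Review bot: The `metacontroller` container sets `privileged: true` and `allowPrivilegeEscalation: true`, yet the StatefulSet mounts no host paths or devices and the command only starts `/usr/bin/metacontroller` with logging and discovery flags. If the controller only talks to the Kubernetes API, which is what this manifest suggests, the privileged flag gives a compromise of the process or of the `metacontroller/metacontroller:v0.3.0` image root-equivalent access to the node for no functional gain. I would change the two lines to `allowPrivilegeEscalation: false` and `privileged: false` and confirm the pod still starts.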
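Review bot: The `excluded_paths` entry `prefix: /.well-known/acme-challenge` exempts every path that begins with that string from the IAP JWT check on `istio-ingressgateway`. The `centraldashboard` VirtualService in this patch routes `prefix: /` on host `*`, so as far as this patch shows such requests would be forwarded without a validated `x-goog-iap-jwt-assertion`. The certificate for this host comes from a `ManagedCertificate`, so unless an HTTP-01 solver is served through this gateway the exemption looks unnecessary; I would remove it, or at least narrow it to `prefix: /.well-known/acme-challenge/` with the trailing slash. The `audiences` value is a hard-coded backend service id, so a comment that it must be updated when the backend service is recreated would also help.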
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml b/kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml new file mode 100644 index 0000000000..c9e1f4f031 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_certificate_admission-webhook-cert.yaml @@ -0,0 +1,18 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + labels: + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + name: admission-webhook-cert + namespace: kubeflow +spec: + commonName: admission-webhook-service.kubeflow.svc + dnsNames: + - admission-webhook-service.kubeflow.svc + - admission-webhook-service.kubeflow.svc.cluster.local + isCA: true + issuerRef: + kind: ClusterIssuer + name: kubeflow-self-signing-issuer + secretName: webhook-certs diff --git a/kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml b/kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml new file mode 100644 index 0000000000..eaf9703000 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/cert-manager.io_v1alpha2_clusterissuer_kubeflow-self-signing-issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: ClusterIssuer +metadata: + name: kubeflow-self-signing-issuer +spec: + selfSigned: {} diff --git a/kubeflow_clusters/code-intelligence/acm-repo/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml b/kubeflow_clusters/code-intelligence/acm-repo/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml new file mode 100644 index 0000000000..831df7cde3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/cloud.google.com_v1beta1_backendconfig_iap-backendconfig.yaml 
@@ -0,0 +1,13 @@
+apiVersion: cloud.google.com/v1beta1
+kind: BackendConfig
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: iap-backendconfig
+ namespace: istio-system
+spec:
+ iap:
+ enabled: true
+ oauthclientCredentials:
+ secretName: kubeflow-oauth
+ timeoutSec: 3600
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml b/kubeflow_clusters/code-intelligence/acm-repo/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml
new file mode 100644
index 0000000000..4ea397a526
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/ctl.isla.solutions_v1_cloudendpoint_code-intelligence.yaml
@@ -0,0 +1,12 @@
+apiVersion: ctl.isla.solutions/v1
+kind: CloudEndpoint
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: code-intelligence
+ namespace: istio-system
+spec:
+ project: issue-label-bot-dev
+ targetIngress:
+ name: envoy-ingress
+ namespace: istio-system
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/extensions_v1beta1_ingress_envoy-ingress.yaml b/kubeflow_clusters/code-intelligence/acm-repo/extensions_v1beta1_ingress_envoy-ingress.yaml
new file mode 100644
index 0000000000..869fe56f77
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/extensions_v1beta1_ingress_envoy-ingress.yaml
@@ -0,0 +1,20 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "true"
+ kubernetes.io/ingress.global-static-ip-name: code-intelligence-ip
+ networking.gke.io/managed-certificates: gke-certificate
+ labels:
+ kustomize.component: iap-ingress
+ name: envoy-ingress
+ namespace: istio-system
+spec:
+ rules:
+ - host: code-intelligence.endpoints.issue-label-bot-dev.cloud.goog
+ http:
+ paths:
+ - backend:
+ serviceName: istio-ingressgateway
+ servicePort: 80
+ path: /*
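Review bot: The annotation `ingress.kubernetes.io/ssl-redirect: "true"` on `envoy-ingress` is, as far as I know, not acted on by the GKE ingress controller that the other two annotations target, so plain HTTP to `code-intelligence.endpoints.issue-label-bot-dev.cloud.goog` probably stays reachable. IAP session cookies and the forwarded identity travel on this host, so I would close port 80 at the load balancer by adding `kubernetes.io/ingress.allow-http: "false"` under `annotations`. Check that the `gke-certificate` ManagedCertificate has provisioned before relying on HTTPS only.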
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/kaniko/namespace.yaml b/kubeflow_clusters/code-intelligence/acm-repo/kaniko/namespace.yaml
new file mode 100644
index 0000000000..a1cf4dca67
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/kaniko/namespace.yaml
@@ -0,0 +1,10 @@
+# Create a namespace for the development chatbot.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kaniko
+ labels:
+ # Disable istio sidecar injection because that interferes with
+ # kaniko
+ istio-injection: disabled
+
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml b/kubeflow_clusters/code-intelligence/acm-repo/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml
new file mode 100644
index 0000000000..230ec207d7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/kubeflow.org_v1beta1_profile_kubeflow-jlewi.yaml
@@ -0,0 +1,8 @@
+apiVersion: kubeflow.org/v1beta1
+kind: Profile
+metadata:
+ name: kubeflow-jlewi
+spec:
+ owner:
+ kind: User
+ name: jlewi@google.com
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/acm-repo/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml
new file mode 100644
index 0000000000..34ddb1a44c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/metacontroller.k8s.io_v1alpha1_compositecontroller_cloud-endpoints-controller.yaml
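Review bot: The header comment `# Create a namespace for the development chatbot.` in `kaniko/namespace.yaml` does not match the object, which creates the `kaniko` namespace; it looks copied from another file. I would change it to `# Namespace for kaniko builds.` so that a reader checking why `istio-injection: disabled` is set on this namespace finds the right context.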
@@ -0,0 +1,25 @@
+apiVersion: metacontroller.k8s.io/v1alpha1
+kind: CompositeController
+metadata:
+ labels:
+ app: cloud-endpoints-controller
+ app.kubernetes.io/component: cloud-endpoints
+ app.kubernetes.io/name: cloud-endpoints
+ kustomize.component: cloud-endpoints
+ name: cloud-endpoints-controller
+spec:
+ childResources: []
+ clientConfig:
+ service:
+ caBundle: '...'
+ name: cloud-endpoints-controller
+ namespace: kubeflow
+ generateSelector: true
+ hooks:
+ sync:
+ webhook:
+ url: http://cloud-endpoints-controller.kubeflow/sync
+ parentResource:
+ apiVersion: ctl.isla.solutions/v1
+ resource: cloudendpoints
+ resyncPeriodSeconds: 2
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml b/kubeflow_clusters/code-intelligence/acm-repo/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml
new file mode 100644
index 0000000000..eb07cd0acc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/networking.gke.io_v1beta1_managedcertificate_gke-certificate.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.gke.io/v1beta1
+kind: ManagedCertificate
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: gke-certificate
+ namespace: istio-system
+spec:
+ domains:
+ - code-intelligence.endpoints.issue-label-bot-dev.cloud.goog
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml
new file mode 100644
index 0000000000..84aa754d99
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_centraldashboard.yaml
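Review bot: The `hooks.sync.webhook.url` value is `http://cloud-endpoints-controller.kubeflow/sync`, so the sync hook is called over plaintext. Both the `metacontroller` StatefulSet and the `cloud-endpoints-controller` Deployment in this patch set `sidecar.istio.io/inject: "false"`, so the mesh does not add mTLS either. The `caBundle: '...'` under `clientConfig` is a literal placeholder and cannot verify anything. Because the hook target runs with `serviceAccountName: kf-admin`, I would restrict who can reach it, for example with a NetworkPolicy that admits only the metacontroller pod, or serve it over TLS with a real CA bundle, and drop the placeholder `clientConfig` block if nothing reads it.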
@@ -0,0 +1,24 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + labels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow +spec: + gateways: + - istio-system/ingressgateway + hosts: + - '*' + http: + - match: + - uri: + prefix: / + rewrite: + uri: / + route: + - destination: + host: centraldashboard.kubeflow.svc.cluster.local + port: + number: 80 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml b/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml new file mode 100644 index 0000000000..1aaf497f8a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_jupyter-web-app-jupyter-web-app.yaml @@ -0,0 +1,28 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-jupyter-web-app + namespace: kubeflow +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - headers: + request: + add: + x-forwarded-prefix: /jupyter + match: + - uri: + prefix: /jupyter/ + rewrite: + uri: / + route: + - destination: + host: jupyter-web-app-service.kubeflow.svc.cluster.local + port: + number: 80 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml b/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml new file mode 100644 index 0000000000..1bfe3a5c76 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/networking.istio.io_v1alpha3_virtualservice_profiles-kfam.yaml 
@@ -0,0 +1,27 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + labels: + kustomize.component: profiles + name: profiles-kfam + namespace: kubeflow +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - headers: + request: + add: + x-forwarded-prefix: /kfam + match: + - uri: + prefix: /kfam/ + rewrite: + uri: /kfam/ + route: + - destination: + host: profiles-kfam.kubeflow.svc.cluster.local + port: + number: 8081 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml new file mode 100644 index 0000000000..3ed69a58a6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-cluster-role.yaml @@ -0,0 +1,22 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-cluster-role +rules: +- apiGroups: + - kubeflow.org + resources: + - poddefaults + verbs: + - get + - watch + - list + - update + - create + - patch + - delete diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml new file mode 100644 index 0000000000..ae97df8cf3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-admin.yaml 
@@ -0,0 +1,15 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: admission-webhook-kubeflow-poddefaults-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml new file mode 100644 index 0000000000..09813d57ad --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-edit.yaml @@ -0,0 +1,15 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: admission-webhook-kubeflow-poddefaults-edit +rules: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml new file mode 100644 index 0000000000..1a80b46609 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_admission-webhook-kubeflow-poddefaults-view.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: admission-webhook
+ app.kubernetes.io/component: poddefaults
+ app.kubernetes.io/name: poddefaults
+ kustomize.component: admission-webhook
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+ name: admission-webhook-kubeflow-poddefaults-view
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - poddefaults
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml
new file mode 100644
index 0000000000..1186eacf3c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_application-controller-cluster-role.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: application-controller-cluster-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - update
+ - patch
+ - watch
+- apiGroups:
+ - app.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml
new file mode 100644
index 0000000000..7491bff88e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_centraldashboard.yaml
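Review bot: The first rule of `application-controller-cluster-role` grants `get`, `list`, `update`, `patch` and `watch` on `apiGroups: '*'` with `resources: '*'`, which covers reading every Secret in the cluster and modifying any workload in any namespace. The controller image is pulled with `imagePullPolicy: Always` from a `1.0-beta` tag, so whoever can replace that tag inherits these rights. As a first step I would drop `- update` and `- patch` from the wildcard rule and grant them only on the kinds the controller actually writes to; which kinds those are is not visible in this patch. If the controller does not need Secret contents, the read verbs should be narrowed to the listed kinds as well.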
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ name: centraldashboard
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ - namespaces
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml
new file mode 100644
index 0000000000..e15e8b6e22
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-cluster-role.yaml
@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+ name: jupyter-web-app-cluster-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - notebooks
+ - notebooks/finalizers
+ - poddefaults
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - list
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml
new file mode 100644
index 0000000000..0ae2ffa5c6
--- /dev/null
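Review bot: `jupyter-web-app-cluster-role` grants `create` and `delete` on `namespaces` and on `persistentvolumeclaims` across the whole cluster, so a fault in the web app's pod can remove any namespace, not only user notebook namespaces. If the UI only enumerates namespaces, the first rule can be reduced to `get` and `list`; whether the app ever creates or deletes a namespace is not visible in this hunk. The `subjectaccessreviews` rule suggests the app checks the end user's rights itself, which makes the app's own identity the real upper bound on what a request can do, so that identity is worth keeping narrow.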
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-admin.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: jupyter-web-app-kubeflow-notebook-ui-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml new file mode 100644 index 0000000000..9cff1100a0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-edit.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: jupyter-web-app-kubeflow-notebook-ui-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list + - create + - delete diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml new file mode 100644 index 0000000000..265ceff545 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_jupyter-web-app-kubeflow-notebook-ui-view.yaml 
@@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: jupyter-web-app-kubeflow-notebook-ui-view +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml new file mode 100644 index 0000000000..0520bc0bc9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-admin.yaml @@ -0,0 +1,9 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml new file mode 100644 index 0000000000..7f472eddde --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-edit.yaml @@ -0,0 +1,11 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-edit +rules: [] 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml new file mode 100644 index 0000000000..d879f2f6c8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-admin.yaml @@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-kubernetes-admin +rules: +- apiGroups: + - authorization.k8s.io + resources: + - localsubjectaccessreviews + verbs: + - create +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml new file mode 100644 index 0000000000..8343f92fda --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-edit.yaml 
@@ -0,0 +1,135 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-kubernetes-edit +rules: +- apiGroups: + - "" + resources: + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + - secrets + - services/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate +- apiGroups: + - "" + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - extensions + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - 
create + - delete + - deletecollection + - patch + - update diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml new file mode 100644 index 0000000000..d8a396b9de --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-kubernetes-view.yaml 
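Review bot: The first two rules of `kubeflow-kubernetes-edit` give `get`/`list`/`watch` on `secrets` and `impersonate` on `serviceaccounts`, and the `aggregate-to-kubeflow-edit` label folds them into `kubeflow-edit` and, through that role's own label, into `kubeflow-admin`. Because these are ClusterRoles, their reach depends entirely on how they are bound: a ClusterRoleBinding, or a RoleBinding in the `kubeflow` namespace where this patch binds two service accounts to `cluster-admin`, would hand cluster-admin to every holder. The manifest should state the constraint, for example `# Bind with a RoleBinding in a user namespace only; never in kubeflow or cluster-wide`, and whatever creates the bindings should be checked against it. This hunk begins on the previous line of the page.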
@@ -0,0 +1,125 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-kubernetes-view +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - services/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - get + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - ingresses + - ingresses/status + - networkpolicies + - replicasets + - replicasets/scale + - replicasets/status + - replicationcontrollers/scale + verbs: + - get + - list + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + - networkpolicies + verbs: + - get + - list + 
- watch diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml new file mode 100644 index 0000000000..161f232e59 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-admin.yaml @@ -0,0 +1,14 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-pytorchjobs-admin +rules: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml new file mode 100644 index 0000000000..dc3ff5e791 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-edit.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" + name: kubeflow-pytorchjobs-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml new file mode 100644 index 0000000000..39daa100ad --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-pytorchjobs-view.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-pytorchjobs-view +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml new file mode 100644 index 0000000000..03147422e8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-admin.yaml @@ -0,0 +1,14 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-tfjobs-admin +rules: [] 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml new file mode 100644 index 0000000000..942e4a625a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-edit.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" + name: kubeflow-tfjobs-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml new file mode 100644 index 0000000000..3ebf508e03 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-tfjobs-view.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-tfjobs-view +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + verbs: + - get + - list + - watch 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml new file mode 100644 index 0000000000..5420a10679 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_kubeflow-view.yaml @@ -0,0 +1,11 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-view +rules: [] diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml new file mode 100644 index 0000000000..41459ef302 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-admin.yaml @@ -0,0 +1,15 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: notebook-controller-kubeflow-notebooks-admin +rules: [] 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml new file mode 100644 index 0000000000..3ae0c1cd8e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-edit.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" + name: notebook-controller-kubeflow-notebooks-edit +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml new file mode 100644 index 0000000000..9e28e08290 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-kubeflow-notebooks-view.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: notebook-controller-kubeflow-notebooks-view +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml new file mode 100644 index 0000000000..02d880f8e2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrole_notebook-controller-role.yaml @@ -0,0 +1,54 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-role +rules: +- apiGroups: + - apps + resources: + - statefulsets + - deployments + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - '*' +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - create +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + - notebooks/finalizers + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - '*' 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml new file mode 100644 index 0000000000..48bed8ccb7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_admission-webhook-cluster-role-binding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admission-webhook-cluster-role +subjects: +- kind: ServiceAccount + name: admission-webhook-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml new file mode 100644 index 0000000000..625b542472 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_application-controller-cluster-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: application-controller-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: application-controller-cluster-role +subjects: +- kind: ServiceAccount + name: application-controller-service-account + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml new file mode 100644 index 0000000000..d06cac3fd8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_centraldashboard.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: centraldashboard +subjects: +- kind: ServiceAccount + name: centraldashboard + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml new file mode 100644 index 0000000000..925b70ec6f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_jupyter-web-app-cluster-role-binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: jupyter-web-app-cluster-role +subjects: +- kind: ServiceAccount + name: jupyter-web-app-service-account + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml
new file mode 100644
index 0000000000..1971a941c6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_meta-controller-cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ kustomize.component: metacontroller
+ name: meta-controller-cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: meta-controller-service
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml
new file mode 100644
index 0000000000..30d3f08b7e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_notebook-controller-role-binding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: notebook-controller
+ app.kubernetes.io/component: notebook-controller
+ app.kubernetes.io/name: notebook-controller
+ kustomize.component: notebook-controller
+ name: notebook-controller-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: notebook-controller-role
+subjects:
+- kind: ServiceAccount
+ name: notebook-controller-service-account
+ namespace: kubeflow
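Review bot: `meta-controller-cluster-role-binding` sets `roleRef.name: cluster-admin` for the `meta-controller-service` service account, and `profiles-cluster-role-binding` in a later file does the same for `profiles-controller-service-account`. With these bindings, any identity able to read Secrets, create pods or exec into pods in the `kubeflow` namespace is effectively cluster-admin, which widens the impact of every other grant on that namespace in this patch. A dedicated ClusterRole per controller that lists the kinds it manages would bound this. If cluster-admin is kept on purpose, record it next to the binding, for example `# cluster-admin by design: treat access to the kubeflow namespace as cluster-admin`.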
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml
new file mode 100644
index 0000000000..663e87dbcd
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_clusterrolebinding_profiles-cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ kustomize.component: profiles
+ name: profiles-cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: profiles-controller-service-account
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml
new file mode 100644
index 0000000000..2bfa19ba0e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_role_centraldashboard.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ name: centraldashboard
+ namespace: kubeflow
+rules:
+- apiGroups:
+ - ""
+ - app.k8s.io
+ resources:
+ - applications
+ - pods
+ - pods/exec
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml
new file mode 100644
index 0000000000..c1c4c30793
--- /dev/null
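Review bot: The `centraldashboard` Role lists `pods/exec` under `get`/`list`/`watch` and adds `get` on `secrets`, both scoped to the `kubeflow` namespace. Depending on the API server version, `get` on `pods/exec` can be enough to open an exec session over WebSocket, and this namespace holds the service accounts that the patch binds to `cluster-admin`, so a dashboard that only displays pods and logs should carry neither grant. Dropping `- pods/exec` and limiting the secrets rule with `resourceNames:` to the secret the dashboard actually reads (its name is not shown here) would keep the UI working with far less reach. The first rule also mixes `""` and `app.k8s.io` in one `apiGroups` list; splitting it into two rules makes clear that `applications` belongs to `app.k8s.io` and the pod resources to the core group.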
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1_rolebinding_centraldashboard.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app: centraldashboard
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+ name: centraldashboard
+ namespace: kubeflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: centraldashboard
+subjects:
+- kind: ServiceAccount
+ name: centraldashboard
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml
new file mode 100644
index 0000000000..b9160d2c7c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_cloud-endpoints-controller.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: cloud-endpoints-controller
+ app.kubernetes.io/component: cloud-endpoints
+ app.kubernetes.io/name: cloud-endpoints
+ kustomize.component: cloud-endpoints
+ name: cloud-endpoints-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml
new file mode 100644
index 0000000000..8577c94071
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_kf-admin-iap.yaml
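Review bot: `cloud-endpoints-controller` is declared with `apiVersion: rbac.authorization.k8s.io/v1beta1`, while the other RBAC manifests in this patch use `rbac.authorization.k8s.io/v1`. The beta version is deprecated and newer Kubernetes releases no longer serve it, so these objects are likely to stop applying after a cluster upgrade. Change the line to `apiVersion: rbac.authorization.k8s.io/v1`; the same applies to `kf-admin-iap`, `pytorch-operator`, `tf-job-operator` and the `cloud-endpoints-controller` ClusterRoleBinding in the files that follow.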
@@ -0,0 +1,41 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ kustomize.component: iap-ingress
+ name: kf-admin-iap
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - update
+ - patch
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - policies
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - gateways
+ - virtualservices
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml
new file mode 100644
index 0000000000..7cf4368025
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_pytorch-operator.yaml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: pytorch-operator
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-operator
+ kustomize.component: pytorch-operator
+ name: pytorch-operator
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - pytorchjobs
+ - pytorchjobs/status
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - events
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml
new file mode 100644
index 0000000000..ac48bdc241
--- /dev/null
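Review bot: The first rule of `kf-admin-iap` grants `get`, `list`, `patch` and `update` on `secrets` in a ClusterRole, and the matching binding later in this patch is a ClusterRoleBinding, so the `kf-admin` service account in `istio-system` can read and rewrite every Secret in every namespace. The IAP scripts visible in this patch only touch objects in the ingress namespace, so, if nothing else depends on the wider scope, a namespaced Role and RoleBinding in `istio-system`, or a `resourceNames:` list naming the OAuth and TLS secrets, would cover the same need. The `'*'` verbs on `policies`, `gateways` and `virtualservices` have the same cluster-wide reach and deserve the same look.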
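Review bot: The second rule of `pytorch-operator` gives `'*'` on `customresourcedefinitions`, which lets the operator's service account modify or delete any CRD in the cluster, not only its own; the `tf-job-operator` ClusterRole in the next file carries the same rule. If the operators only need to confirm that their CRD exists, `verbs: [get, list, watch]` would be enough; that is an assumption about operator code the patch does not show. The third rule's `'*'` on `pods`, `services`, `endpoints` and `events` is also cluster-wide, and a one-line comment on why job pods must be managed in every namespace would help the next reviewer.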
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrole_tf-job-operator.yaml @@ -0,0 +1,40 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + - tfjobs/finalizers + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - events + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - deployments + verbs: + - '*' diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml new file mode 100644 index 0000000000..04dc8c0284 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_cloud-endpoints-controller.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cloud-endpoints-controller +subjects: +- kind: ServiceAccount + name: kf-admin + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml new file mode 100644 index 0000000000..f59f8f4df3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_kf-admin-iap.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + kustomize.component: iap-ingress + name: kf-admin-iap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kf-admin-iap +subjects: +- kind: ServiceAccount + name: kf-admin + namespace: istio-system diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml new file mode 100644 index 0000000000..cefdad39ee --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_pytorch-operator.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: pytorch-operator + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pytorch-operator +subjects: +- kind: ServiceAccount + name: pytorch-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml new file mode 100644 index 0000000000..b69f8e4e4b --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_clusterrolebinding_tf-job-operator.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tf-job-operator +subjects: +- kind: ServiceAccount + name: tf-job-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml new file mode 100644 index 0000000000..c37a3b7497 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager-cainjector:leaderelection.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: cainjector + kustomize.component: cert-manager + name: cert-manager-cainjector:leaderelection + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create + - update + - patch diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml new file mode 100644 index 0000000000..542fbcbd59 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_cert-manager:leaderelection.yaml 
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ labels:
+ app: cert-manager
+ kustomize.component: cert-manager
+ name: cert-manager:leaderelection
+ namespace: kube-system
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - create
+ - update
+ - patch
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml
new file mode 100644
index 0000000000..0c57d76f07
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_role_jupyter-web-app-jupyter-notebook-role.yaml
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ labels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+ name: jupyter-web-app-jupyter-notebook-role
+ namespace: kubeflow
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - secrets
+ - services
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ - apps
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - '*'
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml
new file mode 100644
index 0000000000..a47a2fe74f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-cainjector:leaderelection.yaml
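Review bot: The first rule of `jupyter-web-app-jupyter-notebook-role` grants `'*'` on `secrets`, `pods` and `services`, and the RoleBinding later in this patch attaches the role to the `jupyter-notebook` service account. If notebook pods run under that account (the name suggests so, but the patch does not show the pod spec), any code a user runs in a notebook can read and change every Secret in the `kubeflow` namespace, which also hosts the platform components. I would take `- secrets` out of the first rule and, where notebooks need specific credentials, add a separate rule with `verbs: [get]` and a `resourceNames:` list.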
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: cainjector + kustomize.component: cert-manager + name: cert-manager-cainjector:leaderelection + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-cainjector:leaderelection +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-cainjector + namespace: cert-manager diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml new file mode 100644 index 0000000000..f7ec38a254 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager-webhook:webhook-authentication-reader.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: webhook + kustomize.component: cert-manager + name: cert-manager-webhook:webhook-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml new file mode 100644 index 0000000000..25a7fde904 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_cert-manager:leaderelection.yaml 
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ labels:
+ app: cert-manager
+ kustomize.component: cert-manager
+ name: cert-manager:leaderelection
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager:leaderelection
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml
new file mode 100644
index 0000000000..e07f869911
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.authorization.k8s.io_v1beta1_rolebinding_jupyter-web-app-jupyter-notebook-role-binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ labels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+ name: jupyter-web-app-jupyter-notebook-role-binding
+ namespace: kubeflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: jupyter-web-app-jupyter-notebook-role
+subjects:
+- kind: ServiceAccount
+ name: jupyter-notebook
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml b/kubeflow_clusters/code-intelligence/acm-repo/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml
new file mode 100644
index 0000000000..b667030386
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/rbac.istio.io_v1alpha1_clusterrbacconfig_default.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ClusterRbacConfig
+metadata:
+ name: default
+spec:
+ exclusion:
+ namespaces:
+ - istio-system
+ mode: ON_WITH_EXCLUSION
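Review bot: The single subject of `jupyter-web-app-jupyter-notebook-role-binding` has no `namespace`, unlike the other ServiceAccount subjects in the RBAC files around it. For a RoleBinding the API server falls back to the binding's own namespace, so this resolves to `kubeflow`, but the implicit form is easy to misread when auditing who holds the `'*'` role. Adding `namespace: kubeflow` under `name: jupyter-notebook` makes the grant explicit.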
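Review bot: `ClusterRbacConfig` under `rbac.istio.io/v1alpha1` is the RBAC API that Istio 1.4, the version the commit message says this cluster moves to, deprecates in favour of `AuthorizationPolicy`. While the old API is still served, `mode: ON_WITH_EXCLUSION` enforces authorization everywhere except `istio-system`; once a mesh upgrade stops serving it, this object would presumably have no effect and workloads would lose the check this file implies. A comment at the top of the file such as `# deprecated v1alpha1 RBAC; migrate to security.istio.io/v1beta1 AuthorizationPolicy before the next mesh upgrade` would keep that visible.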
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/v1_namespace_chatbot-dev.yaml b/kubeflow_clusters/code-intelligence/acm-repo/v1_namespace_chatbot-dev.yaml new file mode 100644 index 0000000000..f7e397027f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/v1_namespace_chatbot-dev.yaml @@ -0,0 +1,5 @@ +# Create a namespace for the development chatbot. +apiVersion: v1 +kind: Namespace +metadata: + name: chatbot-dev diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml new file mode 100644 index 0000000000..9ea0d8d5c4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_admission-webhook-admission-webhook-parameters.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + issuer: kubeflow-self-signing-issuer + namespace: kubeflow +kind: ConfigMap +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-admission-webhook-parameters + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cert-manager-kube-params-parameters.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cert-manager-kube-params-parameters.yaml new file mode 100644 index 0000000000..d8e47f2a94 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cert-manager-kube-params-parameters.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + certManagerNamespace: cert-manager +kind: ConfigMap +metadata: + labels: + kustomize.component: cert-manager + name: cert-manager-kube-params-parameters + namespace: kube-system 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cloud-endpoints-parameters.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cloud-endpoints-parameters.yaml new file mode 100644 index 0000000000..0d685cf7f0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_cloud-endpoints-parameters.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + namespace: kubeflow + secretName: admin-gcp-sa +kind: ConfigMap +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-parameters + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml new file mode 100644 index 0000000000..7b5a74a1d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_default-install-config-6mcgbmmtg6.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + profile-name: kubeflow-jlewi + user: jlewi@google.com +kind: ConfigMap +metadata: + name: default-install-config-6mcgbmmtg6 + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_envoy-config.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_envoy-config.yaml new file mode 100644 index 0000000000..1cfaa4903b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_envoy-config.yaml 
@@ -0,0 +1,128 @@ +apiVersion: v1 +data: + healthcheck_route.yaml: | + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: default-routes + namespace: $(namespace) + spec: + hosts: + - "*" + gateways: + - kubeflow-gateway + http: + - match: + - uri: + exact: /healthz + route: + - destination: + port: + number: 80 + host: whoami-app.kubeflow.svc.cluster.local + - match: + - uri: + exact: /whoami + route: + - destination: + port: + number: 80 + host: whoami-app.kubeflow.svc.cluster.local + --- + apiVersion: networking.istio.io/v1alpha3 + kind: Gateway + metadata: + name: kubeflow-gateway + namespace: $(namespace) + spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + setup_backend.sh: "#!/usr/bin/env bash\n#\n# A simple shell script to configure + the JWT audience used with ISTIO\nset -x\n[ -z ${NAMESPACE} ] && echo Error NAMESPACE + must be set && exit 1\n[ -z ${SERVICE} ] && echo Error SERVICE must be set && + exit 1\n[ -z ${INGRESS_NAME} ] && echo Error INGRESS_NAME must be set && exit + 1\n\nPROJECT=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/project-id)\nif + [ -z ${PROJECT} ]; then\n echo Error unable to fetch PROJECT from compute metadata\n + \ exit 1\nfi\n\nPROJECT_NUM=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id)\nif + [ -z ${PROJECT_NUM} ]; then\n echo Error unable to fetch PROJECT_NUM from compute + metadata\n exit 1\nfi\n\n# Activate the service account\nif [ ! 
-z \"${GOOGLE_APPLICATION_CREDENTIALS}\" + ]; then\n # As of 0.7.0 we should be using workload identity and never setting + GOOGLE_APPLICATION_CREDENTIALS.\n # But we kept this for backwards compatibility + but can remove later.\n gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}\nfi\n\n# + Print out the config for debugging\ngcloud config list\ngcloud auth list\n\nset_jwt_policy + () {\n NODE_PORT=$(kubectl --namespace=${NAMESPACE} get svc ${SERVICE} -o jsonpath='{.spec.ports[?(@.name==\"http2\")].nodePort}')\n + \ echo \"node port is ${NODE_PORT}\"\n\n BACKEND_NAME=\"\"\n while [[ -z ${BACKEND_NAME} + ]]; do\n BACKENDS=$(kubectl --namespace=${NAMESPACE} get ingress ${INGRESS_NAME} + -o jsonpath='{.metadata.annotations.ingress\\.kubernetes\\.io/backends}')\n echo + \"fetching backends info with ${INGRESS_NAME}: ${BACKENDS}\"\n BACKEND_NAME=$(echo + $BACKENDS | grep -o \"k8s-be-${NODE_PORT}--[0-9a-z]\\+\")\n echo \"backend + name is ${BACKEND_NAME}\"\n sleep 2\n done\n\n BACKEND_ID=\"\"\n while [[ + -z ${BACKEND_ID} ]]; do\n BACKEND_ID=$(gcloud compute --project=${PROJECT} + backend-services list --filter=name~${BACKEND_NAME} --format='value(id)')\n echo + \"Waiting for backend id PROJECT=${PROJECT} NAMESPACE=${NAMESPACE} SERVICE=${SERVICE} + filter=name~${BACKEND_NAME}\"\n sleep 2\n done\n echo BACKEND_ID=${BACKEND_ID}\n\n + \ JWT_AUDIENCE=\"/projects/${PROJECT_NUM}/global/backendServices/${BACKEND_ID}\"\n + \ \n # Use kubectl patch.\n echo patch JWT audience: ${JWT_AUDIENCE}\n kubectl + -n ${NAMESPACE} patch policy ingress-jwt --type json -p '[{\"op\": \"replace\", + \"path\": \"/spec/origins/0/jwt/audiences/0\", \"value\": \"'${JWT_AUDIENCE}'\"}]'\n\n + \ echo \"Clearing lock on service annotation\"\n kubectl patch svc \"${SERVICE}\" + -p \"{\\\"metadata\\\": { \\\"annotations\\\": {\\\"backendlock\\\": \\\"\\\" + }}}\"\n}\n\nwhile true; do\n set_jwt_policy\n # Every 5 minutes recheck the + JWT policy and reset it if the backend 
has changed for some reason.\n # This + follows Kubernetes level based design.\n # We have at least one report see \n + \ # https://github.com/kubeflow/kubeflow/issues/4342#issuecomment-544653657\n + \ # of the backend id changing over time.\n sleep 300\ndone\n" + update_backend.sh: "#!/bin/bash\n#\n# A simple shell script to configure the health + checks by using gcloud.\nset -x\n\n[ -z ${NAMESPACE} ] && echo Error NAMESPACE + must be set && exit 1\n[ -z ${SERVICE} ] && echo Error SERVICE must be set && + exit 1\n[ -z ${INGRESS_NAME} ] && echo Error INGRESS_NAME must be set && exit + 1\n\nPROJECT=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/project-id)\nif + [ -z ${PROJECT} ]; then\n echo Error unable to fetch PROJECT from compute metadata\n + \ exit 1\nfi\n\nif [[ ! -z \"${GOOGLE_APPLICATION_CREDENTIALS}\" ]]; then\n # + TODO(jlewi): As of 0.7 we should always be using workload identity. We can remove + it post 0.7.0 once we have workload identity\n # fully working\n # Activate + the service account, allow 5 retries\n for i in {1..5}; do gcloud auth activate-service-account + --key-file=${GOOGLE_APPLICATION_CREDENTIALS} && break || sleep 10; done\nfi \n\nset_health_check + () {\n NODE_PORT=$(kubectl --namespace=${NAMESPACE} get svc ${SERVICE} -o jsonpath='{.spec.ports[?(@.name==\"http2\")].nodePort}')\n + \ echo node port is ${NODE_PORT}\n\n while [[ -z ${BACKEND_NAME} ]]; do\n BACKENDS=$(kubectl + --namespace=${NAMESPACE} get ingress ${INGRESS_NAME} -o jsonpath='{.metadata.annotations.ingress\\.kubernetes\\.io/backends}')\n + \ echo \"fetching backends info with ${INGRESS_NAME}: ${BACKENDS}\"\n BACKEND_NAME=$(echo + $BACKENDS | grep -o \"k8s-be-${NODE_PORT}--[0-9a-z]\\+\")\n echo \"backend + name is ${BACKEND_NAME}\"\n sleep 2\n done\n\n while [[ -z ${BACKEND_SERVICE} + ]];\n do BACKEND_SERVICE=$(gcloud --project=${PROJECT} compute backend-services + list --filter=name~${BACKEND_NAME} --uri);\n echo 
\"Waiting for the backend-services + resource PROJECT=${PROJECT} BACKEND_NAME=${BACKEND_NAME} SERVICE=${SERVICE}...\";\n + \ sleep 2;\n done\n\n while [[ -z ${HEALTH_CHECK_URI} ]];\n do HEALTH_CHECK_URI=$(gcloud + compute --project=${PROJECT} health-checks list --filter=name~${BACKEND_NAME} + --uri);\n echo \"Waiting for the healthcheck resource PROJECT=${PROJECT} NODEPORT=${NODE_PORT} + SERVICE=${SERVICE}...\";\n sleep 2;\n done\n\n echo health check URI is ${HEALTH_CHECK_URI}\n\n + \ # Since we create the envoy-ingress ingress object before creating the envoy\n + \ # deployment object, healthcheck will not be configured correctly in the GCP\n + \ # load balancer. It will default the healthcheck request path to a value of\n + \ # / instead of the intended /healthz.\n # Manually update the healthcheck request + path to /healthz\n if [[ ${HEALTHCHECK_PATH} ]]; then\n # This is basic auth\n + \ echo Running health checks update ${HEALTH_CHECK_URI} with ${HEALTHCHECK_PATH}\n + \ gcloud --project=${PROJECT} compute health-checks update http ${HEALTH_CHECK_URI} + --request-path=${HEALTHCHECK_PATH}\n else\n # /healthz/ready is the health + check path for istio-ingressgateway\n echo Running health checks update ${HEALTH_CHECK_URI} + with /healthz/ready\n gcloud --project=${PROJECT} compute health-checks update + http ${HEALTH_CHECK_URI} --request-path=/healthz/ready\n # We need the nodeport + for istio-ingressgateway status-port\n STATUS_NODE_PORT=$(kubectl -n istio-system + get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name==\"status-port\")].nodePort}')\n + \ gcloud --project=${PROJECT} compute health-checks update http ${HEALTH_CHECK_URI} + --port=${STATUS_NODE_PORT}\n fi \n}\n\nwhile true; do\n set_health_check\n + \ echo \"Backend updated successfully. Waiting 1 hour before updating again.\"\n + \ sleep 3600\ndone\n" +kind: ConfigMap +metadata: + labels: + kustomize.component: iap-ingress + name: envoy-config + namespace: istio-system 
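Review bot: In `update_backend.sh`, `set_health_check` never clears `BACKEND_NAME`, `BACKEND_SERVICE` or `HEALTH_CHECK_URI`, so after the first pass all three `while [[ -z … ]]` loops are skipped and the hourly re-run keeps updating the health check it found at start-up, even if the backend has been recreated since. `setup_backend.sh` in the same ConfigMap resets `BACKEND_NAME=""` and `BACKEND_ID=""` on every call, and its own comment notes that backend ids have been seen to change. Adding `local BACKEND_NAME="" BACKEND_SERVICE="" HEALTH_CHECK_URI=""` as the first line of `set_health_check` would make the two scripts consistent. Both scripts also test variables unquoted (`[ -z ${NAMESPACE} ]`); quoting them as `[ -z "${NAMESPACE}" ]` avoids word-splitting surprises.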
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml new file mode 100644 index 0000000000..14b9b50761 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_iap-ingress-config-c2924ch89c.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +data: + appName: code-intelligence + hostname: code-intelligence.endpoints.issue-label-bot-dev.cloud.goog + ingressName: envoy-ingress + ipName: code-intelligence-ip + istioNamespace: istio-system + oauthSecretName: kubeflow-oauth + project: issue-label-bot-dev + tlsSecretName: envoy-ingress-tls +kind: ConfigMap +metadata: + labels: + kustomize.component: iap-ingress + name: iap-ingress-config-c2924ch89c + namespace: istio-system diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_ingress-bootstrap-config.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_ingress-bootstrap-config.yaml new file mode 100644 index 0000000000..024ac69f43 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_ingress-bootstrap-config.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +data: + ingress_bootstrap.sh: | + #!/usr/bin/env bash + + set -x + set -e + + # This is a workaround until this is resolved: https://github.com/kubernetes/ingress-gce/pull/388 + # The long-term solution is to use a managed SSL certificate on GKE once the feature is GA. + + # The ingress is initially created without a tls spec. + # Wait until cert-manager generates the certificate using the http-01 challenge on the GCLB ingress. + # After the certificate is obtained, patch the ingress with the tls spec to enable SSL on the GCLB. + + # Wait for certificate. + until kubectl -n ${NAMESPACE} get secret ${TLS_SECRET_NAME} 2>/dev/null; do + echo "Waiting for certificate..." + sleep 2 + done + + kubectl -n ${NAMESPACE} patch ingress ${INGRESS_NAME} --type='json' -p '[{"op": "add", "path": "/spec/tls", "value": [{"secretName": "'${TLS_SECRET_NAME}'", "hosts":["'${TLS_HOST_NAME}'"]}]}]' + + echo "Done" +kind: ConfigMap +metadata: + labels: + kustomize.component: iap-ingress + name: ingress-bootstrap-config + namespace: istio-system diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml new file mode 100644 index 0000000000..685cf43f45 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_jupyter-web-app-jupyter-web-app-config-dhcbh64467.yaml 
@@ -0,0 +1,138 @@ +apiVersion: v1 +data: + spawner_ui_config.yaml: |- + # Configuration file for the Jupyter UI. + # + # Each Jupyter UI option is configured by two keys: 'value' and 'readOnly' + # - The 'value' key contains the default value + # - The 'readOnly' key determines if the option will be available to users + # + # If the 'readOnly' key is present and set to 'true', the respective option + # will be disabled for users and only set by the admin. Also when a + # Notebook is POSTED to the API if a necessary field is not present then + # the value from the config will be used. + # + # If the 'readOnly' key is missing (defaults to 'false'), the respective option + # will be available for users to edit. + # + # Note that some values can be templated. Such values are the names of the + # Volumes as well as their StorageClass + spawnerFormDefaults: + image: + # The container Image for the user's Jupyter Notebook + # If readonly, this value must be a member of the list below + value: gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-cpu:1.0.0 + # The list of available standard container Images + options: + - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-cpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-gpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-cpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-gpu:1.0.0 + # By default, custom container Images are allowed + # Uncomment the following line to only enable standard container Images + readOnly: false + cpu: + # CPU for user's Notebook + value: '0.5' + readOnly: false + memory: + # Memory for user's Notebook + value: 1.0Gi + readOnly: false + workspaceVolume: + # Workspace Volume to be attached to user's Notebook + # Each Workspace Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + value: + type: + # The Type of the Workspace Volume + # Supported values: 'New', 'Existing' + value: New + 
name: + # The Name of the Workspace Volume + # Note that this is a templated value. Special values: + # {notebook-name}: Replaced with the name of the Notebook. The frontend + # will replace this value as the user types the name + value: 'workspace-{notebook-name}' + size: + # The Size of the Workspace Volume (in Gi) + value: '10Gi' + mountPath: + # The Path that the Workspace Volume will be mounted + value: /home/jovyan + accessModes: + # The Access Mode of the Workspace Volume + # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' + value: ReadWriteOnce + class: + # The StrageClass the PVC will use if type is New. Special values are: + # {none}: default StorageClass + # {empty}: empty string "" + value: '{none}' + readOnly: false + dataVolumes: + # List of additional Data Volumes to be attached to the user's Notebook + value: [] + # Each Data Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + # + # For example, a list with 2 Data Volumes: + # value: + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-1' + # size: + # value: '10Gi' + # class: + # value: standard + # mountPath: + # value: /home/jovyan/vol-1 + # accessModes: + # value: ReadWriteOnce + # class: + # value: {none} + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-2' + # size: + # value: '10Gi' + # mountPath: + # value: /home/jovyan/vol-2 + # accessModes: + # value: ReadWriteMany + # class: + # value: {none} + readOnly: false + gpus: + # Number of GPUs to be assigned to the Notebook Container + value: + # values: "none", "1", "2", "4", "8" + num: "none" + # Determines what the UI will show and send to the backend + vendors: + - limitsKey: "nvidia.com/gpu" + uiName: "NVIDIA" + # Values: "" or a `limits-key` from the vendors list + vendor: "" + readOnly: false + shm: + value: true + readOnly: false + configurations: + # List of labels to be selected, these are the labels from 
PodDefaults + # value: + # - add-gcp-secret + # - default-editor + value: [] + readOnly: false +kind: ConfigMap +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-jupyter-web-app-config-dhcbh64467 + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml new file mode 100644 index 0000000000..9ba0edebb0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_kubeflow-config-988m2m9m87.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + clusterDomain: cluster.local + userid-header: X-Goog-Authenticated-User-Email + userid-prefix: 'accounts.google.com:' +kind: ConfigMap +metadata: + name: kubeflow-config-988m2m9m87 + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml new file mode 100644 index 0000000000..ca0dc1ba50 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_notebook-controller-notebook-controller-config-h4d668t5tb.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + ISTIO_GATEWAY: kubeflow/kubeflow-gateway + USE_ISTIO: "true" +kind: ConfigMap +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-notebook-controller-config-h4d668t5tb + namespace: kubeflow 
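Review bot: Under `spawnerFormDefaults.image`, the comment says to uncomment the following line to restrict users to the standard images, but the line is already present as `readOnly: false`, which is the setting that allows any custom image. As written, anyone who can create a notebook can have the cluster pull and run an arbitrary container image. If only the four listed `gcr.io/kubeflow-images-public` images are meant to be available, set `readOnly: true`; otherwise reword the comment to `# Custom container images are allowed; set readOnly: true to restrict users to the list above`.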
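Review bot: `userid-header: X-Goog-Authenticated-User-Email` in `kubeflow-config` makes the components that consume this ConfigMap take the caller's identity from a plain request header. That is sound only while every route into the mesh passes through IAP, or the gateway strips the header from requests that do not. The commit message describes adding a Dialogflow webhook path with different JWT validation, so it is worth confirming that a request arriving on that path cannot carry its own `X-Goog-Authenticated-User-Email`. A comment above the key, for example `# trusted only behind IAP; non-IAP routes must strip this header`, would record the assumption.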
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml
new file mode 100644
index 0000000000..1d95e3a196
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_configmap_profiles-profiles-config-b8664685bd.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ admin: jlewi@google.com
+ gcp-sa: jl-stack-0409-204015-user@jlewi-dev.iam.gserviceaccount.com
+kind: ConfigMap
+metadata:
+ labels:
+ kustomize.component: profiles
+ name: profiles-profiles-config-b8664685bd
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_cert-manager.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_cert-manager.yaml
new file mode 100644
index 0000000000..c90416ff47
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_cert-manager.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_kubeflow.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_kubeflow.yaml
new file mode 100644
index 0000000000..74058af2fc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_namespace_kubeflow.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: kubeflow
+ katib-metricscollector-injection: enabled
+ name: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_admission-webhook-service.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_admission-webhook-service.yaml
new file mode 100644
index 0000000000..1636dc9520
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_admission-webhook-service.yaml
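Review bot: `gcp-sa` in `profiles-profiles-config` points at `jl-stack-0409-204015-user@jlewi-dev.iam.gserviceaccount.com`, a service account in project `jlewi-dev`, while the IAP ingress ConfigMap in this patch sets `project: issue-label-bot-dev`. This looks like a value carried over from another deployment; if profiles are bound to it through workload identity, user namespaces in this cluster would act as an account from a different project. Please confirm the intended account and, if it should live in this project, replace the value, e.g. `gcp-sa: <SERVICE_ACCOUNT>@issue-label-bot-dev.iam.gserviceaccount.com` (placeholder name). The `admin` key here and `default-install-config` earlier in the patch also hard-code one individual's address rather than a group.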
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-service + namespace: kubeflow +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_application-controller-service.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_application-controller-service.yaml new file mode 100644 index 0000000000..0c6322990d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_application-controller-service.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Service +metadata: + name: application-controller-service + namespace: kubeflow +spec: + ports: + - port: 443 diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_centraldashboard.yaml new file mode 100644 index 0000000000..3f50af45e4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_centraldashboard.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: centralui-mapping + prefix: / + rewrite: / + service: centraldashboard.$(namespace) + labels: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8082 + selector: + app: centraldashboard + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + sessionAffinity: None + type: ClusterIP 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_cloud-endpoints-controller.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_cloud-endpoints-controller.yaml new file mode 100644 index 0000000000..3dde7ad13e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_cloud-endpoints-controller.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: cloud-endpoints-controller + namespace: kubeflow +spec: + ports: + - name: http + port: 80 + selector: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_jupyter-web-app-service.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_jupyter-web-app-service.yaml new file mode 100644 index 0000000000..cbc5e87e29 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_jupyter-web-app-service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: webapp_mapping + prefix: /$(prefix)/ + service: jupyter-web-app-service.$(namespace) + add_request_headers: + x-forwarded-prefix: /jupyter + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + run: jupyter-web-app + name: jupyter-web-app-service + namespace: kubeflow +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 5000 + selector: + app: jupyter-web-app + kustomize.component: jupyter-web-app + type: ClusterIP 
diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_notebook-controller-service.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_notebook-controller-service.yaml new file mode 100644 index 0000000000..a9f1b4b8e0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_notebook-controller-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-service + namespace: kubeflow +spec: + ports: + - port: 443 + selector: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_profiles-kfam.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_profiles-kfam.yaml new file mode 100644 index 0000000000..db1f50bd7d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_profiles-kfam.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + kustomize.component: profiles + name: profiles-kfam + namespace: kubeflow +spec: + ports: + - port: 8081 + selector: + kustomize.component: profiles diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_pytorch-operator.yaml new file mode 100644 index 0000000000..4114ea5f9f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_pytorch-operator.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8443" + prometheus.io/scrape: "true" + labels: + app: pytorch-operator + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + namespace: kubeflow +spec: + ports: + - name: monitoring-port + port: 8443 + targetPort: 8443 + selector: + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_tf-job-operator.yaml new file mode 100644 index 0000000000..a13b8ac441 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_tf-job-operator.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8443" + prometheus.io/scrape: "true" + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + namespace: kubeflow +spec: + ports: + - name: monitoring-port + port: 8443 + targetPort: 8443 + selector: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_whoami-app.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_whoami-app.yaml new file mode 100644 index 0000000000..a1e526a478 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_service_whoami-app.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: whoami + kustomize.component: iap-ingress + name: whoami-app + namespace: istio-system +spec: + ports: + - port: 80 + targetPort: 8081 + selector: + app: whoami + kustomize.component: iap-ingress + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_admission-webhook-service-account.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_admission-webhook-service-account.yaml new file mode 100644 index 0000000000..6f41ce954d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_admission-webhook-service-account.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: admission-webhook + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + kustomize.component: admission-webhook + name: admission-webhook-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_application-controller-service-account.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_application-controller-service-account.yaml new file mode 100644 index 0000000000..05af566f47 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_application-controller-service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: application-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_centraldashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_centraldashboard.yaml new file mode 100644 index 0000000000..55deba785d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_centraldashboard.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/name: centraldashboard + name: centraldashboard + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml new file mode 100644 index 0000000000..926d7e9b7a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_jupyter-web-app-service-account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_kf-admin.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_kf-admin.yaml new file mode 100644 index 0000000000..4779c0ee5d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_kf-admin.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + iam.gke.io/gcp-service-account: code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com + labels: + app: cloud-endpoints-controller + app.kubernetes.io/component: cloud-endpoints + app.kubernetes.io/name: cloud-endpoints + kustomize.component: cloud-endpoints + name: kf-admin + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_meta-controller-service.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_meta-controller-service.yaml new file mode 100644 index 0000000000..5acb480f69 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_meta-controller-service.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + kustomize.component: metacontroller + name: meta-controller-service + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_notebook-controller-service-account.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_notebook-controller-service-account.yaml new file mode 100644 index 0000000000..d34df92177 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_notebook-controller-service-account.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller + name: notebook-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_profiles-controller-service-account.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_profiles-controller-service-account.yaml new file mode 100644 index 0000000000..881ccbf1bd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_profiles-controller-service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + kustomize.component: profiles + name: profiles-controller-service-account + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_pytorch-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_pytorch-operator.yaml new file mode 100644 index 0000000000..3d3555c2b1 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_pytorch-operator.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: pytorch-operator + app.kubernetes.io/component: pytorch + app.kubernetes.io/name: pytorch-operator + kustomize.component: pytorch-operator + name: pytorch-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-dashboard.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-dashboard.yaml new file mode 100644 index 0000000000..3e0982e277 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-dashboard.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: tf-job-dashboard + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-dashboard + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-operator.yaml b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-operator.yaml new file mode 100644 index 0000000000..f7bf874b73 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/acm-repo/~g_v1_serviceaccount_tf-job-operator.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: tf-job-operator + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-operator + kustomize.component: tf-job-operator + name: tf-job-operator + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/configsync/config-management-operator.yaml b/kubeflow_clusters/code-intelligence/configsync/config-management-operator.yaml new file mode 100644 index 0000000000..28eb2f48c6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/configsync/config-management-operator.yaml 
@@ -0,0 +1,258 @@ +# ----- configmanagement_v1_configmanagement.yaml ----- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: configmanagements.configmanagement.gke.io +spec: + group: configmanagement.gke.io + names: + kind: ConfigManagement + plural: configmanagements + scope: Cluster + # NOTE TO MAINTAINERS: controller-gen will try to remove these and + # replace it with `version: v1`. Don't let that happen, see + # https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definition-versioning + versions: + - name: v1 + served: true + storage: true + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + clusterName: + description: ClusterName, if defined, sets the name for this cluster. If + unset, the cluster is considered to be unnamed, and cannot use ClusterSelectors. + type: string + configConnector: + description: ConfigConnector deploys the GCP Config Connector components + as recognized by the "cnrm.cloud.google.com/system" label set to "true". + properties: + enabled: + description: 'Enable or disable the Config Connector. Default: + false.' 
+ type: boolean + type: object + git: + description: Git contains configuration specific to importing policies + from a Git repo. + properties: + policyDir: + description: 'PolicyDir is the absolute path of the directory that + contains the local policy. Default: the root directory of the + repo.' + type: string + proxy: + description: Proxy is a struct that contains options for configuring + access to the Git repo via a proxy. Only has an effect when secretType + is one of ("cookiefile", "none"). Optional. + properties: + httpProxy: + description: HTTPProxy defines a HTTP_PROXY env variable used + to access the Git repo. If both HTTPProxy and HTTPSProxy + are specified, HTTPProxy will be ignored. Optional. + type: string + httpsProxy: + description: HTTPSProxy defines a HTTPS_PROXY env variable used + to access the Git repo. If both HTTPProxy and HTTPSProxy + are specified, HTTPProxy will be ignored. Optional. + type: string + type: object + secretType: + description: SecretType is the type of secret configured for access + to the Git repo. Must be one of ssh, cookiefile, gcenode, token, + or none. Required. The validation of this is case-sensitive. + pattern: ^(ssh|cookiefile|gcenode|token|none)$ + type: string + syncBranch: + description: 'SyncBranch is the branch to sync from. Default: "master".' + type: string + syncRepo: + pattern: ^(((https?|git|ssh):\/\/)|git@) + type: string + syncRev: + description: 'SyncRev is the git revision (tag or hash) to check + out. Default: HEAD.' + type: string + syncWait: + description: 'SyncWaitSeconds is the time duration in seconds between + consecutive syncs. Default: 15 seconds. Note that SyncWaitSecs + is not a time.Duration on purpose. This provides a reminder to + developers that customers specify this value using using integers + like "3" in their ConfigManagement YAML. 
However, time.Duration + is at a nanosecond granularity, and it''s easy to introduce a + bug where it looks like the code is dealing with seconds but its + actually nanoseconds (or vice versa).' + format: int64 + type: integer + type: object + policyController: + description: Policy Controller enables PolicyController components as + recognized by the "gatekeeper.sh/manifest" label set to "true". + properties: + auditIntervalSeconds: + description: AuditIntervalSeconds. The number of seconds between + audit runs. Defaults to 60 seconds. To disable audit, set this + to 0. + format: int64 + type: integer + enabled: + description: 'Enable or disable the Policy Controller. Default: + false.' + type: boolean + exemptableNamespaces: + description: ExemptableNamespaces. The namespaces in this list are + able to have the admission.gatekeeper.sh/ignore label set. When + the label is set, Policy Controller will not be called for that + namespace or any resources contained in it. `gatekeeper-system` + is always exempted. + items: + type: string + type: array + referentialRulesEnabled: + description: 'ReferentialRulesEnabled. If true, Policy Controller + will allow `data.inventory` references in the contents of ConstraintTemplate + Rego. No effect unless policyController is enabled. Default: + false.' + type: boolean + templateLibraryInstalled: + description: 'TemplateLibraryInstalled. If true, a set of default + ConstraintTemplates will be deployed to the cluster. ConstraintTemplates + will not be deployed if this is explicitly set to false or if + policyController is not enabled. Default: true.' + type: boolean + type: object + sourceFormat: + description: SourceFormat specifies how the repository is formatted. + See documentation for specifics of what these options do. Must be + one of hierarchy, unstructured. Optional. Set to hierarchy if not + specified. The validation of this is case-sensitive. 
+ pattern: ^(hierarchy|unstructured|)$ + type: string + type: object + status: + properties: + configManagementVersion: + description: ConfigManagementVersion is the semantic version number + of the config management system enforced by the currently running + config management operator. + type: string + errors: + items: + type: string + type: array + healthy: + type: boolean + required: + - healthy + type: object + required: + - metadata + - spec +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# ----- addons_rolebinding_rbac.yaml ----- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + k8s-app: config-management-operator + name: config-management-operator + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: config-management-operator +subjects: +- kind: ServiceAccount + name: config-management-operator + namespace: kube-system +--- +# ----- addons_role_rbac.yaml ----- +# The Nomos system creates RBAC rules, so it requires +# full cluster-admin access. Thus, the operator needs +# to be able to grant tha permission to the installed +# Nomos components. 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + k8s-app: config-management-operator + name: config-management-operator +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] +--- +# ----- manager.yaml ----- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: config-management-operator + name: config-management-operator + namespace: kube-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: config-management-operator + namespace: kube-system + labels: + k8s-app: config-management-operator +spec: + strategy: + type: Recreate + # must be null due to 3-way merge, as + # rollingUpdate added to the resource by default by the APIServer + rollingUpdate: null + selector: + matchLabels: + k8s-app: config-management-operator + component: config-management-operator + template: + metadata: + labels: + k8s-app: config-management-operator + component: config-management-operator + spec: + containers: + - command: + - /manager + - --private-registry= + name: manager + image: gcr.io/config-management-release/config-management-operator:20200409021017-op + resources: + requests: + cpu: 100m + memory: 20Mi + serviceAccount: config-management-operator +--- +# ----- namespace.yaml ----- +apiVersion: v1 +kind: Namespace +metadata: + name: config-management-system + labels: + configmanagement.gke.io/system: "true" diff --git a/kubeflow_clusters/code-intelligence/configsync/config-management.yaml b/kubeflow_clusters/code-intelligence/configsync/config-management.yaml new file mode 100644 index 0000000000..3dd8887cdc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/configsync/config-management.yaml 
@@ -0,0 +1,20 @@
+apiVersion: configmanagement.gke.io/v1
+kind: ConfigManagement
+metadata:
+ name: config-management
+ annotations:
+ gke.io/cluster: "gke://issue-label-bot-dev/us-central1/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1"}]}}
+spec:
+ clusterName: "gke://issue-label-bot-dev/us-central1/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1"}]}}
+ git:
+ # TODO(jlewi): We should change this to branch master on kubeflow/code-intelligence
+ syncRepo: "https://github.com/jlewi/code-intelligence.git" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"source_repo","value":"https://github.com/jlewi/community-infra.git"}]}}
+ syncBranch: chatbot
+ secretType: none
+ policyDir: "/kubeflow_clusters/code-intelligence/acm-repo" # {"$ref":"#/definitions/io.k8s.cli.setters.sync-repo-dir"}
+ # We don't want to install cloud config connector
+ configConnector:
+ enabled: false
+ # We use an unstruuctured repository because we don't have good tools
+ # right now to reorganize our K8s resources in the layout required by structured repositories.
+ sourceFormat: unstructured
diff --git a/kubeflow_clusters/code-intelligence/hack/check_domain_length.sh b/kubeflow_clusters/code-intelligence/hack/check_domain_length.sh
new file mode 100755
index 0000000000..3d7619c27a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/hack/check_domain_length.sh
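Review bot: `syncRepo: "https://github.com/jlewi/code-intelligence.git"` with `syncBranch: chatbot` makes the cluster apply whatever lands on a branch of a personal fork. The operator installed by config-management-operator.yaml in this same commit is bound to a ClusterRole whose only rule is `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`, so anyone who can push to that branch effectively has cluster-wide control outside the main repository's review process. The TODO already notes the move to kubeflow/code-intelligence master; until then I would set `syncRev` to a reviewed commit hash (the CRD in this commit documents it as "tag or hash") and protect the branch. `secretType: none` is workable for a public repository, but it means nothing authenticates the source beyond HTTPS.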
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# A simple bash script to check that when using CloudEnpoints
+# to create an endpoint we don't endup with a domain
+# that exceeds the maximum allowed length of 62 characters.
+# The domain will be ${NAME}.endpoints.${PROJECT}.cloud.goog\
+#
+# Run this as PROJECT=${PROJECT} NAME=${NAME} ./check_domain_length
+domain=${NAME}.endpoints.${PROJECT}.cloud.goog
+
+if [ ${#domain} -gt 62 ]; then
+ echo The ${domain} exceeds is ${#domain} characters long which exceeds the maximum length of 62 characters
+ echo choose a shorter name for your deployment
+ exit 1
+fi
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/hack/check_oauth_secret.sh b/kubeflow_clusters/code-intelligence/hack/check_oauth_secret.sh
new file mode 100755
index 0000000000..df6f1c12ec
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/hack/check_oauth_secret.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# Check if CLIENT_ID and CLIENT_SECRET are set
+
+if [ -z "$CLIENT_ID" ] || [ -z "$CLIENT_SECRET" ]; then
+ echo "Error: Environment variables CLIENT_ID and CLIENT_SECRET must be set to the OAuth client id and secret to be used with IAP"
+ exit 1
+fi
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/hack/create_context.sh b/kubeflow_clusters/code-intelligence/hack/create_context.sh
new file mode 100755
index 0000000000..24df8eb948
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/hack/create_context.sh
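Review bot: check_domain_length.sh never verifies that NAME and PROJECT are set, so with either one empty it builds a shorter domain, passes the length test and exits 0 without having checked the real name. I would fail fast before the `domain=` assignment with `: "${NAME:?NAME must be set}" "${PROJECT:?PROJECT must be set}"`. The first `echo` also expands `${domain}` unquoted and its message reads "exceeds is"; `echo "The domain ${domain} is ${#domain} characters long, which exceeds the maximum length of 62 characters"` fixes both.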
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# A simple helper script to create a kubeconfig context for a particular cluster.
+#
+# usage
+# PROJECT= REGION= NAME=
+#
+# TODO(jlewi): Support zonal clusters as well
+set -x
+
+# Default namespace to kubeflow
+NAMESPACE=${NAMESPACE:-kubeflow}
+echo Checking if context ${NAME} exists
+
+kubectl config use-context ${NAME}
+
+RESULT=$?
+
+if [ ${RESULT} -eq 0 ]; then
+echo kubeconfig context ${NAME} already exists
+exit 0
+fi
+
+set -ex
+
+# TODO test if the context already exists and if it does do nothing
+gcloud --project=${PROJECT} container clusters get-credentials \
+ --region=${REGION} ${NAME}
+
+# Rename the context
+kubectl config rename-context $(kubectl config current-context) ${NAME}
+
+# Set the namespace to the host project
+kubectl config set-context --current --namespace=${NAMESPACE}
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/instance/README.md b/kubeflow_clusters/code-intelligence/instance/README.md
new file mode 100644
index 0000000000..845498c417
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/README.md
@@ -0,0 +1,8 @@
+# Overlays
+
+* This directory defines overlays of the vendored packages that customize
+ Kubeflow for your particular use case
+
+* These customizations are stored as overlays("patches") ontop of the vendored
+ packages to make it easy to upgrade the vendored packages while
+ preserving your modfications.
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/instance/gcp_config/cluster_patch.yaml b/kubeflow_clusters/code-intelligence/instance/gcp_config/cluster_patch.yaml
new file mode 100644
index 0000000000..8b24fda859
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/gcp_config/cluster_patch.yaml
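Review bot: create_context.sh treats any existing kubeconfig context called `${NAME}` as correct and exits 0, without checking that it points at the cluster in `${PROJECT}`/`${REGION}`. A leftover context of the same name from another project would then receive every later kubectl command. PROJECT, REGION and NAME are also used unvalidated and unquoted, including in `kubectl config rename-context $(kubectl config current-context) ${NAME}`. I would add `: "${PROJECT:?}" "${REGION:?}" "${NAME:?}"` at the top, quote the expansions, and compare the existing context's cluster with the expected one before the early `exit 0`.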
@@ -0,0 +1,31 @@
+# Define a patch to define user specific values for the cluster
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+ clusterName: "issue-label-bot-dev/us-central1/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1"}]}}
+ labels:
+ mesh_id: "issue-label-bot-dev_us-central1_code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1"}]}}
+ name: code-intelligence # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"code-intelligence"}}}
+spec:
+ location: us-central1 # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"location","value":"us-central1"}}}
+ workloadIdentityConfig:
+ identityNamespace: issue-label-bot-dev.svc.id.goog # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ nodeConfig:
+ serviceAccountRef:
+ name: code-intelligence-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ clusterAutoscaling:
+ enabled: true
+ autoProvisioningDefaults:
+ oauthScopes:
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring
+ - https://www.googleapis.com/auth/devstorage.read_only
+ serviceAccountRef:
+ name: code-intelligence-vm
+ resourceLimits:
+ - resourceType: cpu
+ maximum: 128
+ - resourceType: memory
+ maximum: 2000
+ - resourceType: nvidia-tesla-k80
+ maximum: 16
\ No newline at end of file
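Review bot: The `serviceAccountRef` that follows `oauthScopes` in the `autoProvisioningDefaults` block hard-codes `name: code-intelligence-vm` without the kpt setter comment that the same reference under `nodeConfig` carries. After a `name` change through kpt, auto-provisioned node pools would presumably keep referencing the old service account while the default pool moves to the new one, leaving the two sets of nodes under different identities. I would add the same setter comment to that line: `# {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"code-intelligence"}]}}`. The short `oauthScopes` list and the dedicated node service account are worth keeping as they are.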
diff --git a/kubeflow_clusters/code-intelligence/instance/gcp_config/enable-services.yaml b/kubeflow_clusters/code-intelligence/instance/gcp_config/enable-services.yaml new file mode 100644 index 0000000000..408584afd0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/instance/gcp_config/enable-services.yaml 
@@ -0,0 +1,98 @@ +# GKE +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: gke + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: container.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: compute + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: compute.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: monitoring + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: monitoring.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: logging + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: logging.googleapis.com + +# TODO(jlewi): Does order matter? 
+--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: meshca + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: meshca.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: meshtelemetry + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: meshtelemetry.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: mesh + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: meshconfig.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: iamcredentials + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: iamcredentials.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: anthos + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: anthos.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: gkeconnect + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: gkeconnect.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: gkehub + namespace: "issue-label-bot-dev" # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: gkehub.googleapis.com +--- +apiVersion: cnrm.cloud.google.com/v1alpha1 +kind: CloudService +metadata: + name: resourcemanager + namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +spec: + service: cloudresourcemanager.googleapis.com diff --git a/kubeflow_clusters/code-intelligence/instance/gcp_config/iam_policy.yaml b/kubeflow_clusters/code-intelligence/instance/gcp_config/iam_policy.yaml new file mode 100644 index 0000000000..61ca9052d6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/instance/gcp_config/iam_policy.yaml 
@@ -0,0 +1,25 @@
+# kf-admin binding in namespace kubeflow
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-wi # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+spec:
+ resourceRef:
+ apiVersion: iam.cnrm.cloud.google.com/v1beta1
+ kind: IAMServiceAccount
+ name: code-intelligence-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+ member: serviceAccount:issue-label-bot-dev.svc.id.goog[kubeflow/kf-admin] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/iam.workloadIdentityUser
+---
+# kf-admin binding in namespace istio-system
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-istio-wi # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+spec:
+ resourceRef:
+ apiVersion: iam.cnrm.cloud.google.com/v1beta1
+ kind: IAMServiceAccount
+ name: code-intelligence-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+ member: serviceAccount:issue-label-bot-dev.svc.id.goog[istio-system/kf-admin] # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/iam.workloadIdentityUser
diff --git a/kubeflow_clusters/code-intelligence/instance/gcp_config/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/gcp_config/kustomization.yaml
new file mode 100644
index 0000000000..7ed4ec1e9d
--- /dev/null
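Review bot: Nothing in iam_policy.yaml says why the Kubernetes service account `kf-admin` needs `roles/iam.workloadIdentityUser` on `code-intelligence-admin` from two namespaces (`kubeflow` and `istio-system`); the one-line headers only name the namespace, so a reader cannot tell which workloads are expected to run as `kf-admin` or how much the admin account can reach. I would extend each header, for example `# Lets pods running as kubeflow/kf-admin act as code-intelligence-admin via Workload Identity; keep the set of workloads using this KSA minimal.` Separately, the kpt setter comments on `metadata.name` and `resourceRef.name` in both documents record `gcloud.core.project` as `jlewi-dev`, while the `member` lines use `issue-label-bot-dev`. That looks like a leftover from another deployment and is worth regenerating so a later setter run does not rewrite these fields unexpectedly.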
+++ b/kubeflow_clusters/code-intelligence/instance/gcp_config/kustomization.yaml
@@ -0,0 +1,16 @@
+# This package defines the overlays of all GCP infra
+# config
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# namespace should match the project.
+# This assumes we are running CNRM in namespace mode and namespaces match project names.
+namespace: issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+# TODO(jlewi): do not commit the labels auto-deploy and purpose; they were added
+# as part of autodeployment testing.
+commonLabels:
+ kf-name: code-intelligence # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"code-intelligence"}}}
+resources:
+- ../../upstream/manifests/gcp/v2/cnrm
+- iam_policy.yaml
+patchesStrategicMerge:
+- cluster_patch.yaml
diff --git a/kubeflow_clusters/code-intelligence/instance/gcp_config/nodepool_patch.yaml b/kubeflow_clusters/code-intelligence/instance/gcp_config/nodepool_patch.yaml
new file mode 100644
index 0000000000..cdf4c4b8b8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/gcp_config/nodepool_patch.yaml
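Review bot: `patchesStrategicMerge` in gcp_config/kustomization.yaml lists only `cluster_patch.yaml`, but the commit also adds `gcp_config/nodepool_patch.yaml` (the next file), which points the node pool's `serviceAccountRef` at `code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com`. Unless that patch is pulled in somewhere not visible here, it is never applied and the node pool keeps whatever service account the upstream cnrm package defines. If the dedicated VM account is intended, add `- nodepool_patch.yaml` under `patchesStrategicMerge`. The TODO about the `auto-deploy` and `purpose` labels also looks stale, since `commonLabels` here sets only `kf-name`.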
@@ -0,0 +1,11 @@
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+ clusterName: "issue-label-bot-dev/us-central1/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1"}]}}
+ name: code-intelligence-cpu-pool-v1 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ nodeConfig:
+ serviceAccountRef:
+ name: code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ clusterRef:
+ name: code-intelligence # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"code-intelligence"}}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/application/kustomization.yaml
new file mode 100644
index 0000000000..f67a8753c4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/application/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/application/v3 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-crds/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-crds/kustomization.yaml
new file mode 100644
index 0000000000..ddda2a0d19
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-crds/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/cert-manager/cert-manager-crds/base # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-kube-system-resources/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-kube-system-resources/kustomization.yaml
new file mode 100644
index 0000000000..f3bd32a65d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager-kube-system-resources/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/cert-manager/cert-manager-kube-system-resources/base # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager/kustomization.yaml
new file mode 100644
index 0000000000..390b1724ac
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/cert-manager/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/cert-manager/cert-manager/v3 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/kustomization.yaml
new file mode 100644
index 0000000000..7637c7fc35
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/gcp/cloud-endpoints/overlays/application # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
+patchesStrategicMerge:
+- service-accounts.yaml
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/service-accounts.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/service-accounts.yaml
new file mode 100644
index 0000000000..d9e8981b93
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/cloud-endpoints/service-accounts.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kf-admin
+ annotations:
+ iam.gke.io/gcp-service-account: code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/iap-ingress-config.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/iap-ingress-config.yaml
new file mode 100755
index 0000000000..63535b0587
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/iap-ingress-config.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ appName: code-intelligence # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ hostname: code-intelligence.endpoints.issue-label-bot-dev.cloud.goog # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ ipName: code-intelligence-ip # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ project: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: iap-ingress-config
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/kustomization.yaml
new file mode 100644
index 0000000000..90c52447d8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+patchesStrategicMerge:
+- iap-ingress-config.yaml
+- service-accounts.yaml
+resources:
+- ../../../upstream/manifests/gcp/iap-ingress/v3 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
+- ../../../upstream/manifests/istio/iap-gateway/base # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/service-accounts.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/service-accounts.yaml
new file mode 100644
index 0000000000..d9e8981b93
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/iap-ingress/service-accounts.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kf-admin
+ annotations:
+ iam.gke.io/gcp-service-account: code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/default-install-config.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/default-install-config.yaml
new file mode 100755
index 0000000000..53f78801ce
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/default-install-config.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ profile-name: kubeflow-jlewi
+ user: jlewi@google.com
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: default-install-config
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/kustomization.yaml
new file mode 100644
index 0000000000..27e8377fdc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+patchesStrategicMerge:
+- profiles-config.yaml
+- default-install-config.yaml
+resources:
+- ../../../upstream/manifests/stacks/gcp # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/profiles-config.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/profiles-config.yaml
new file mode 100755
index 0000000000..a1f2d1432e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/profiles-config.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ admin: jlewi@google.com
+ gcp-sa: jl-stack-0409-204015-user@jlewi-dev.iam.gserviceaccount.com
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: profiles-config
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/service-accounts.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/service-accounts.yaml
new file mode 100644
index 0000000000..f223308384
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-apps/service-accounts.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kf-admin
+ annotations:
+ iam.gke.io/gcp-service-account: kf-kcc-0415-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-kcc-0415-001"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-issuer/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-issuer/kustomization.yaml
new file mode 100644
index 0000000000..57f7e77175
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-issuer/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/cert-manager/cert-manager/kubeflow-issuer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-istio/kustomization.yaml
new file mode 100644
index 0000000000..ecf7a4bb63
--- /dev/null
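Review bot: `gcp-sa` in profiles-config.yaml is `jl-stack-0409-204015-user@jlewi-dev.iam.gserviceaccount.com`, a service account in project `jlewi-dev`, while the rest of this instance targets `issue-label-bot-dev`; the line also carries no kpt setter comment, so it will not follow `gcloud.core.project`. This looks copied from another deployment, and if the value is used to bind the default profile it would tie this cluster to an identity in a different project. `admin: jlewi@google.com` here and `user: jlewi@google.com` / `profile-name: kubeflow-jlewi` in `default-install-config.yaml` likewise hard-code one person as admin and default profile owner. I would point `gcp-sa` at an account owned by this project, e.g. `gcp-sa: <NAME>-user@<PROJECT>.iam.gserviceaccount.com` (placeholder), and add a comment saying who is meant to own the default profile.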
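Review bot: The `iam.gke.io/gcp-service-account` annotation in kubeflow-apps/service-accounts.yaml names `kf-kcc-0415-admin@issue-label-bot-dev.iam.gserviceaccount.com` (setter value `kf-kcc-0415-001`), whereas the cloud-endpoints and iap-ingress copies of this file use `code-intelligence-admin@...`, and `gcp_config/iam_policy.yaml` grants `roles/iam.workloadIdentityUser` for `kubeflow/kf-admin` only on `code-intelligence-admin`. As written, `kf-admin` in `kubeflow` would presumably either fail to obtain credentials or depend on an account that belongs to another cluster. The file is also not listed in `kubeflow-apps/kustomization.yaml`, whose `patchesStrategicMerge` holds only `profiles-config.yaml` and `default-install-config.yaml`, so it may not be applied at all. Suggested: `iam.gke.io/gcp-service-account: code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com` with the setter value `code-intelligence`, plus `- service-accounts.yaml` in that kustomization.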
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/kubeflow-istio/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/istio/istio/base # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/metacontroller/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/metacontroller/kustomization.yaml
new file mode 100644
index 0000000000..4078d5af5a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/metacontroller/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../upstream/manifests/metacontroller/base # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"kustomize_manifests_path","value":"../../../upstream/manifests"}]}}
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/kustomization.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/kustomization.yaml
new file mode 100644
index 0000000000..a010c146f5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespaces.yaml
diff --git a/kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/namespaces.yaml b/kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/namespaces.yaml
new file mode 100644
index 0000000000..5e14408d5e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/kustomize/namespaces/namespaces.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ control-plane: kubeflow
+ katib-metricscollector-injection: enabled
+---
+# TODO(jlewi): This is also defined in the cert-manager package but it doesn't get
+# created in the right order.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
diff --git a/kubeflow_clusters/code-intelligence/instance/settings.yaml b/kubeflow_clusters/code-intelligence/instance/settings.yaml
new file mode 100644
index 0000000000..063ed853e6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/instance/settings.yaml
@@ -0,0 +1,6 @@
+# Name of kubeconfig contexts for various
+# TODO(jlewi): Add kpt setters?
+mgmt-ctxt: MANAGEMENT-CTXT # {"type":"string","x-kustomize":{"partialSetters":[{"name":"mgmt-ctxt","value":"MANAGEMENT-CTXT"}]}}
+project: issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+location: us-central1 # {"type":"string","x-kustomize":{"partialSetters":[{"name":"location","value":"us-central1"}]}}
+name: code-intelligence # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"code-intelligence"}]}}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/Kptfile b/kubeflow_clusters/code-intelligence/upstream/manifests/Kptfile
new file mode 100644
index 0000000000..0d2849f94b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/Kptfile
@@ -0,0 +1,11 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: code-intelligence
+upstream:
+ type: git
+ git:
+ commit: 193ca31ca0e32dfe3af082546d55e871e8a99521
+ repo: https://github.com/jlewi/manifests
+ directory: /
+ ref: fix_annotations
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/LICENSE b/kubeflow_clusters/code-intelligence/upstream/manifests/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
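Review bot: The Kptfile takes the vendored manifests from `repo: https://github.com/jlewi/manifests` at `ref: fix_annotations`, a personal fork and topic branch, even though the vendored README refers to kubeflow/manifests as the home of these packages. The `commit` field pins what was fetched, which is good, but the branch ref is what a later package update would follow, and a topic branch on a fork can be rebased or deleted without review by this repository's owners. I would note in the instance docs or PR description which fork-only changes are needed, and re-point `repo`/`ref` at kubeflow/manifests once they are merged there. A line such as `# TODO: switch upstream back to kubeflow/manifests once fix_annotations is merged` next to `repo:` would help, if kpt preserves comments in this file.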
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/OWNERS new file mode 100644 index 0000000000..d3fd2baf65 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/OWNERS @@ -0,0 +1,18 @@ +approvers: + - abhi-g + - animeshsingh + - ashahba + - gabrielwen + - hougangliu + - IronPan + - jlewi + - kkasravi + - kunmingg + - lluunn + - richardsliu + - swiftdiaries + - terrytangyuan + - yanniszark + - zhenghuiwang +reviewers: + - krishnadurai diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/README.md new file mode 100644 index 0000000000..729074fdac --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/README.md 
@@ -0,0 +1,239 @@ +# Manifests + +This repo contains [kustomize](https://kustomize.io/) packages for deploying Kubeflow applications. + + +If you are a contributor authoring or editing the packages please see [Best Practices](./docs/KustomizeBestPractices.md). + + +# Obsolete information + +The information below is obsolete. It pertains to using `kfctl` to generate `kustomization.yaml`. This was how things worked through Kubeflow 1.0.0. + +As described in [kubeflow/manifests#1062](https://github.com/kubeflow/manifests/issues/1062) we are working on fixing this in Kubeflow 1.1.0. + + +## Organization +Subdirectories within the repo hold kustomize targets (base or overlay subdirectory). Overlays contain additional functionality and multiple overlays may be mixed into the base (described below). Both base and overlay targets are processed by kfctl during generate and apply phases and is detailed in [Kfctl Processing](#kfctl-processing). + +See [Best Practices](./docs/KustomizeBestPractices.md) for details on how kustomize targets are created. + + +## Kfctl Processing +Kfctl traverses directories under manifests/kfdef to find and build kustomize targets based on the configuration file `app.yaml`. The contents of app.yaml is the result of running kustomize on the base and specific overlays in the kubeflow/manifests [kfdef](https://github.com/kubeflow/manifests/tree/master/kfdef) directory. The overlays reflect what options are chosen when calling `kfctl init...`. The kustomize package manager in kfctl will then read app.yaml and apply the packages, components and componentParams to kustomize in the following way: + +- **packages** + - are always top-level directories under the manifests repo +- **components** + - are also directories but may be a subdirectory in a package. + - a component may also be a package if there is a base or overlay in the top level directory. + - otherwise a component is a sub-directory under the package directory. 
+ - in all cases a component's name in app.yaml must match the directory name. + - components are output as `.yaml` under the kustomize subdirectory during `kfctl generate...`. + - in order to output a component, a kustomization.yaml is created above the base or overlay directory and inherits common parameters, namespace and labels of the base or overlay. Additionally it adds the namespace and an application label. +``` +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: + - /{base|overlay/} +commonLabels: + app.kubernetes.io/name: +namespace: + +``` +- **component parameters** + - are applied to a component's params.env file. There must be an entry whose key matches the component parameter. The params.env file is used to generate a ConfigMap. Entries in params.env are resolved as kustomize vars or referenced in a deployment or statefulset env section in which case no var definition is needed. + +### Multiple overlays + +Kfctl may combine more than one overlay during `kfctl generate ...`. An example is shown below where the profiles target in [manifests](https://github.com/kubeflow/manifests/tree/master/profiles) can include either debug changes in the Deployment or Device information in the Namespace (the devices overlay is not fully integrated with the Profile-controller at this point in time and is intended as an example) or **both**. + +``` +profiles +├── base +│   └── kustomization.yaml +└── overlays + ├── debug + │   └── kustomization.yaml + └── devices + └── kustomization.yaml +``` + +#### What are Multiple Overlays? + +Normally kustomize provides the ability to overlay a 'base' set of resources with changes that are merged into the base from resources that are located under an overlays subdirectory. For example +if the kustomize [target](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/glossary.md#target) is named foo there will be a foo/base and possibly one or more overlays such as foo/overlays/bar. 
A kustomization.yaml file is found in both foo/base and foo/overlays/bar. Running `kustomize build` in foo/base will generate resources as defined in kustomization.yaml. Running `kustomize build` in foo/overlays/bar will generate resources - some of which will overlay the resources in foo/base. + +Kustomize doesn't provide for an easy way to combine more than one overlay for example foo/overlays/bar, foo/overlays/baz. However this is an open feature request in kustomize [issues](https://github.com/kubernetes-sigs/kustomize/issues/759). The ability to combine more than one overlay is key to handling components like tf-job-operator which has several types of overlays that can 'mix-in' whether a TFJob is submitted to a namespace or cluster-wide and whether the TFJob uses gang-scheduling. + +#### Merging multiple overlays + +Since each overlay includes '../../base' as its base set of resources - combining several overlays where each includes '../../base' will cause `kustomize build` to abort, complaining that it recursed on base. The approach is to create a kustomization.yaml at the target level that includes base and the contents of each overlay's kustomization file. This requires some path corrections and some awareness of the behavior of configMapGenerator, secretMapGenerator and how they are copied from each overlay. This kustomization.yaml can be constructed manually, but is integrated within kfctl via the app.yaml file. Using tf-job-operator as an example, if its componentParams has the following +``` + componentParams: + tf-job-operator: + - name: overlay + value: cluster + - name: overlay + - value: gangscheduled +``` + +Then the result will be to combine these overlays eg 'mixin' an overlays in the kustomization.yaml file. + +#### Merging multiple overlays to generate app.yaml + +In the past when `kfctl init ...` was called it would download the kubeflow repo under `/.cache` and read one of the config files under `.cache/kubeflow//bootstrap/config`. 
These config files define packages, components and component parameters (among other things). Each config file is a compatible k8 resource of kind *KfDef*. The config files are: + +- kfctl_default.yaml +- kfctl_basic_auth.yaml +- kfctl_iap.yaml + +Both kfctl_basic_auth.yaml and kfctl_iap.yaml contained the contents of kfctl_default.yaml plus additional changes specific to using kfctl_basic_auth.yaml when --use_basic_auth is passed in or kfctl_iap.yaml when --platform gcp is passed in . This has been refactored to use kustomize where the config/base holds kfctl_default and additional overlays add to the base. The directory now looks like: + +``` +. +└── config + ├── base + │   ├── kfctl_default.yaml + │   └── kustomization.yaml + └── overlays + ├── basic_auth + │   ├── kfctl_default-patch.yaml + │   ├── kfctl_default.yaml + │   └── kustomization.yaml + ├── gcp + │   ├── kfctl_default-patch.yaml + │   ├── kfctl_default.yaml + │   └── kustomization.yaml + ├── ksonnet + │   ├── kfctl_default-patch.yaml + │   ├── kfctl_default.yaml + │   └── kustomization.yaml + └── kustomize + ├── kfctl_default-patch.yaml + ├── kfctl_default.yaml + └── kustomization.yaml +``` + +Where ksonnet and kustomize hold differing ways of handling the pipeline manifest. + +Based on the cli args to `kfctl init...`, the correct overlays will be merged to produce an app.yaml. 
+The original files have been left as is until UI integration can be completed in a separate PR + +### Using kustomize + +Generating yaml output for any target can be done using kustomize in the following way: + +#### Install kustomize + +`go get -u github.com/kubernetes-sigs/kustomize` + +### Run kustomize + +#### Example + +```bash +git clone https://github.com/kubeflow/manifests +cd manifests//base +kustomize build | tee +``` + +Kustomize inputs to kfctl based on app.yaml which is derived from files under kfdef/ such as [kfdef/kfctl_k8s_istio.yaml](https://github.com/kubeflow/manifests/blob/master/kfdef/kfctl_k8s_istio.yaml): + +``` +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + ...... 
+ - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: johnDoe@acme.com + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master +``` + +Outputs from kfctl (no platform specified): +``` +kustomize +├── api-service +│   ├── base +│   │   ├── config-map.yaml +│   │   ├── deployment.yaml +│   │   ├── kustomization.yaml +│   │   ├── role-binding.yaml +│   │   ├── role.yaml +│   │   ├── service-account.yaml +│   │   └── service.yaml +│   ├── kustomization.yaml +│   └── overlays +│   └── application +│   ├── application.yaml +│   └── kustomization.yaml +├── argo +│   ├── base +│   │   ├── cluster-role-binding.yaml +│   │   ├── cluster-role.yaml +│   │   ├── config-map.yaml +│   │   ├── crd.yaml +│   │   ├── deployment.yaml +│   │   ├── kustomization.yaml +│   │   ├── params.env +│   │   ├── params.yaml +│   │   ├── service-account.yaml +│   │   └── service.yaml +│   ├── kustomization.yaml +│   └── overlays +│   ├── application +│   │   ├── application.yaml +│   │   └── kustomization.yaml +│   └── istio +│   ├── kustomization.yaml +│   ├── params.yaml +│   └── virtual-service.yaml +...... +``` + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..c868ca532d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role-binding.yaml 
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-role
+subjects:
+- kind: ServiceAccount
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role.yaml
new file mode 100644
index 0000000000..5cb8e6edb2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/cluster-role.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cluster-role
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - delete
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/config-map.yaml
new file mode 100644
index 0000000000..fd9bef8b1a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/config-map.yaml
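Review bot: The bootstrap ClusterRole in bootstrap/base/cluster-role.yaml grants `'*'` on `secrets` in every namespace, which is far more than the visible part of create_ca.sh uses: it applies one secret in `${namespace}` and patches one webhook configuration. Because it is bound with a ClusterRoleBinding, the bootstrap service account can read and overwrite any Secret in the cluster, so a compromise of that pod or its image exposes every credential stored as a Secret. Move the `secrets` and `pods` rules into a namespaced Role and RoleBinding with explicit verbs such as `verbs: [get, create, patch]`, and narrow the `mutatingwebhookconfigurations` rule to `verbs: [get, patch]` with a `resourceNames` entry for the one configuration it manages. Both bootstrap RBAC files also use `rbac.authorization.k8s.io/v1beta1`, while the webhook's RBAC in this same commit uses `v1`.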
@@ -0,0 +1,131 @@ +apiVersion: v1 +data: + create_ca.sh: | + #!/bin/bash + + set -e + + usage() { + cat <> ${tmpdir}/csr.conf + [req] + req_extensions = v3_req + distinguished_name = req_distinguished_name + [req_distinguished_name] + [ v3_req ] + basicConstraints = CA:FALSE + keyUsage = nonRepudiation, digitalSignature, keyEncipherment + extendedKeyUsage = serverAuth + subjectAltName = @alt_names + [alt_names] + DNS.1 = ${service} + DNS.2 = ${service}.${namespace} + DNS.3 = ${service}.${namespace}.svc + EOF + + openssl genrsa -out ${tmpdir}/server-key.pem 2048 + openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf + + # Self sign + openssl x509 -req -days 365 -in ${tmpdir}/server.csr -CA ${tmpdir}/self_ca.crt -CAkey ${tmpdir}/self_ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem + + # create the secret with CA cert and server cert/key + kubectl create secret generic ${secret} \ + --from-file=key.pem=${tmpdir}/server-key.pem \ + --from-file=cert.pem=${tmpdir}/server-cert.pem \ + --dry-run -o yaml | + kubectl -n ${namespace} apply -f - + + # Webhook pod needs to be restarted so that the service reload the secret + # http://github.com/kueflow/kubeflow/issues/3227 + webhookPod=$(kubectl get pods -n ${namespace} |grep ${webhookDeploymentName} |awk '{print $1;}') + # ignore error if webhook pod does not exist + kubectl delete pod ${webhookPod} 2>/dev/null || true + echo "webhook ${webhookPod} is restarted to utilize the new secret" + + cat ${tmpdir}/self_ca.crt + + # -a means base64 encode + caBundle=$(cat ${tmpdir}/self_ca.crt | openssl enc -a -A) + echo ${caBundle} + + patchString='[{"op": "replace", "path": "/webhooks/0/clientConfig/caBundle", "value":"{{CA_BUNDLE}}"}]' + patchString=$(echo ${patchString} | sed "s|{{CA_BUNDLE}}|${caBundle}|g") + echo ${patchString} + + checkWebhookConfig() { + currentBundle=$(kubectl get mutatingwebhookconfigurations -n ${namespace} 
${mutatingWebhookConfigName} -o jsonpath='{.webhooks[0].clientConfig.caBundle}') + [[ "$currentBundle" == "$caBundle" ]] + } + + while true; do + if ! checkWebhookConfig; then + echo "patching ca bundle for webhook configuration..." + kubectl patch mutatingwebhookconfiguration ${mutatingWebhookConfigName} \ + --type='json' -p="${patchString}" + fi + sleep 10 + done +kind: ConfigMap +metadata: + name: config-map diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/kustomization.yaml new file mode 100644 index 0000000000..f87503b206 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/kustomization.yaml @@ -0,0 +1,39 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- config-map.yaml +- service-account.yaml +- stateful-set.yaml +commonLabels: + kustomize.component: admission-webhook-bootstrap +namePrefix: admission-webhook-bootstrap- +images: +- name: gcr.io/kubeflow-images-public/ingress-setup + newName: gcr.io/kubeflow-images-public/ingress-setup + newTag: latest +generatorOptions: + disableNameSuffixHash: true +configurations: +- params.yaml +namespace: kubeflow +configMapGenerator: +- name: config-map + behavior: merge + env: params.env +vars: +- name: webhookNamePrefix + objref: + kind: ConfigMap + name: config-map + apiVersion: v1 + fieldref: + fieldpath: data.webhookNamePrefix +- name: namespace + objref: + kind: ConfigMap + name: config-map + apiVersion: v1 + fieldref: + fieldpath: data.namespace diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.env new file mode 100644 index 0000000000..764fb2fbea --- /dev/null 
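Review bot: create_ca.sh finds the webhook pod with `kubectl get pods -n ${namespace}` but deletes it with `kubectl delete pod ${webhookPod}` and no namespace, and `2>/dev/null || true` hides any failure, so the restart may silently not happen if kubectl's default namespace differs from `${namespace}`; use `kubectl delete pod -n ${namespace} ${webhookPod} 2>/dev/null || true`. The server certificate is signed with `-days 365`, while the closing `while true` loop only re-patches the CA bundle, so nothing visible renews the certificate if the pod stays up for a year; add a comment stating how renewal is expected to happen. The script as shown on this page appears to be missing its opening part (usage text and CA creation), so this covers only the visible lines.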
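Review bot: The `images` entry in bootstrap/base/kustomization.yaml pins ingress-setup to `newTag: latest`, and bootstrap/base/stateful-set.yaml references `ingress-setup:latest` as well. A mutable tag means whatever is pushed to that repository next runs under the bootstrap service account, which this commit binds to a ClusterRole with wildcard verbs on `secrets`. Pin the image to a reviewed digest instead, for example `digest: sha256:<digest-of-reviewed-image>` in place of `newTag: latest`.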
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.env
@@ -0,0 +1,2 @@
+namespace=kubeflow
+webhookNamePrefix=admission-webhook-
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.yaml
new file mode 100644
index 0000000000..3c77a16725
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: data/create_ca.sh
+ kind: ConfigMap
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/service-account.yaml
new file mode 100644
index 0000000000..a36cbd800f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/stateful-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/stateful-set.yaml
new file mode 100644
index 0000000000..a84c273fd6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/base/stateful-set.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: stateful-set
+spec:
+ replicas: 1
+ serviceName: service
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - command:
+ - sh
+ - /var/webhook-config/create_ca.sh
+ image: gcr.io/kubeflow-images-public/ingress-setup:latest
+ name: bootstrap
+ volumeMounts:
+ - mountPath: /var/webhook-config/
+ name: admission-webhook-config
+ restartPolicy: Always
+ serviceAccountName: service-account
+ volumes:
+ - configMap:
+ name: config-map
+ name: admission-webhook-config
+ # Workaround for https://github.com/kubernetes-sigs/kustomize/issues/677
+ volumeClaimTemplates: []
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/application.yaml
new file mode 100644
index 0000000000..2ed77f16f3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/application.yaml
@@ -0,0 +1,34 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: bootstrap
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: bootstrap
+ app.kubernetes.io/instance: bootstrap-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: bootstrap
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: StatefulSet
+ - group: core
+ kind: ServiceAccount
+ descriptor:
+ type: bootstrap
+ version: v1beta1
+ description: Bootstraps the admission-webhook controller
+ maintainers: []
+ owners: []
+ keywords:
+ - admission-webhook
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubeflow/kubeflow/tree/master/components/admission-webhook
+ addOwnerRef: true
+
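Review bot: The container command in bootstrap/base/stateful-set.yaml runs the script as `sh /var/webhook-config/create_ca.sh`, which bypasses the script's `#!/bin/bash` line even though its `checkWebhookConfig` function relies on `[[ ... == ... ]]`. If `sh` in the ingress-setup image is not bash (the image is not visible here), that comparison fails on every pass and the loop re-patches the webhook configuration every 10 seconds. Invoke the script with `- bash` instead of `- sh`.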
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..ea76c634aa
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/bootstrap/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: bootstrap
+ app.kubernetes.io/name: bootstrap
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..f7fe51dff5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-role
+subjects:
+- kind: ServiceAccount
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role.yaml
new file mode 100644
index 0000000000..df74fde822
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/cluster-role.yaml
@@ -0,0 +1,65 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-role
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - poddefaults
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - create
+ - patch
+ - delete
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-poddefaults-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-poddefaults-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-poddefaults-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - poddefaults
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/crd.yaml
new file mode 100644
index 0000000000..df2b459c1a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/crd.yaml
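Review bot: The first ClusterRole in webhook/base/cluster-role.yaml gives the webhook's service account `update`, `create`, `patch` and `delete` on `poddefaults` cluster-wide, although a webhook that only applies PodDefaults to new pods would need to read them, not write them. PodDefault objects decide what is injected into pods (the CRD in this commit lists `env`, `volumes`, `volumeMounts` and `serviceAccountName`), so write access to them is sensitive. Unless the webhook code, which is not part of this page, writes PodDefaults, reduce the rule to `verbs: [get, list, watch]`. Separately, `kubeflow-poddefaults-admin` and `kubeflow-poddefaults-edit` aggregate only roles carrying labels that just `kubeflow-poddefaults-view` has in this file, so as written they grant read-only access; a comment should say whether that is intended.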
@@ -0,0 +1,51 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: poddefaults.kubeflow.org
+spec:
+ group: kubeflow.org
+ names:
+ kind: PodDefault
+ plural: poddefaults
+ singular: poddefault
+ scope: Namespaced
+ version: v1alpha1
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ desc:
+ type: string
+ serviceAccountName:
+ type: string
+ env:
+ items:
+ type: object
+ type: array
+ envFrom:
+ items:
+ type: object
+ type: array
+ selector:
+ type: object
+ volumeMounts:
+ items:
+ type: object
+ type: array
+ volumes:
+ items:
+ type: object
+ type: array
+ required:
+ - selector
+ type: object
+ status:
+ type: object
+ type: object
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/deployment.yaml
new file mode 100644
index 0000000000..2b0d28a960
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - image: gcr.io/kubeflow-images-public/admission-webhook:v20190520-v0-139-gcee39dbc-dirty-0d8f4c
+ name: admission-webhook
+ volumeMounts:
+ - mountPath: /etc/webhook/certs
+ name: webhook-cert
+ readOnly: true
+ volumes:
+ - name: webhook-cert
+ secret:
+ secretName: webhook-certs
+ serviceAccountName: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/kustomization.yaml
new file mode 100644
index 0000000000..8af6b93940
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/kustomization.yaml
@@ -0,0 +1,55 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- deployment.yaml
+- mutating-webhook-configuration.yaml
+- service-account.yaml
+- service.yaml
+- crd.yaml
+commonLabels:
+ app: admission-webhook
+ kustomize.component: admission-webhook
+namePrefix: admission-webhook-
+images:
+- name: gcr.io/kubeflow-images-public/admission-webhook
+ newName: gcr.io/kubeflow-images-public/admission-webhook
+ newTag: vmaster-gaf96e4e3
+namespace: kubeflow
+configMapGenerator:
+- envs:
+ - params.env
+ name: admission-webhook-parameters
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+# These vars are used to substitute in the namespace, service name and
+# deployment name into the mutating WebHookConfiguration.
+# Since its a CR kustomize isn't aware of those fields and won't
+# transform them.
+# We need the var names to be relatively unique so that when we
+# compose with other applications they won't conflict.
+- fieldref:
+ fieldPath: data.namespace
+ name: podDefaultsNamespace
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: admission-webhook-parameters
+- fieldref:
+ fieldPath: metadata.name
+ name: podDefaultsServiceName
+ objref:
+ apiVersion: v1
+ kind: Service
+ name: service
+- fieldref:
+ fieldPath: metadata.name
+ name: podDefaultsDeploymentName
+ objref:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: deployment
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/mutating-webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/mutating-webhook-configuration.yaml
new file mode 100644
index 0000000000..b1774bb8da
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/mutating-webhook-configuration.yaml
@@ -0,0 +1,21 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+webhooks:
+- clientConfig:
+ caBundle: ""
+ service:
+ name: $(podDefaultsServiceName)
+ namespace: $(podDefaultsNamespace)
+ path: /apply-poddefault
+ name: $(podDefaultsDeploymentName).kubeflow.org
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.env
new file mode 100644
index 0000000000..78166431d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.env
@@ -0,0 +1 @@
+namespace=kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.yaml
new file mode 100644
index 0000000000..444edeaf6f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/params.yaml
@@ -0,0 +1,7 @@
+varReference:
+- path: webhooks/clientConfig/service/namespace
+ kind: MutatingWebhookConfiguration
+- path: webhooks/clientConfig/service/name
+ kind: MutatingWebhookConfiguration
+- path: webhooks/name
+ kind: MutatingWebhookConfiguration
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service-account.yaml
new file mode 100644
index 0000000000..a36cbd800f
--- /dev/null
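Review bot: The webhook entry in webhook/base/mutating-webhook-configuration.yaml matches every pod CREATE in every namespace and sets neither `failurePolicy` nor `namespaceSelector`. With `admissionregistration.k8s.io/v1beta1` an omitted `failurePolicy` defaults to `Ignore`, so pods are admitted unmodified whenever the webhook is unreachable or its certificate is rejected, which includes the period while `caBundle: ""` has not yet been patched. State the policy explicitly (for example `failurePolicy: Ignore` with a comment explaining the choice) so the behaviour is a decision rather than a default. Also add a `namespaceSelector` that limits the webhook to namespaces meant to use PodDefaults, e.g. `matchLabels: {<label-on-profile-namespaces>: "<value>"}`, so system namespaces are not routed through it.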
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service.yaml
new file mode 100644
index 0000000000..b772a6a776
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/base/service.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: service
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/application.yaml
new file mode 100644
index 0000000000..fc31155e18
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/application.yaml
@@ -0,0 +1,41 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: webhook +spec: + selector: + matchLabels: + # TODO(jlewi): We should probably rename the app to PodDefaults + # as that is what the admission controller is actually doing. + # webhook is generic and uninformative. + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: webhook-v1.0.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: bootstrap + app.kubernetes.io/part-of: webhook + app.kubernetes.io/version: v1.0.0 + componentKinds: + # Do not select any cluster scoped resources + # as that will cause problems. + - group: core + kind: ConfigMap + - group: apps + kind: StatefulSet + - group: core + kind: Service + - group: core + kind: ServiceAccount + descriptor: + type: bootstrap + version: v1beta1 + description: injects volume, volume mounts, env vars into PodDefault + maintainers: [] + owners: [] + keywords: + - admission-webhook + - kubeflow + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/admission-webhook + addOwnerRef: true + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..c7435438d8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: webhook + app.kubernetes.io/name: webhook +kind: Kustomization +resources: +- application.yaml 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/certificate.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/certificate.yaml new file mode 100644 index 0000000000..7a969cbe9b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/certificate.yaml @@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + name: admission-webhook-cert +spec: + isCA: true + commonName: $(podDefaultsServiceName).$(podDefaultsNamespace).svc + dnsNames: + - $(podDefaultsServiceName).$(podDefaultsNamespace).svc + - $(podDefaultsServiceName).$(podDefaultsNamespace).svc.cluster.local + issuerRef: + kind: ClusterIssuer + name: $(podDefaultsIssuer) + secretName: webhook-certs \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/deployment.yaml new file mode 100644 index 0000000000..af4c7b60fc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/deployment.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: admission-webhook + args: + - --tlsCertFile=/etc/webhook/certs/tls.crt + - --tlsKeyFile=/etc/webhook/certs/tls.key diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/kustomization.yaml new file mode 100644 index 0000000000..97fed95eb0 --- /dev/null 
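Review bot: `isCA: true` in overlays/cert-manager/certificate.yaml makes the webhook's serving certificate a CA certificate, and deployment.yaml in the same overlay hands its key to the container (`--tlsKeyFile=/etc/webhook/certs/tls.key`). With params.env selecting `kubeflow-self-signing-issuer`, the CA that inject-ca-from writes into the webhook's caBundle is presumably this same certificate, so the key mounted in the workload could sign further certificates that the API server would accept for this webhook. Unless something depends on the CA bit, I would set `isCA: false` and add a comment that the secret `webhook-certs` holds a leaf key only. This should be verified against the cert-manager version deployed by this blueprint.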
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/kustomization.yaml @@ -0,0 +1,48 @@ +# This overlay uses CertManager to provision a certificate for the +# PodDefaults admission controller. This is preferred over the old +# way of using "bootstrap" which was running a shell script to create +# the certificate. +# TODO(jlewi): We should eventually refactor the manifests to delete +# bootstrap and use certmanager by default. +bases: +- ../../base + +resources: +- certificate.yaml + +patchesStrategicMerge: +- mutating-webhook-configuration.yaml +- deployment.yaml + +configMapGenerator: +- name: admission-webhook-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true + +vars: +# These vars are used to substitute in the namespace, service name and +# deployment name into the mutating WebHookConfiguration. +# Since its a CR kustomize isn't aware of those fields and won't +# transform them. +# We need the var names to be relatively unique so that when we +# compose with other applications they won't conflict. +- name: podDefaultsIssuer + objref: + kind: ConfigMap + name: admission-webhook-parameters + apiVersion: v1 + fieldref: + fieldpath: data.issuer +- name: podDefaultsCertName + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: admission-webhook-cert + fieldref: + fieldpath: metadata.name + +configurations: +- params.yaml \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml new file mode 100644 index 0000000000..de18f665bb --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(podDefaultsNamespace)/$(podDefaultsCertName) + \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.env new file mode 100644 index 0000000000..9cb4f7f838 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.env @@ -0,0 +1 @@ +issuer=kubeflow-self-signing-issuer \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.yaml new file mode 100644 index 0000000000..d082ffe092 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/overlays/cert-manager/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: spec/commonName + kind: Certificate +- path: spec/dnsNames + kind: Certificate +- path: spec/issuerRef/name + kind: Certificate +- path: metadata/annotations + kind: MutatingWebhookConfiguration diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/v3/kustomization.yaml new file mode 100644 index 0000000000..df268964e7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/admission-webhook/webhook/v3/kustomization.yaml 
@@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +commonLabels: + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults +kind: Kustomization +resources: +- ../overlays/cert-manager/ +- ../overlays/application/application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/crd.yaml new file mode 100644 index 0000000000..bd5a7b2938 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/crd.yaml 
@@ -0,0 +1,233 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: applications.app.k8s.io +spec: + group: app.k8s.io + names: + kind: Application + plural: applications + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + addOwnerRef: + type: boolean + assemblyPhase: + type: string + componentKinds: + items: + type: object + type: array + descriptor: + properties: + description: + type: string + icons: + items: + properties: + size: + type: string + src: + type: string + type: + type: string + required: + - src + type: object + type: array + keywords: + items: + type: string + type: array + links: + items: + properties: + description: + type: string + url: + type: string + type: object + type: array + maintainers: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + notes: + type: string + owners: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + type: + type: string + version: + type: string + type: object + info: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + ingressRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + host: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + secretKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string 
+ key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + serviceRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + port: + format: int32 + type: integer + resourceVersion: + type: string + uid: + type: string + type: object + type: + type: string + type: object + type: object + type: array + selector: + type: object + type: object + status: + properties: + components: + items: + properties: + group: + type: string + kind: + type: string + link: + type: string + name: + type: string + status: + type: string + type: object + type: array + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + lastUpdateTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + - status + type: object + type: array + observedGeneration: + format: int64 + type: integer + type: object + version: v1beta1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/kustomization.yaml new file mode 100644 index 0000000000..6e120e7b63 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application-crds/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..f7fe51dff5 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-role +subjects: +- kind: ServiceAccount + name: service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role.yaml new file mode 100644 index 0000000000..169fc3bb6d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/cluster-role.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update + - patch + - watch +- apiGroups: + - app.k8s.io + resources: + - '*' + verbs: + - '*' diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/kustomization.yaml new file mode 100644 index 0000000000..dcc6709165 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/kustomization.yaml 
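Review bot: The first rule in application/base/cluster-role.yaml grants get, list, update, patch and watch on `'*'` resources in `'*'` API groups, and cluster-role-binding.yaml binds that cluster-wide to the controller's service account. That covers reading every Secret and patching any workload in any namespace, which is far more than a controller that sets owner references on an Application's components appears to need. I would replace the wildcards with the groups and kinds the Application resources in this patch actually list under componentKinds (ConfigMap, Service, ServiceAccount, Deployment, StatefulSet) and keep `'*'` only for the `app.k8s.io` rule. If the wildcard has to stay, a comment above the rule should say why.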
@@ -0,0 +1,29 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role.yaml +- cluster-role-binding.yaml +- service-account.yaml +- service.yaml +- stateful-set.yaml +namespace: kubeflow +nameprefix: application-controller- +configMapGenerator: +- name: parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +images: +- name: gcr.io/kubeflow-images-public/kubernetes-sigs/application + newName: gcr.io/kubeflow-images-public/kubernetes-sigs/application + newTag: 1.0-beta +vars: +- name: project + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.project +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.env new file mode 100644 index 0000000000..8a76300feb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.env @@ -0,0 +1 @@ +project= diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.yaml new file mode 100644 index 0000000000..e544ce9bde --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/template/spec/containers/image + kind: StatefulSet diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service-account.yaml new file mode 100644 index 0000000000..a36cbd800f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service-account.yaml 
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service.yaml new file mode 100644 index 0000000000..c7368f9703 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: service +spec: + ports: + - port: 443 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/stateful-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/stateful-set.yaml new file mode 100644 index 0000000000..11e52d8500 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/base/stateful-set.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: stateful-set +spec: + serviceName: service + selector: + matchLabels: + app: application-controller + template: + metadata: + labels: + app: application-controller + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: manager + command: + - /root/manager + image: gcr.io/kubeflow-images-public/kubernetes-sigs/application + imagePullPolicy: Always + env: + # TODO(https://github.com/kubeflow/manifests/issues/1043) + # Do we really need this? + - name: project + value: $(project) + serviceAccountName: service-account + volumeClaimTemplates: [] diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/application.yaml new file mode 100644 index 0000000000..8824962857 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/application.yaml @@ -0,0 +1,34 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: kubeflow +spec: + selector: + matchLabels: + app.kubernetes.io/name: kubeflow + app.kubernetes.io/instance: kubeflow-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: kubeflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: app.k8s.io + kind: Application + descriptor: + type: kubeflow + version: v1beta1 + description: application that aggregates all kubeflow applications + maintainers: + - name: Jeremy Lewi + email: jlewi@google.com + - name: Kam Kasravi + email: kam.d.kasravi@intel.com + owners: + - name: Jeremy Lewi + email: jlewi@google.com + keywords: + - kubeflow + links: + - description: About + url: "https://kubeflow.org" + addOwnerRef: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..fcba25a239 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: kubeflow + app.kubernetes.io/name: kubeflow +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/kustomization.yaml new file mode 100644 index 0000000000..93fb76babc --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- stateful-set.yaml +images: +- name: gcr.io/$(project)/application-controller + newName: gcr.io/$(project)/application-controller + newTag: latest diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/stateful-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/stateful-set.yaml new file mode 100644 index 0000000000..9408dee619 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/application/overlays/debug/stateful-set.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: stateful-set +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: manager + image: gcr.io/$(project)/application-controller:latest + command: + - /go/bin/dlv + args: + - --listen=:2345 + - --headless=true + - --api-version=2 + - exec + - /go/src/github.com/kubernetes-sigs/application/manager + ports: + - containerPort: 2345 + securityContext: + privileged: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/application/v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/application/v3/kustomization.yaml new file mode 100644 index 0000000000..c2a802fba4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/application/v3/kustomization.yaml 
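Review bot: overlays/debug/stateful-set.yaml runs the manager with `privileged: true` and a headless Delve server on `--listen=:2345`, which accepts unauthenticated connections, so anything that can reach the pod on 2345 controls a process inside a privileged container. Binding the debugger to loopback with `- --listen=127.0.0.1:2345` and reaching it through `kubectl port-forward` keeps the overlay usable. Replacing `privileged: true` with `capabilities: {add: ["SYS_PTRACE"]}` is probably sufficient for dlv, though that needs checking on the target runtime. The `newTag: latest` in the overlay's kustomization.yaml also means the debugged binary is not pinned. A header comment stating that this overlay is for local debugging and must not be composed into v3 would make the intent explicit.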
@@ -0,0 +1,22 @@ +# This kustomize package contains a complete install +# of the application CR and controller for use with +# http://bit.ly/kf_kustomize_v3 +# TODO(jlewi): Once we migrate fully to stacks we might want +# to refactor and cleanup the manifests. +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +nameprefix: application-controller- +resources: +- ../application-crds/base +- ../application/base/cluster-role.yaml +- ../application/base/cluster-role-binding.yaml +- ../application/base/service-account.yaml +- ../application/base/service.yaml +- ../application/base/stateful-set.yaml +- ../application/overlays/application/application.yaml +images: +- name: gcr.io/kubeflow-images-public/kubernetes-sigs/application + newName: gcr.io/kubeflow-images-public/kubernetes-sigs/application + newTag: 1.0-beta + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..979873c68d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role-binding.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: argo + name: argo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo +subjects: +- kind: ServiceAccount + name: argo + namespace: kubeflow +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: argo-ui + name: argo-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-ui +subjects: +- kind: ServiceAccount + name: argo-ui 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role.yaml new file mode 100644 index 0000000000..9dc02e118e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/cluster-role.yaml @@ -0,0 +1,85 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: argo + name: argo +rules: +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - sparkoperator.k8s.io + resources: + - sparkapplications + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: argo + name: argo-ui +rules: +- apiGroups: + - "" + resources: + - pods + - pods/exec + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/config-map.yaml new file mode 100644 index 0000000000..710c342e49 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/config-map.yaml 
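Review bot: Both ClusterRoles in argo/base/cluster-role.yaml are bound through ClusterRoleBindings, so `create` on `pods/exec` for `argo` and `get` on `secrets` for `argo-ui` apply in every namespace rather than only in kubeflow. For `argo-ui` this lets the UI's service account read any Secret in the cluster by name, and its `pods/exec` entry looks unnecessary given that deployment.yaml sets `ENABLE_WEB_CONSOLE` to `'false'`. If workflows run only in kubeflow, the same rules would fit in a namespaced Role and RoleBinding. At minimum I would drop `- pods/exec` from the argo-ui rule and restrict the secrets rule with `resourceNames`. Separately, the `argo-ui` subject in cluster-role-binding.yaml has no `namespace` while the `argo` subject does, so it is worth confirming the rendered binding resolves to the intended account.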
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: workflow-controller-configmap + namespace: kubeflow +data: + config: | + { + executorImage: $(executorImage), + containerRuntimeExecutor: $(containerRuntimeExecutor), + artifactRepository: + { + s3: { + bucket: $(artifactRepositoryBucket), + keyPrefix: $(artifactRepositoryKeyPrefix), + endpoint: $(artifactRepositoryEndpoint), + insecure: $(artifactRepositoryInsecure), + accessKeySecret: { + name: $(artifactRepositoryAccessKeySecretName), + key: $(artifactRepositoryAccessKeySecretKey) + }, + secretKeySecret: { + name: $(artifactRepositorySecretKeySecretName), + key: $(artifactRepositorySecretKeySecretKey) + } + } + } + } + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/crd.yaml new file mode 100644 index 0000000000..1b978a7ae7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/crd.yaml @@ -0,0 +1,15 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: workflows.argoproj.io +spec: + group: argoproj.io + names: + kind: Workflow + listKind: WorkflowList + plural: workflows + shortNames: + - wf + singular: workflow + scope: Namespaced + version: v1alpha1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/deployment.yaml new file mode 100644 index 0000000000..17ae4d6058 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/deployment.yaml 
@@ -0,0 +1,111 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: argo-ui + name: argo-ui + namespace: kubeflow +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: argo-ui + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: argo-ui + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - env: + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: IN_CLUSTER + value: 'true' + - name: ENABLE_WEB_CONSOLE + value: 'false' + - name: BASE_HREF + value: /argo/ + image: argoproj/argoui:v2.3.0 + imagePullPolicy: IfNotPresent + name: argo-ui + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + readinessProbe: + httpGet: + path: / + port: 8001 + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: argo-ui + serviceAccountName: argo-ui + terminationGracePeriodSeconds: 30 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: workflow-controller + name: workflow-controller + namespace: kubeflow +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: workflow-controller + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: workflow-controller + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - args: + - --configmap + - workflow-controller-configmap + command: + - workflow-controller + env: + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: argoproj/workflow-controller:v2.3.0 + imagePullPolicy: IfNotPresent + name: workflow-controller + resources: {} + 
terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: argo + serviceAccountName: argo + terminationGracePeriodSeconds: 30 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/kustomization.yaml new file mode 100644 index 0000000000..481dad107f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/kustomization.yaml 
@@ -0,0 +1,111 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- config-map.yaml +- crd.yaml +- deployment.yaml +- service-account.yaml +- service.yaml +commonLabels: + kustomize.component: argo +images: +- name: argoproj/argoui + newName: argoproj/argoui + newTag: v2.3.0 +- name: argoproj/workflow-controller + newName: argoproj/workflow-controller + newTag: v2.3.0 +configMapGenerator: +- name: workflow-controller-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: executorImage + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.executorImage +- name: containerRuntimeExecutor + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.containerRuntimeExecutor +- name: artifactRepositoryBucket + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryBucket +- name: artifactRepositoryKeyPrefix + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryKeyPrefix +- name: artifactRepositoryEndpoint + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryEndpoint +- name: artifactRepositoryInsecure + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryInsecure +- name: artifactRepositoryAccessKeySecretName + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryAccessKeySecretName +- name: artifactRepositoryAccessKeySecretKey + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: 
data.artifactRepositoryAccessKeySecretKey +- name: artifactRepositorySecretKeySecretName + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositorySecretKeySecretName +- name: artifactRepositorySecretKeySecretKey + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositorySecretKeySecretKey +- name: namespace + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +- name: clusterDomain + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.env new file mode 100644 index 0000000000..2bb20197ba --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.env @@ -0,0 +1,12 @@ +namespace= +executorImage=argoproj/argoexec:v2.3.0 +containerRuntimeExecutor=docker +artifactRepositoryBucket=mlpipeline +artifactRepositoryKeyPrefix=artifacts +artifactRepositoryEndpoint=minio-service.kubeflow:9000 +artifactRepositoryInsecure=true +artifactRepositoryAccessKeySecretName=mlpipeline-minio-artifact +artifactRepositoryAccessKeySecretKey=accesskey +artifactRepositorySecretKeySecretName=mlpipeline-minio-artifact +artifactRepositorySecretKeySecretKey=secretkey +clusterDomain=cluster.local diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.yaml new file mode 100644 index 0000000000..eade9a871d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/params.yaml 
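Review bot: `artifactRepositoryInsecure=true` in argo/base/params.env makes the workflow controller and executors reach `minio-service.kubeflow:9000` without TLS, so artifact contents cross the pod network unencrypted and unauthenticated at the transport layer. `containerRuntimeExecutor=docker` is the other default worth a second look: as far as I know the docker executor relies on the node's Docker socket being available to workflow pods, which is a broad grant on a shared cluster. Neither default carries a comment. I would record the reasoning next to the values (in kustomization.yaml if the env file format is to stay comment-free), e.g. `# insecure=true: in-cluster MinIO without TLS; set to false when the endpoint serves TLS`. `namespace=` is also empty while service.yaml substitutes `$(namespace)` into `argo-ui.$(namespace)`, so the rendered mapping should be checked.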
@@ -0,0 +1,7 @@
+varReference:
+- path: data/config
+ kind: ConfigMap
+- path: data/config
+ kind: Deployment
+- path: metadata/annotations/getambassador.io\/config
+ kind: Service
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service-account.yaml
new file mode 100644
index 0000000000..6f463d9666
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service-account.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argo
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argo-ui
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service.yaml
new file mode 100644
index 0000000000..ee0e0bd407
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/base/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ getambassador.io/config: |-
+ ---
+ apiVersion: ambassador/v0
+ kind: Mapping
+ name: argo-ui-mapping
+ prefix: /argo/
+ service: argo-ui.$(namespace)
+ labels:
+ app: argo-ui
+ name: argo-ui
+ namespace: kubeflow
+spec:
+ ports:
+ - port: 80
+ targetPort: 8001
+ selector:
+ app: argo-ui
+ sessionAffinity: None
+ type: NodePort
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/application.yaml
new file mode 100644
index 0000000000..ca45c4aa53
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/application.yaml
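Review bot: `type: NodePort` in argo/base/service.yaml publishes the `argo-ui` Service on a port of every node, so the UI is reachable by anything that can reach node addresses, outside whatever authentication the gateway applies. The Ambassador mapping in this file and the Istio VirtualService added later in the patch both address the Service by its cluster DNS name, so `type: ClusterIP` should be enough. The two ServiceAccounts in service-account.yaml are also inconsistent: `argo-ui` sets `namespace: kubeflow` while `argo` sets none.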
@@ -0,0 +1,38 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: argo
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: argo
+ app.kubernetes.io/instance: argo-v2.3.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: argo
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v2.3.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: core
+ kind: Service
+ - group: networking.istio.io
+ kind: VirtualService
+ descriptor:
+ type: argo
+ version: v1beta1
+ description: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes
+ maintainers: []
+ owners: []
+ keywords:
+ - argo
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/argoproj/argo
+ addOwnerRef: true
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..1f5a6feabc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: argo
+ app.kubernetes.io/name: argo
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/kustomization.yaml
new file mode 100644
index 0000000000..fcd00db904
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- virtual-service.yaml
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/params.yaml
new file mode 100644
index 0000000000..eea869e0d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+ kind: VirtualService
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/virtual-service.yaml
new file mode 100644
index 0000000000..59449ed0c5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/argo/overlays/istio/virtual-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: argo-ui
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /argo/
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: argo-ui.$(namespace).svc.$(clusterDomain)
+ port:
+ number: 80
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/OWNERS
new file mode 100644
index 0000000000..3ca90a3e8e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/OWNERS
@@ -0,0 +1,3 @@
+approvers:
+ - jeffwan
+ - mameshin
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..3255be65fb
--- /dev/null
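Review bot: The `argo-ui` VirtualService in overlays/istio/virtual-service.yaml matches `hosts: '*'` on `kubeflow-gateway` and forwards `/argo/` with no policy of its own, so its only access control is whatever the gateway enforces. The commit description says the ingress policy will be changed to validate Dialogflow calls differently from IAP traffic; that exception should be scoped to the webhook path so `/argo/` stays under the IAP JWT check. A comment above `http:` such as `# access control for /argo/ is enforced at kubeflow-gateway only` would record the dependency.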
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: alb-ingress-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: alb-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: alb-ingress-controller
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role.yaml
new file mode 100644
index 0000000000..8910eaad16
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/cluster-role.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: alb-ingress-controller
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - ingresses
+ - ingresses/status
+ - services
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+ - patch
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - nodes
+ - pods
+ - secrets
+ - services
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/deployment.yaml
new file mode 100644
index 0000000000..e4b748b25c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/deployment.yaml
@@ -0,0 +1,53 @@
+# Application Load Balancer (ALB) Ingress Controller Deployment Manifest.
+# This manifest details sensible defaults for deploying an ALB Ingress Controller.
+# GitHub: https://github.com/kubernetes-sigs/aws-alb-ingress-controller
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: alb-ingress-controller
+ # Namespace the ALB Ingress Controller should run in. Does not impact which
+ # namespaces it's able to resolve ingress resource for. For limiting ingress
+ # namespace scope, see --watch-namespace.
+# namespace: kubeflow
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: alb-ingress-controller
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: alb-ingress-controller
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: alb-ingress-controller
+ args:
+ # Limit the namespace where this ALB Ingress Controller deployment will
+ # resolve ingress resources. If left commented, all namespaces are used.
+ # - --watch-namespace=your-k8s-namespace
+
+ # Setting the ingress-class flag below ensures that only ingress resources with the
+ # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
+ # choose any class you'd like for this controller to respect.
+ - --ingress-class=alb
+
+ # REQUIRED
+ # Name of your cluster. Used when naming resources created
+ # by the ALB Ingress Controller, providing distinction between
+ # clusters.
+# - --cluster-name=$(CLUSTER_NAME)
+ - --cluster-name=$(CLUSTER_NAME)
+
+ # AWS VPC ID this ingress controller will use to create AWS resources.
+ # If unspecified, it will be discovered from ec2metadata.
+ # - --aws-vpc-id=vpc-xxxxxx
+
+ # AWS region this ingress controller will operate in.
+ # If unspecified, it will be discovered from ec2metadata.
+ # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
+ # - --aws-region=us-west-1
+ # Repository location of the ALB Ingress Controller.
+ image: docker.io/amazon/aws-alb-ingress-controller
+ imagePullPolicy: Always
+ serviceAccountName: alb-ingress-controller
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/kustomization.yaml
new file mode 100644
index 0000000000..ef54cbf074
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/kustomization.yaml
@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- cluster-role.yaml
+- cluster-role-binding.yaml
+- deployment.yaml
+- service-account.yaml
+commonLabels:
+ kustomize.component: aws-alb-ingress-controller
+generatorOptions:
+ disableNameSuffixHash: true
+images:
+- name: docker.io/amazon/aws-alb-ingress-controller
+ newName: docker.io/amazon/aws-alb-ingress-controller
+ newTag: v1.1.5
+configMapGenerator:
+- name: alb-ingress-controller-parameters
+ env: params.env
+vars:
+- name: CLUSTER_NAME
+ objref:
+ kind: ConfigMap
+ name: alb-ingress-controller-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.clusterName
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/params.env
new file mode 100644
index 0000000000..3c96b738ee
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/params.env
@@ -0,0 +1 @@
+clusterName=
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/service-account.yaml
new file mode 100644
index 0000000000..38af5f1fc2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: alb-ingress-controller
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/application.yaml
new file mode 100644
index 0000000000..8d18c30740
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/application.yaml
@@ -0,0 +1,36 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: aws-alb-ingress-controller
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: aws-alb-ingress-controller
+ app.kubernetes.io/instance: aws-alb-ingress-controller-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: aws-alb-ingress-controller
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
+ componentKinds:
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ descriptor:
+ type: aws-alb-ingress-controller
+ version: v1beta1
+ description: Application Load Balancer (ALB) Ingress Controller Deployment Manifest provides sensible defaults for deploying an ALB Ingress Controller
+ maintainers:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ owners:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ keywords:
+ - aws
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubernetes-sigs/aws-alb-ingress-controller
+ addOwnerRef: true
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..04a5cb53f1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/application/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: aws-alb-ingress-controller
+ app.kubernetes.io/name: aws-alb-ingress-controller
+kind: Kustomization
+resources:
+- ../../base
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/kustomization.yaml
new file mode 100644
index 0000000000..4e9ff0df0d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+patchesStrategicMerge:
+- vpc.yaml
+configMapGenerator:
+- name: alb-ingress-controller-vpc-parameters
+ env: params.env
+vars:
+- name: VPC_ID
+ objref:
+ kind: ConfigMap
+ name: alb-ingress-controller-vpc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.vpcId
+- name: REGION
+ objref:
+ kind: ConfigMap
+ name: alb-ingress-controller-vpc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.region
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/params.env
new file mode 100644
index 0000000000..c825927711
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/params.env
@@ -0,0 +1,2 @@
+vpcId=
+region=us-west-2
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/vpc.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/vpc.yaml
new file mode 100644
index 0000000000..a4af0a92b7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-alb-ingress-controller/overlays/vpc/vpc.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: alb-ingress-controller
+ labels:
+ missing: label
+spec:
+ selector:
+ matchLabels:
+ missing: label
+ template:
+ metadata:
+ labels:
+ missing: label
+ spec:
+ containers:
+ - name: alb-ingress-controller
+ args:
+ # AWS VPC ID this ingress controller will use to create AWS resources.
+ # If unspecified, it will be discovered from ec2metadata.
+ - --aws-vpc-id=$(VPC_ID)
+
+ # AWS region this ingress controller will operate in.
+ # If unspecified, it will be discovered from ec2metadata.
+ # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
+ - --aws-region=$(REGION)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-driver.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-driver.yaml
new file mode 100644
index 0000000000..092a69acfc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-driver.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: storage.k8s.io/v1beta1
+kind: CSIDriver
+metadata:
+ name: efs.csi.aws.com
+spec:
+ attachRequired: false
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-node-daemonset.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-node-daemonset.yaml
new file mode 100644
index 0000000000..8a263ce5ca
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/csi-node-daemonset.yaml
@@ -0,0 +1,99 @@
+---
+# Node Service
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: efs-csi-node
+spec:
+ selector:
+ matchLabels:
+ app: efs-csi-node
+ template:
+ metadata:
+ labels:
+ app: efs-csi-node
+ spec:
+ nodeSelector:
+ beta.kubernetes.io/os: linux
+ hostNetwork: true
+ tolerations:
+ - operator: Exists
+ containers:
+ - name: efs-plugin
+ securityContext:
+ privileged: true
+ image: amazon/aws-efs-csi-driver:latest
+ args:
+ - --endpoint=$(CSI_ENDPOINT)
+ - --logtostderr
+ - --v=5
+ env:
+ - name: CSI_ENDPOINT
+ value: unix:/csi/csi.sock
+ volumeMounts:
+ - name: kubelet-dir
+ mountPath: /var/lib/kubelet
+ mountPropagation: "Bidirectional"
+ - name: plugin-dir
+ mountPath: /csi
+ - name: efs-state-dir
+ mountPath: /var/run/efs
+ ports:
+ - containerPort: 9809
+ name: healthz
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ periodSeconds: 2
+ failureThreshold: 5
+ - name: csi-driver-registrar
+ image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
+ args:
+ - --csi-address=$(ADDRESS)
+ - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+ - --v=5
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ - name: DRIVER_REG_SOCK_PATH
+ value: /var/lib/kubelet/plugins/efs.csi.aws.com/csi.sock
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /csi
+ - name: registration-dir
+ mountPath: /registration
+ - name: liveness-probe
+ imagePullPolicy: Always
+ image: quay.io/k8scsi/livenessprobe:v1.1.0
+ args:
+ - --csi-address=/csi/csi.sock
+ - --health-port=9809
+ volumeMounts:
+ - mountPath: /csi
+ name: plugin-dir
+ volumes:
+ - name: kubelet-dir
+ hostPath:
+ path: /var/lib/kubelet
+ type: Directory
+ - name: registration-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins_registry/
+ type: Directory
+ - name: plugin-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins/efs.csi.aws.com/
+ type: DirectoryOrCreate
+ - name: efs-state-dir
+ hostPath:
+ path: /var/run/efs
+ type: DirectoryOrCreate
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/kustomization.yaml
new file mode 100644
index 0000000000..70cefc0717
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/base/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- csi-driver.yaml
+- csi-node-daemonset.yaml
+generatorOptions:
+ disableNameSuffixHash: true
+images:
+- name: amazon/aws-efs-csi-driver
+ newName: amazon/aws-efs-csi-driver
+ newTag: v0.3.0
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/application.yaml
new file mode 100644
index 0000000000..ba0ecc1cfd
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/application.yaml
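Review bot: The `efs-plugin` container in aws-efs-csi-driver/base/csi-node-daemonset.yaml runs with `privileged: true`, `hostNetwork: true` and a `Bidirectional` mount of `/var/lib/kubelet`, yet its image is `amazon/aws-efs-csi-driver:latest`. The base kustomization rewrites the tag to `v0.3.0`, but anyone applying the manifest directly gets a node-level privileged pod from a mutable tag; set `image: amazon/aws-efs-csi-driver:v0.3.0` in the manifest itself, ideally with a digest. The same `:latest` reference appears on `fsx-plugin` in the aws-fsx-csi-driver controller Deployment and node DaemonSet further down the patch. `tolerations: - operator: Exists` also places the pod on every node, tainted ones included, which may be intended for a CSI node plugin but deserves a comment saying so.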
@@ -0,0 +1,36 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: aws-efs-csi-driver
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: aws-efs-csi-driver
+ app.kubernetes.io/instance: aws-efs-csi-driver-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: aws-efs-csi-driver
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
+ componentKinds:
+ - group: apps
+ kind: DaemonSet
+ - group: storage
+ kind: CSIDriver
+ descriptor:
+ type: aws-efs-csi-driver
+ version: v0.3.0
+ description: The Amazon EFS Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the lifecycle of Amazon EFS file systems.
+ maintainers:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ owners:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ keywords:
+ - aws
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubernetes-sigs/aws-efs-csi-driver
+ addOwnerRef: true
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..c52ed734bd
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-efs-csi-driver/overlays/application/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: aws-efs-csi-driver
+ app.kubernetes.io/name: aws-efs-csi-driver
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller-sa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller-sa.yaml
new file mode 100644
index 0000000000..4404ec2d3e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller-sa.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fsx-csi-controller-sa
+ namespace: kubeflow
+ #Enable if EKS IAM for SA is used
+ #annotations:
+ # eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/fsx-csi-role
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller.yaml
new file mode 100644
index 0000000000..ce8fff6098
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-controller.yaml
@@ -0,0 +1,64 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: fsx-csi-controller
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: fsx-csi-controller
+ template:
+ metadata:
+ labels:
+ app: fsx-csi-controller
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+ kubernetes.io/arch: amd64
+ serviceAccount: fsx-csi-controller-sa
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ containers:
+ - name: fsx-plugin
+ image: amazon/aws-fsx-csi-driver:latest
+ args :
+ - --endpoint=$(CSI_ENDPOINT)
+ - --logtostderr
+ - --v=5
+ env:
+ - name: CSI_ENDPOINT
+ value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: aws-secret
+ key: AWS_ACCESS_KEY_ID
+ optional: true
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: aws-secret
+ key: AWS_SECRET_ACCESS_KEY
+ optional: true
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ - name: csi-provisioner
+ image: quay.io/k8scsi/csi-provisioner:v1.3.0
+ args:
+ - --timeout=5m
+ - --csi-address=$(ADDRESS)
+ - --v=5
+ - --enable-leader-election
+ - --leader-election-type=leases
+ env:
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+ volumes:
+ - name: socket-dir
+ emptyDir: {}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-driver.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-driver.yaml
new file mode 100644
index 0000000000..71b99a00fd
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-driver.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: storage.k8s.io/v1beta1
+kind: CSIDriver
+metadata:
+ name: fsx.csi.aws.com
+spec:
+ attachRequired: false
\ No newline at end of file
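Review bot: `fsx-plugin` in aws-fsx-csi-driver/base/csi-controller.yaml takes `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the `aws-secret` Secret, i.e. long-lived static IAM keys injected as environment variables. csi-controller-sa.yaml already carries a commented-out `eks.amazonaws.com/role-arn` annotation; enabling that role binding and dropping the two `secretKeyRef` entries would remove the static credential. The pod spec also uses the deprecated `serviceAccount:` field, which should read `serviceAccountName: fsx-csi-controller-sa`.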
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-node-daemonset.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-node-daemonset.yaml
new file mode 100644
index 0000000000..6f231d1e49
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-node-daemonset.yaml
@@ -0,0 +1,90 @@
+---
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: fsx-csi-node
+spec:
+ selector:
+ matchLabels:
+ app: fsx-csi-node
+ template:
+ metadata:
+ labels:
+ app: fsx-csi-node
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+ kubernetes.io/arch: amd64
+ hostNetwork: true
+ containers:
+ - name: fsx-plugin
+ securityContext:
+ privileged: true
+ image: amazon/aws-fsx-csi-driver:latest
+ args:
+ - --endpoint=$(CSI_ENDPOINT)
+ - --logtostderr
+ - --v=5
+ env:
+ - name: CSI_ENDPOINT
+ value: unix:/csi/csi.sock
+ volumeMounts:
+ - name: kubelet-dir
+ mountPath: /var/lib/kubelet
+ mountPropagation: "Bidirectional"
+ - name: plugin-dir
+ mountPath: /csi
+ ports:
+ - containerPort: 9810
+ name: healthz
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: healthz
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ periodSeconds: 2
+ - name: csi-driver-registrar
+ image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
+ args:
+ - --csi-address=$(ADDRESS)
+ - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+ - --v=5
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ - name: DRIVER_REG_SOCK_PATH
+ value: /var/lib/kubelet/plugins/fsx.csi.aws.com/csi.sock
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /csi
+ - name: registration-dir
+ mountPath: /registration
+ - name: liveness-probe
+ imagePullPolicy: Always
+ image: quay.io/k8scsi/livenessprobe:v1.1.0
+ args:
+ - --csi-address=/csi/csi.sock
+ - --health-port=9810
+ volumeMounts:
+ - mountPath: /csi
+ name: plugin-dir
+ volumes:
+ - name: kubelet-dir
+ hostPath:
+ path: /var/lib/kubelet
+ type: Directory
+ - name: registration-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins_registry/
+ type: Directory
+ - name: plugin-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins/fsx.csi.aws.com/
+ type: DirectoryOrCreate
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role-binding.yaml
new file mode 100644
index 0000000000..156b19f47b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: fsx-csi-external-provisioner-binding
+subjects:
+ - kind: ServiceAccount
+ name: fsx-csi-controller-sa
+ namespace: kubeflow
+roleRef:
+ kind: ClusterRole
+ name: fsx-csi-external-provisioner-role
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role.yaml
new file mode 100644
index 0000000000..29ab1d07ec
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/csi-provisioner-cluster-role.yaml
@@ -0,0 +1,26 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: fsx-csi-external-provisioner-role
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/kustomization.yaml
new file mode 100644
index 0000000000..60c5670eb3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/base/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- csi-driver.yaml
+- csi-controller.yaml
+- csi-controller-sa.yaml
+- csi-node-daemonset.yaml
+- csi-provisioner-cluster-role.yaml
+- csi-provisioner-cluster-role-binding.yaml
+generatorOptions:
+ disableNameSuffixHash: true
+images:
+- name: amazon/aws-fsx-csi-driver
+ newName: amazon/aws-fsx-csi-driver
+ newTag: v0.3.0
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/application.yaml
new file mode 100644
index 0000000000..7f72dc0b50
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/application.yaml
@@ -0,0 +1,44 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: aws-fsx-csi-driver
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: aws-fsx-csi-driver
+ app.kubernetes.io/instance: aws-fsx-csi-driver-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: aws-fsx-csi-driver
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
+ componentKinds:
+ - group: apps
+ kind: Deployment
+ - group: apps
+ kind: DaemonSet
+ - group: storage
+ kind: CSIDriver
+ - group: core
+ kind: ServiceAccount
+ - group: rbac
+ kind: ClusterRoleBinding
+ - group: rbac
+ kind: ClusterRole
+ descriptor:
+ type: aws-efs-csi-driver
+ version: v0.3.0
+ description: The Amazon FSx for Lustre Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the lifecycle of Amazon FSx for Lustre file systems.
+ maintainers:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ owners:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ keywords:
+ - aws
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubernetes-sigs/aws-fsx-csi-driver
+ addOwnerRef: true
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..eb8ab9935b
--- /dev/null
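Review bot: `type: aws-efs-csi-driver` under `descriptor:` in aws-fsx-csi-driver/overlays/application/application.yaml looks copied from the EFS application; the description and every label in this file refer to FSx, so it should read `type: aws-fsx-csi-driver`. The labels also claim `app.kubernetes.io/version: v1.0.0` while the descriptor says `version: v0.3.0`, which makes the Application unreliable as an inventory record of what is deployed.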
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-fsx-csi-driver/overlays/application/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: aws-fsx-csi-driver
+ app.kubernetes.io/name: aws-fsx-csi-driver
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/authzadaptor.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/authzadaptor.yaml
new file mode 100644
index 0000000000..1a3d943529
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/authzadaptor.yaml
@@ -0,0 +1,13 @@ +# this config is created through command +# mixgen adapter -c $REPO_ROOT/authzadaptor/config/config.proto_descriptor -o $REPO_ROOT/authzadaptor/config -s=false -n authzadaptor -t authzadaptor +apiVersion: "config.istio.io/v1alpha2" +kind: adapter +metadata: + name: authzadaptor +spec: + description: + session_based: false + templates: + - authzadaptor + config: CpopCh5nb29nbGUvcHJvdG9idWYvZHVyYXRpb24ucHJvdG8SD2dvb2dsZS5wcm90b2J1ZiI6CghEdXJhdGlvbhIYCgdzZWNvbmRzGAEgASgDUgdzZWNvbmRzEhQKBW5hbm9zGAIgASgFUgVuYW5vc0J8ChNjb20uZ29vZ2xlLnByb3RvYnVmQg1EdXJhdGlvblByb3RvUAFaKmdpdGh1Yi5jb20vZ29sYW5nL3Byb3RvYnVmL3B0eXBlcy9kdXJhdGlvbvgBAaICA0dQQqoCHkdvb2dsZS5Qcm90b2J1Zi5XZWxsS25vd25UeXBlc0qkJwoGEgQeAHQBCswMCgEMEgMeABIywQwgUHJvdG9jb2wgQnVmZmVycyAtIEdvb2dsZSdzIGRhdGEgaW50ZXJjaGFuZ2UgZm9ybWF0CiBDb3B5cmlnaHQgMjAwOCBHb29nbGUgSW5jLiAgQWxsIHJpZ2h0cyByZXNlcnZlZC4KIGh0dHBzOi8vZGV2ZWxvcGVycy5nb29nbGUuY29tL3Byb3RvY29sLWJ1ZmZlcnMvCgogUmVkaXN0cmlidXRpb24gYW5kIHVzZSBpbiBzb3VyY2UgYW5kIGJpbmFyeSBmb3Jtcywgd2l0aCBvciB3aXRob3V0CiBtb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMgYXJlCiBtZXQ6CgogICAgICogUmVkaXN0cmlidXRpb25zIG9mIHNvdXJjZSBjb2RlIG11c3QgcmV0YWluIHRoZSBhYm92ZSBjb3B5cmlnaHQKIG5vdGljZSwgdGhpcyBsaXN0IG9mIGNvbmRpdGlvbnMgYW5kIHRoZSBmb2xsb3dpbmcgZGlzY2xhaW1lci4KICAgICAqIFJlZGlzdHJpYnV0aW9ucyBpbiBiaW5hcnkgZm9ybSBtdXN0IHJlcHJvZHVjZSB0aGUgYWJvdmUKIGNvcHlyaWdodCBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIKIGluIHRoZSBkb2N1bWVudGF0aW9uIGFuZC9vciBvdGhlciBtYXRlcmlhbHMgcHJvdmlkZWQgd2l0aCB0aGUKIGRpc3RyaWJ1dGlvbi4KICAgICAqIE5laXRoZXIgdGhlIG5hbWUgb2YgR29vZ2xlIEluYy4gbm9yIHRoZSBuYW1lcyBvZiBpdHMKIGNvbnRyaWJ1dG9ycyBtYXkgYmUgdXNlZCB0byBlbmRvcnNlIG9yIHByb21vdGUgcHJvZHVjdHMgZGVyaXZlZCBmcm9tCiB0aGlzIHNvZnR3YXJlIHdpdGhvdXQgc3BlY2lmaWMgcHJpb3Igd3JpdHRlbiBwZXJtaXNzaW9uLgoKIFRISVMgU09GVFdBUkUgSVMgUFJPVklERUQgQlkgVEhFIENPUFlSSUdIVCBIT0xERVJTIEFORCBDT05UUklCVVRPUlMKICJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUy
wgSU5DTFVESU5HLCBCVVQgTk9UCiBMSU1JVEVEIFRPLCBUSEUgSU1QTElFRCBXQVJSQU5USUVTIE9GIE1FUkNIQU5UQUJJTElUWSBBTkQgRklUTkVTUyBGT1IKIEEgUEFSVElDVUxBUiBQVVJQT1NFIEFSRSBESVNDTEFJTUVELiBJTiBOTyBFVkVOVCBTSEFMTCBUSEUgQ09QWVJJR0hUCiBPV05FUiBPUiBDT05UUklCVVRPUlMgQkUgTElBQkxFIEZPUiBBTlkgRElSRUNULCBJTkRJUkVDVCwgSU5DSURFTlRBTCwKIFNQRUNJQUwsIEVYRU1QTEFSWSwgT1IgQ09OU0VRVUVOVElBTCBEQU1BR0VTIChJTkNMVURJTkcsIEJVVCBOT1QKIExJTUlURUQgVE8sIFBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLAogREFUQSwgT1IgUFJPRklUUzsgT1IgQlVTSU5FU1MgSU5URVJSVVBUSU9OKSBIT1dFVkVSIENBVVNFRCBBTkQgT04gQU5ZCiBUSEVPUlkgT0YgTElBQklMSVRZLCBXSEVUSEVSIElOIENPTlRSQUNULCBTVFJJQ1QgTElBQklMSVRZLCBPUiBUT1JUCiAoSU5DTFVESU5HIE5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UKIE9GIFRISVMgU09GVFdBUkUsIEVWRU4gSUYgQURWSVNFRCBPRiBUSEUgUE9TU0lCSUxJVFkgT0YgU1VDSCBEQU1BR0UuCgoICgECEgMgCBcKCAoBCBIDIgA7CgsKBAjnBwASAyIAOwoMCgUI5wcAAhIDIgcXCg0KBgjnBwACABIDIgcXCg4KBwjnBwACAAESAyIHFwoMCgUI5wcABxIDIho6CggKAQgSAyMAHwoLCgQI5wcBEgMjAB8KDAoFCOcHAQISAyMHFwoNCgYI5wcBAgASAyMHFwoOCgcI5wcBAgABEgMjBxcKDAoFCOcHAQMSAyMaHgoICgEIEgMkAEEKCwoECOcHAhIDJABBCgwKBQjnBwICEgMkBxEKDQoGCOcHAgIAEgMkBxEKDgoHCOcHAgIAARIDJAcRCgwKBQjnBwIHEgMkFEAKCAoBCBIDJQAsCgsKBAjnBwMSAyUALAoMCgUI5wcDAhIDJQcTCg0KBgjnBwMCABIDJQcTCg4KBwjnBwMCAAESAyUHEwoMCgUI5wcDBxIDJRYrCggKAQgSAyYALgoLCgQI5wcEEgMmAC4KDAoFCOcHBAISAyYHGwoNCgYI5wcEAgASAyYHGwoOCgcI5wcEAgABEgMmBxsKDAoFCOcHBAcSAyYeLQoICgEIEgMnACIKCwoECOcHBRIDJwAiCgwKBQjnBwUCEgMnBxoKDQoGCOcHBQIAEgMnBxoKDgoHCOcHBQIAARIDJwcaCgwKBQjnBwUDEgMnHSEKCAoBCBIDKAAhCgsKBAjnBwYSAygAIQoMCgUI5wcGAhIDKAcYCg0KBgjnBwYCABIDKAcYCg4KBwjnBwYCAAESAygHGAoMCgUI5wcGBxIDKBsgCp8QCgIEABIEZgB0ARqSECBBIER1cmF0aW9uIHJlcHJlc2VudHMgYSBzaWduZWQsIGZpeGVkLWxlbmd0aCBzcGFuIG9mIHRpbWUgcmVwcmVzZW50ZWQKIGFzIGEgY291bnQgb2Ygc2Vjb25kcyBhbmQgZnJhY3Rpb25zIG9mIHNlY29uZHMgYXQgbmFub3NlY29uZAogcmVzb2x1dGlvbi4gSXQgaXMgaW5kZXBlbmRlbnQgb2YgYW55IGNhbGVuZGFyIGFuZCBjb25jZXB0cyBsaWtlICJkYXkiCiBvciAibW9udGgiLiBJdCBpcyByZWxhdGVkIHRvIFRpbWVzdGFtcCBpbiB0aG
F0IHRoZSBkaWZmZXJlbmNlIGJldHdlZW4KIHR3byBUaW1lc3RhbXAgdmFsdWVzIGlzIGEgRHVyYXRpb24gYW5kIGl0IGNhbiBiZSBhZGRlZCBvciBzdWJ0cmFjdGVkCiBmcm9tIGEgVGltZXN0YW1wLiBSYW5nZSBpcyBhcHByb3hpbWF0ZWx5ICstMTAsMDAwIHllYXJzLgoKICMgRXhhbXBsZXMKCiBFeGFtcGxlIDE6IENvbXB1dGUgRHVyYXRpb24gZnJvbSB0d28gVGltZXN0YW1wcyBpbiBwc2V1ZG8gY29kZS4KCiAgICAgVGltZXN0YW1wIHN0YXJ0ID0gLi4uOwogICAgIFRpbWVzdGFtcCBlbmQgPSAuLi47CiAgICAgRHVyYXRpb24gZHVyYXRpb24gPSAuLi47CgogICAgIGR1cmF0aW9uLnNlY29uZHMgPSBlbmQuc2Vjb25kcyAtIHN0YXJ0LnNlY29uZHM7CiAgICAgZHVyYXRpb24ubmFub3MgPSBlbmQubmFub3MgLSBzdGFydC5uYW5vczsKCiAgICAgaWYgKGR1cmF0aW9uLnNlY29uZHMgPCAwICYmIGR1cmF0aW9uLm5hbm9zID4gMCkgewogICAgICAgZHVyYXRpb24uc2Vjb25kcyArPSAxOwogICAgICAgZHVyYXRpb24ubmFub3MgLT0gMTAwMDAwMDAwMDsKICAgICB9IGVsc2UgaWYgKGR1cmF0aW9ucy5zZWNvbmRzID4gMCAmJiBkdXJhdGlvbi5uYW5vcyA8IDApIHsKICAgICAgIGR1cmF0aW9uLnNlY29uZHMgLT0gMTsKICAgICAgIGR1cmF0aW9uLm5hbm9zICs9IDEwMDAwMDAwMDA7CiAgICAgfQoKIEV4YW1wbGUgMjogQ29tcHV0ZSBUaW1lc3RhbXAgZnJvbSBUaW1lc3RhbXAgKyBEdXJhdGlvbiBpbiBwc2V1ZG8gY29kZS4KCiAgICAgVGltZXN0YW1wIHN0YXJ0ID0gLi4uOwogICAgIER1cmF0aW9uIGR1cmF0aW9uID0gLi4uOwogICAgIFRpbWVzdGFtcCBlbmQgPSAuLi47CgogICAgIGVuZC5zZWNvbmRzID0gc3RhcnQuc2Vjb25kcyArIGR1cmF0aW9uLnNlY29uZHM7CiAgICAgZW5kLm5hbm9zID0gc3RhcnQubmFub3MgKyBkdXJhdGlvbi5uYW5vczsKCiAgICAgaWYgKGVuZC5uYW5vcyA8IDApIHsKICAgICAgIGVuZC5zZWNvbmRzIC09IDE7CiAgICAgICBlbmQubmFub3MgKz0gMTAwMDAwMDAwMDsKICAgICB9IGVsc2UgaWYgKGVuZC5uYW5vcyA+PSAxMDAwMDAwMDAwKSB7CiAgICAgICBlbmQuc2Vjb25kcyArPSAxOwogICAgICAgZW5kLm5hbm9zIC09IDEwMDAwMDAwMDA7CiAgICAgfQoKIEV4YW1wbGUgMzogQ29tcHV0ZSBEdXJhdGlvbiBmcm9tIGRhdGV0aW1lLnRpbWVkZWx0YSBpbiBQeXRob24uCgogICAgIHRkID0gZGF0ZXRpbWUudGltZWRlbHRhKGRheXM9MywgbWludXRlcz0xMCkKICAgICBkdXJhdGlvbiA9IER1cmF0aW9uKCkKICAgICBkdXJhdGlvbi5Gcm9tVGltZWRlbHRhKHRkKQoKICMgSlNPTiBNYXBwaW5nCgogSW4gSlNPTiBmb3JtYXQsIHRoZSBEdXJhdGlvbiB0eXBlIGlzIGVuY29kZWQgYXMgYSBzdHJpbmcgcmF0aGVyIHRoYW4gYW4KIG9iamVjdCwgd2hlcmUgdGhlIHN0cmluZyBlbmRzIGluIHRoZSBzdWZmaXggInMiIChpbmRpY2F0aW5nIHNlY29uZHMpIGFuZAogaXMgcHJlY2VkZWQgYnkgdGhlIG51bWJlciBvZiBzZW
NvbmRzLCB3aXRoIG5hbm9zZWNvbmRzIGV4cHJlc3NlZCBhcwogZnJhY3Rpb25hbCBzZWNvbmRzLiBGb3IgZXhhbXBsZSwgMyBzZWNvbmRzIHdpdGggMCBuYW5vc2Vjb25kcyBzaG91bGQgYmUKIGVuY29kZWQgaW4gSlNPTiBmb3JtYXQgYXMgIjNzIiwgd2hpbGUgMyBzZWNvbmRzIGFuZCAxIG5hbm9zZWNvbmQgc2hvdWxkCiBiZSBleHByZXNzZWQgaW4gSlNPTiBmb3JtYXQgYXMgIjMuMDAwMDAwMDAxcyIsIGFuZCAzIHNlY29uZHMgYW5kIDEKIG1pY3Jvc2Vjb25kIHNob3VsZCBiZSBleHByZXNzZWQgaW4gSlNPTiBmb3JtYXQgYXMgIjMuMDAwMDAxcyIuCgoKCgoKAwQAARIDZggQCtwBCgQEAAIAEgNrAhQazgEgU2lnbmVkIHNlY29uZHMgb2YgdGhlIHNwYW4gb2YgdGltZS4gTXVzdCBiZSBmcm9tIC0zMTUsNTc2LDAwMCwwMDAKIHRvICszMTUsNTc2LDAwMCwwMDAgaW5jbHVzaXZlLiBOb3RlOiB0aGVzZSBib3VuZHMgYXJlIGNvbXB1dGVkIGZyb206CiA2MCBzZWMvbWluICogNjAgbWluL2hyICogMjQgaHIvZGF5ICogMzY1LjI1IGRheXMveWVhciAqIDEwMDAwIHllYXJzCgoNCgUEAAIABBIEawJmEgoMCgUEAAIABRIDawIHCgwKBQQAAgABEgNrCA8KDAoFBAACAAMSA2sSEwqDAwoEBAACARIDcwISGvUCIFNpZ25lZCBmcmFjdGlvbnMgb2YgYSBzZWNvbmQgYXQgbmFub3NlY29uZCByZXNvbHV0aW9uIG9mIHRoZSBzcGFuCiBvZiB0aW1lLiBEdXJhdGlvbnMgbGVzcyB0aGFuIG9uZSBzZWNvbmQgYXJlIHJlcHJlc2VudGVkIHdpdGggYSAwCiBgc2Vjb25kc2AgZmllbGQgYW5kIGEgcG9zaXRpdmUgb3IgbmVnYXRpdmUgYG5hbm9zYCBmaWVsZC4gRm9yIGR1cmF0aW9ucwogb2Ygb25lIHNlY29uZCBvciBtb3JlLCBhIG5vbi16ZXJvIHZhbHVlIGZvciB0aGUgYG5hbm9zYCBmaWVsZCBtdXN0IGJlCiBvZiB0aGUgc2FtZSBzaWduIGFzIHRoZSBgc2Vjb25kc2AgZmllbGQuIE11c3QgYmUgZnJvbSAtOTk5LDk5OSw5OTkKIHRvICs5OTksOTk5LDk5OSBpbmNsdXNpdmUuCgoNCgUEAAIBBBIEcwJrFAoMCgUEAAIBBRIDcwIHCgwKBQQAAgEBEgNzCA0KDAoFBAACAQMSA3MQEWIGcHJvdG8zCvD6AgogZ29vZ2xlL3Byb3RvYnVmL2Rlc2NyaXB0b3IucHJvdG8SD2dvb2dsZS5wcm90b2J1ZiJNChFGaWxlRGVzY3JpcHRvclNldBI4CgRmaWxlGAEgAygLMiQuZ29vZ2xlLnByb3RvYnVmLkZpbGVEZXNjcmlwdG9yUHJvdG9SBGZpbGUi5AQKE0ZpbGVEZXNjcmlwdG9yUHJvdG8SEgoEbmFtZRgBIAEoCVIEbmFtZRIYCgdwYWNrYWdlGAIgASgJUgdwYWNrYWdlEh4KCmRlcGVuZGVuY3kYAyADKAlSCmRlcGVuZGVuY3kSKwoRcHVibGljX2RlcGVuZGVuY3kYCiADKAVSEHB1YmxpY0RlcGVuZGVuY3kSJwoPd2Vha19kZXBlbmRlbmN5GAsgAygFUg53ZWFrRGVwZW5kZW5jeRJDCgxtZXNzYWdlX3R5cGUYBCADKAsyIC5nb29nbGUucHJvdG9idWYuRGVzY3JpcHRvclByb3RvUgttZXNzYWdlVHlwZRJBCgllbnVtX3R5cGUYBSADKAsyJC5nb29nbGUucHJvdG9idWYuRW51bURlc2
NyaXB0b3JQcm90b1IIZW51bVR5cGUSQQoHc2VydmljZRgGIAMoCzInLmdvb2dsZS5wcm90b2J1Zi5TZXJ2aWNlRGVzY3JpcHRvclByb3RvUgdzZXJ2aWNlEkMKCWV4dGVuc2lvbhgHIAMoCzIlLmdvb2dsZS5wcm90b2J1Zi5GaWVsZERlc2NyaXB0b3JQcm90b1IJZXh0ZW5zaW9uEjYKB29wdGlvbnMYCCABKAsyHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnNSB29wdGlvbnMSSQoQc291cmNlX2NvZGVfaW5mbxgJIAEoCzIfLmdvb2dsZS5wcm90b2J1Zi5Tb3VyY2VDb2RlSW5mb1IOc291cmNlQ29kZUluZm8SFgoGc3ludGF4GAwgASgJUgZzeW50YXgiuQYKD0Rlc2NyaXB0b3JQcm90bxISCgRuYW1lGAEgASgJUgRuYW1lEjsKBWZpZWxkGAIgAygLMiUuZ29vZ2xlLnByb3RvYnVmLkZpZWxkRGVzY3JpcHRvclByb3RvUgVmaWVsZBJDCglleHRlbnNpb24YBiADKAsyJS5nb29nbGUucHJvdG9idWYuRmllbGREZXNjcmlwdG9yUHJvdG9SCWV4dGVuc2lvbhJBCgtuZXN0ZWRfdHlwZRgDIAMoCzIgLmdvb2dsZS5wcm90b2J1Zi5EZXNjcmlwdG9yUHJvdG9SCm5lc3RlZFR5cGUSQQoJZW51bV90eXBlGAQgAygLMiQuZ29vZ2xlLnByb3RvYnVmLkVudW1EZXNjcmlwdG9yUHJvdG9SCGVudW1UeXBlElgKD2V4dGVuc2lvbl9yYW5nZRgFIAMoCzIvLmdvb2dsZS5wcm90b2J1Zi5EZXNjcmlwdG9yUHJvdG8uRXh0ZW5zaW9uUmFuZ2VSDmV4dGVuc2lvblJhbmdlEkQKCm9uZW9mX2RlY2wYCCADKAsyJS5nb29nbGUucHJvdG9idWYuT25lb2ZEZXNjcmlwdG9yUHJvdG9SCW9uZW9mRGVjbBI5CgdvcHRpb25zGAcgASgLMh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zUgdvcHRpb25zElUKDnJlc2VydmVkX3JhbmdlGAkgAygLMi4uZ29vZ2xlLnByb3RvYnVmLkRlc2NyaXB0b3JQcm90by5SZXNlcnZlZFJhbmdlUg1yZXNlcnZlZFJhbmdlEiMKDXJlc2VydmVkX25hbWUYCiADKAlSDHJlc2VydmVkTmFtZRp6Cg5FeHRlbnNpb25SYW5nZRIUCgVzdGFydBgBIAEoBVIFc3RhcnQSEAoDZW5kGAIgASgFUgNlbmQSQAoHb3B0aW9ucxgDIAEoCzImLmdvb2dsZS5wcm90b2J1Zi5FeHRlbnNpb25SYW5nZU9wdGlvbnNSB29wdGlvbnMaNwoNUmVzZXJ2ZWRSYW5nZRIUCgVzdGFydBgBIAEoBVIFc3RhcnQSEAoDZW5kGAIgASgFUgNlbmQifAoVRXh0ZW5zaW9uUmFuZ2VPcHRpb25zElgKFHVuaW50ZXJwcmV0ZWRfb3B0aW9uGOcHIAMoCzIkLmdvb2dsZS5wcm90b2J1Zi5VbmludGVycHJldGVkT3B0aW9uUhN1bmludGVycHJldGVkT3B0aW9uKgkI6AcQgICAgAIimAYKFEZpZWxkRGVzY3JpcHRvclByb3RvEhIKBG5hbWUYASABKAlSBG5hbWUSFgoGbnVtYmVyGAMgASgFUgZudW1iZXISQQoFbGFiZWwYBCABKA4yKy5nb29nbGUucHJvdG9idWYuRmllbGREZXNjcmlwdG9yUHJvdG8uTGFiZWxSBWxhYmVsEj4KBHR5cGUYBSABKA4yKi5nb29nbGUucHJvdG9idWYuRmllbGREZXNjcmlwdG9yUHJvdG8uVHlwZVIEdHlwZRIbCgl0eXBlX25hbWUYBiABKAlSCHR5cGVOYW1lEhoKCG
V4dGVuZGVlGAIgASgJUghleHRlbmRlZRIjCg1kZWZhdWx0X3ZhbHVlGAcgASgJUgxkZWZhdWx0VmFsdWUSHwoLb25lb2ZfaW5kZXgYCSABKAVSCm9uZW9mSW5kZXgSGwoJanNvbl9uYW1lGAogASgJUghqc29uTmFtZRI3CgdvcHRpb25zGAggASgLMh0uZ29vZ2xlLnByb3RvYnVmLkZpZWxkT3B0aW9uc1IHb3B0aW9ucyK2AgoEVHlwZRIPCgtUWVBFX0RPVUJMRRABEg4KClRZUEVfRkxPQVQQAhIOCgpUWVBFX0lOVDY0EAMSDwoLVFlQRV9VSU5UNjQQBBIOCgpUWVBFX0lOVDMyEAUSEAoMVFlQRV9GSVhFRDY0EAYSEAoMVFlQRV9GSVhFRDMyEAcSDQoJVFlQRV9CT09MEAgSDwoLVFlQRV9TVFJJTkcQCRIOCgpUWVBFX0dST1VQEAoSEAoMVFlQRV9NRVNTQUdFEAsSDgoKVFlQRV9CWVRFUxAMEg8KC1RZUEVfVUlOVDMyEA0SDQoJVFlQRV9FTlVNEA4SEQoNVFlQRV9TRklYRUQzMhAPEhEKDVRZUEVfU0ZJWEVENjQQEBIPCgtUWVBFX1NJTlQzMhAREg8KC1RZUEVfU0lOVDY0EBIiQwoFTGFiZWwSEgoOTEFCRUxfT1BUSU9OQUwQARISCg5MQUJFTF9SRVFVSVJFRBACEhIKDkxBQkVMX1JFUEVBVEVEEAMiYwoUT25lb2ZEZXNjcmlwdG9yUHJvdG8SEgoEbmFtZRgBIAEoCVIEbmFtZRI3CgdvcHRpb25zGAIgASgLMh0uZ29vZ2xlLnByb3RvYnVmLk9uZW9mT3B0aW9uc1IHb3B0aW9ucyLjAgoTRW51bURlc2NyaXB0b3JQcm90bxISCgRuYW1lGAEgASgJUgRuYW1lEj8KBXZhbHVlGAIgAygLMikuZ29vZ2xlLnByb3RvYnVmLkVudW1WYWx1ZURlc2NyaXB0b3JQcm90b1IFdmFsdWUSNgoHb3B0aW9ucxgDIAEoCzIcLmdvb2dsZS5wcm90b2J1Zi5FbnVtT3B0aW9uc1IHb3B0aW9ucxJdCg5yZXNlcnZlZF9yYW5nZRgEIAMoCzI2Lmdvb2dsZS5wcm90b2J1Zi5FbnVtRGVzY3JpcHRvclByb3RvLkVudW1SZXNlcnZlZFJhbmdlUg1yZXNlcnZlZFJhbmdlEiMKDXJlc2VydmVkX25hbWUYBSADKAlSDHJlc2VydmVkTmFtZRo7ChFFbnVtUmVzZXJ2ZWRSYW5nZRIUCgVzdGFydBgBIAEoBVIFc3RhcnQSEAoDZW5kGAIgASgFUgNlbmQigwEKGEVudW1WYWx1ZURlc2NyaXB0b3JQcm90bxISCgRuYW1lGAEgASgJUgRuYW1lEhYKBm51bWJlchgCIAEoBVIGbnVtYmVyEjsKB29wdGlvbnMYAyABKAsyIS5nb29nbGUucHJvdG9idWYuRW51bVZhbHVlT3B0aW9uc1IHb3B0aW9ucyKnAQoWU2VydmljZURlc2NyaXB0b3JQcm90bxISCgRuYW1lGAEgASgJUgRuYW1lEj4KBm1ldGhvZBgCIAMoCzImLmdvb2dsZS5wcm90b2J1Zi5NZXRob2REZXNjcmlwdG9yUHJvdG9SBm1ldGhvZBI5CgdvcHRpb25zGAMgASgLMh8uZ29vZ2xlLnByb3RvYnVmLlNlcnZpY2VPcHRpb25zUgdvcHRpb25zIokCChVNZXRob2REZXNjcmlwdG9yUHJvdG8SEgoEbmFtZRgBIAEoCVIEbmFtZRIdCgppbnB1dF90eXBlGAIgASgJUglpbnB1dFR5cGUSHwoLb3V0cHV0X3R5cGUYAyABKAlSCm91dHB1dFR5cGUSOAoHb3B0aW9ucxgEIAEoCzIeLmdvb2dsZS5wcm90b2J1Zi5NZXRob2RPcHRpb25zUgdvcHRpb25zEjAKEGNsaW
VudF9zdHJlYW1pbmcYBSABKAg6BWZhbHNlUg9jbGllbnRTdHJlYW1pbmcSMAoQc2VydmVyX3N0cmVhbWluZxgGIAEoCDoFZmFsc2VSD3NlcnZlclN0cmVhbWluZyK5CAoLRmlsZU9wdGlvbnMSIQoMamF2YV9wYWNrYWdlGAEgASgJUgtqYXZhUGFja2FnZRIwChRqYXZhX291dGVyX2NsYXNzbmFtZRgIIAEoCVISamF2YU91dGVyQ2xhc3NuYW1lEjUKE2phdmFfbXVsdGlwbGVfZmlsZXMYCiABKAg6BWZhbHNlUhFqYXZhTXVsdGlwbGVGaWxlcxJECh1qYXZhX2dlbmVyYXRlX2VxdWFsc19hbmRfaGFzaBgUIAEoCEICGAFSGWphdmFHZW5lcmF0ZUVxdWFsc0FuZEhhc2gSOgoWamF2YV9zdHJpbmdfY2hlY2tfdXRmOBgbIAEoCDoFZmFsc2VSE2phdmFTdHJpbmdDaGVja1V0ZjgSUwoMb3B0aW1pemVfZm9yGAkgASgOMikuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zLk9wdGltaXplTW9kZToFU1BFRURSC29wdGltaXplRm9yEh0KCmdvX3BhY2thZ2UYCyABKAlSCWdvUGFja2FnZRI1ChNjY19nZW5lcmljX3NlcnZpY2VzGBAgASgIOgVmYWxzZVIRY2NHZW5lcmljU2VydmljZXMSOQoVamF2YV9nZW5lcmljX3NlcnZpY2VzGBEgASgIOgVmYWxzZVITamF2YUdlbmVyaWNTZXJ2aWNlcxI1ChNweV9nZW5lcmljX3NlcnZpY2VzGBIgASgIOgVmYWxzZVIRcHlHZW5lcmljU2VydmljZXMSNwoUcGhwX2dlbmVyaWNfc2VydmljZXMYKiABKAg6BWZhbHNlUhJwaHBHZW5lcmljU2VydmljZXMSJQoKZGVwcmVjYXRlZBgXIAEoCDoFZmFsc2VSCmRlcHJlY2F0ZWQSLwoQY2NfZW5hYmxlX2FyZW5hcxgfIAEoCDoFZmFsc2VSDmNjRW5hYmxlQXJlbmFzEioKEW9iamNfY2xhc3NfcHJlZml4GCQgASgJUg9vYmpjQ2xhc3NQcmVmaXgSKQoQY3NoYXJwX25hbWVzcGFjZRglIAEoCVIPY3NoYXJwTmFtZXNwYWNlEiEKDHN3aWZ0X3ByZWZpeBgnIAEoCVILc3dpZnRQcmVmaXgSKAoQcGhwX2NsYXNzX3ByZWZpeBgoIAEoCVIOcGhwQ2xhc3NQcmVmaXgSIwoNcGhwX25hbWVzcGFjZRgpIAEoCVIMcGhwTmFtZXNwYWNlElgKFHVuaW50ZXJwcmV0ZWRfb3B0aW9uGOcHIAMoCzIkLmdvb2dsZS5wcm90b2J1Zi5VbmludGVycHJldGVkT3B0aW9uUhN1bmludGVycHJldGVkT3B0aW9uIjoKDE9wdGltaXplTW9kZRIJCgVTUEVFRBABEg0KCUNPREVfU0laRRACEhAKDExJVEVfUlVOVElNRRADKgkI6AcQgICAgAJKBAgmECci0QIKDk1lc3NhZ2VPcHRpb25zEjwKF21lc3NhZ2Vfc2V0X3dpcmVfZm9ybWF0GAEgASgIOgVmYWxzZVIUbWVzc2FnZVNldFdpcmVGb3JtYXQSTAofbm9fc3RhbmRhcmRfZGVzY3JpcHRvcl9hY2Nlc3NvchgCIAEoCDoFZmFsc2VSHG5vU3RhbmRhcmREZXNjcmlwdG9yQWNjZXNzb3ISJQoKZGVwcmVjYXRlZBgDIAEoCDoFZmFsc2VSCmRlcHJlY2F0ZWQSGwoJbWFwX2VudHJ5GAcgASgIUghtYXBFbnRyeRJYChR1bmludGVycHJldGVkX29wdGlvbhjnByADKAsyJC5nb29nbGUucHJvdG9idWYuVW5pbnRlcnByZXRlZE9wdGlvblITdW5pbnRlcnByZXRlZE9wdGlvbioJCOgHEI
CAgIACSgQICBAJSgQICRAKIuIDCgxGaWVsZE9wdGlvbnMSQQoFY3R5cGUYASABKA4yIy5nb29nbGUucHJvdG9idWYuRmllbGRPcHRpb25zLkNUeXBlOgZTVFJJTkdSBWN0eXBlEhYKBnBhY2tlZBgCIAEoCFIGcGFja2VkEkcKBmpzdHlwZRgGIAEoDjIkLmdvb2dsZS5wcm90b2J1Zi5GaWVsZE9wdGlvbnMuSlNUeXBlOglKU19OT1JNQUxSBmpzdHlwZRIZCgRsYXp5GAUgASgIOgVmYWxzZVIEbGF6eRIlCgpkZXByZWNhdGVkGAMgASgIOgVmYWxzZVIKZGVwcmVjYXRlZBIZCgR3ZWFrGAogASgIOgVmYWxzZVIEd2VhaxJYChR1bmludGVycHJldGVkX29wdGlvbhjnByADKAsyJC5nb29nbGUucHJvdG9idWYuVW5pbnRlcnByZXRlZE9wdGlvblITdW5pbnRlcnByZXRlZE9wdGlvbiIvCgVDVHlwZRIKCgZTVFJJTkcQABIICgRDT1JEEAESEAoMU1RSSU5HX1BJRUNFEAIiNQoGSlNUeXBlEg0KCUpTX05PUk1BTBAAEg0KCUpTX1NUUklORxABEg0KCUpTX05VTUJFUhACKgkI6AcQgICAgAJKBAgEEAUicwoMT25lb2ZPcHRpb25zElgKFHVuaW50ZXJwcmV0ZWRfb3B0aW9uGOcHIAMoCzIkLmdvb2dsZS5wcm90b2J1Zi5VbmludGVycHJldGVkT3B0aW9uUhN1bmludGVycHJldGVkT3B0aW9uKgkI6AcQgICAgAIiwAEKC0VudW1PcHRpb25zEh8KC2FsbG93X2FsaWFzGAIgASgIUgphbGxvd0FsaWFzEiUKCmRlcHJlY2F0ZWQYAyABKAg6BWZhbHNlUgpkZXByZWNhdGVkElgKFHVuaW50ZXJwcmV0ZWRfb3B0aW9uGOcHIAMoCzIkLmdvb2dsZS5wcm90b2J1Zi5VbmludGVycHJldGVkT3B0aW9uUhN1bmludGVycHJldGVkT3B0aW9uKgkI6AcQgICAgAJKBAgFEAYingEKEEVudW1WYWx1ZU9wdGlvbnMSJQoKZGVwcmVjYXRlZBgBIAEoCDoFZmFsc2VSCmRlcHJlY2F0ZWQSWAoUdW5pbnRlcnByZXRlZF9vcHRpb24Y5wcgAygLMiQuZ29vZ2xlLnByb3RvYnVmLlVuaW50ZXJwcmV0ZWRPcHRpb25SE3VuaW50ZXJwcmV0ZWRPcHRpb24qCQjoBxCAgICAAiKcAQoOU2VydmljZU9wdGlvbnMSJQoKZGVwcmVjYXRlZBghIAEoCDoFZmFsc2VSCmRlcHJlY2F0ZWQSWAoUdW5pbnRlcnByZXRlZF9vcHRpb24Y5wcgAygLMiQuZ29vZ2xlLnByb3RvYnVmLlVuaW50ZXJwcmV0ZWRPcHRpb25SE3VuaW50ZXJwcmV0ZWRPcHRpb24qCQjoBxCAgICAAiLgAgoNTWV0aG9kT3B0aW9ucxIlCgpkZXByZWNhdGVkGCEgASgIOgVmYWxzZVIKZGVwcmVjYXRlZBJxChFpZGVtcG90ZW5jeV9sZXZlbBgiIAEoDjIvLmdvb2dsZS5wcm90b2J1Zi5NZXRob2RPcHRpb25zLklkZW1wb3RlbmN5TGV2ZWw6E0lERU1QT1RFTkNZX1VOS05PV05SEGlkZW1wb3RlbmN5TGV2ZWwSWAoUdW5pbnRlcnByZXRlZF9vcHRpb24Y5wcgAygLMiQuZ29vZ2xlLnByb3RvYnVmLlVuaW50ZXJwcmV0ZWRPcHRpb25SE3VuaW50ZXJwcmV0ZWRPcHRpb24iUAoQSWRlbXBvdGVuY3lMZXZlbBIXChNJREVNUE9URU5DWV9VTktOT1dOEAASEwoPTk9fU0lERV9FRkZFQ1RTEAESDgoKSURFTVBPVEVOVBACKgkI6AcQgICAgAIimgMKE1VuaW50ZX
JwcmV0ZWRPcHRpb24SQQoEbmFtZRgCIAMoCzItLmdvb2dsZS5wcm90b2J1Zi5VbmludGVycHJldGVkT3B0aW9uLk5hbWVQYXJ0UgRuYW1lEikKEGlkZW50aWZpZXJfdmFsdWUYAyABKAlSD2lkZW50aWZpZXJWYWx1ZRIsChJwb3NpdGl2ZV9pbnRfdmFsdWUYBCABKARSEHBvc2l0aXZlSW50VmFsdWUSLAoSbmVnYXRpdmVfaW50X3ZhbHVlGAUgASgDUhBuZWdhdGl2ZUludFZhbHVlEiEKDGRvdWJsZV92YWx1ZRgGIAEoAVILZG91YmxlVmFsdWUSIQoMc3RyaW5nX3ZhbHVlGAcgASgMUgtzdHJpbmdWYWx1ZRInCg9hZ2dyZWdhdGVfdmFsdWUYCCABKAlSDmFnZ3JlZ2F0ZVZhbHVlGkoKCE5hbWVQYXJ0EhsKCW5hbWVfcGFydBgBIAIoCVIIbmFtZVBhcnQSIQoMaXNfZXh0ZW5zaW9uGAIgAigIUgtpc0V4dGVuc2lvbiKnAgoOU291cmNlQ29kZUluZm8SRAoIbG9jYXRpb24YASADKAsyKC5nb29nbGUucHJvdG9idWYuU291cmNlQ29kZUluZm8uTG9jYXRpb25SCGxvY2F0aW9uGs4BCghMb2NhdGlvbhIWCgRwYXRoGAEgAygFQgIQAVIEcGF0aBIWCgRzcGFuGAIgAygFQgIQAVIEc3BhbhIpChBsZWFkaW5nX2NvbW1lbnRzGAMgASgJUg9sZWFkaW5nQ29tbWVudHMSKwoRdHJhaWxpbmdfY29tbWVudHMYBCABKAlSEHRyYWlsaW5nQ29tbWVudHMSOgoZbGVhZGluZ19kZXRhY2hlZF9jb21tZW50cxgGIAMoCVIXbGVhZGluZ0RldGFjaGVkQ29tbWVudHMi0QEKEUdlbmVyYXRlZENvZGVJbmZvEk0KCmFubm90YXRpb24YASADKAsyLS5nb29nbGUucHJvdG9idWYuR2VuZXJhdGVkQ29kZUluZm8uQW5ub3RhdGlvblIKYW5ub3RhdGlvbhptCgpBbm5vdGF0aW9uEhYKBHBhdGgYASADKAVCAhABUgRwYXRoEh8KC3NvdXJjZV9maWxlGAIgASgJUgpzb3VyY2VGaWxlEhQKBWJlZ2luGAMgASgFUgViZWdpbhIQCgNlbmQYBCABKAVSA2VuZEKPAQoTY29tLmdvb2dsZS5wcm90b2J1ZkIQRGVzY3JpcHRvclByb3Rvc0gBWj5naXRodWIuY29tL2dvbGFuZy9wcm90b2J1Zi9wcm90b2MtZ2VuLWdvL2Rlc2NyaXB0b3I7ZGVzY3JpcHRvcvgBAaICA0dQQqoCGkdvb2dsZS5Qcm90b2J1Zi5SZWZsZWN0aW9uSqrAAgoHEgUnAOcGAQqqDwoBDBIDJwASMsEMIFByb3RvY29sIEJ1ZmZlcnMgLSBHb29nbGUncyBkYXRhIGludGVyY2hhbmdlIGZvcm1hdAogQ29weXJpZ2h0IDIwMDggR29vZ2xlIEluYy4gIEFsbCByaWdodHMgcmVzZXJ2ZWQuCiBodHRwczovL2RldmVsb3BlcnMuZ29vZ2xlLmNvbS9wcm90b2NvbC1idWZmZXJzLwoKIFJlZGlzdHJpYnV0aW9uIGFuZCB1c2UgaW4gc291cmNlIGFuZCBiaW5hcnkgZm9ybXMsIHdpdGggb3Igd2l0aG91dAogbW9kaWZpY2F0aW9uLCBhcmUgcGVybWl0dGVkIHByb3ZpZGVkIHRoYXQgdGhlIGZvbGxvd2luZyBjb25kaXRpb25zIGFyZQogbWV0OgoKICAgICAqIFJlZGlzdHJpYnV0aW9ucyBvZiBzb3VyY2UgY29kZSBtdXN0IHJldGFpbiB0aGUgYWJvdmUgY29weXJpZ2h0CiBub3RpY2UsIHRoaXMgbGlzdCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG
93aW5nIGRpc2NsYWltZXIuCiAgICAgKiBSZWRpc3RyaWJ1dGlvbnMgaW4gYmluYXJ5IGZvcm0gbXVzdCByZXByb2R1Y2UgdGhlIGFib3ZlCiBjb3B5cmlnaHQgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyCiBpbiB0aGUgZG9jdW1lbnRhdGlvbiBhbmQvb3Igb3RoZXIgbWF0ZXJpYWxzIHByb3ZpZGVkIHdpdGggdGhlCiBkaXN0cmlidXRpb24uCiAgICAgKiBOZWl0aGVyIHRoZSBuYW1lIG9mIEdvb2dsZSBJbmMuIG5vciB0aGUgbmFtZXMgb2YgaXRzCiBjb250cmlidXRvcnMgbWF5IGJlIHVzZWQgdG8gZW5kb3JzZSBvciBwcm9tb3RlIHByb2R1Y3RzIGRlcml2ZWQgZnJvbQogdGhpcyBzb2Z0d2FyZSB3aXRob3V0IHNwZWNpZmljIHByaW9yIHdyaXR0ZW4gcGVybWlzc2lvbi4KCiBUSElTIFNPRlRXQVJFIElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09OVFJJQlVUT1JTCiAiQVMgSVMiIEFORCBBTlkgRVhQUkVTUyBPUiBJTVBMSUVEIFdBUlJBTlRJRVMsIElOQ0xVRElORywgQlVUIE5PVAogTElNSVRFRCBUTywgVEhFIElNUExJRUQgV0FSUkFOVElFUyBPRiBNRVJDSEFOVEFCSUxJVFkgQU5EIEZJVE5FU1MgRk9SCiBBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgVEhFIENPUFlSSUdIVAogT1dORVIgT1IgQ09OVFJJQlVUT1JTIEJFIExJQUJMRSBGT1IgQU5ZIERJUkVDVCwgSU5ESVJFQ1QsIElOQ0lERU5UQUwsCiBTUEVDSUFMLCBFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UCiBMSU1JVEVEIFRPLCBQUk9DVVJFTUVOVCBPRiBTVUJTVElUVVRFIEdPT0RTIE9SIFNFUlZJQ0VTOyBMT1NTIE9GIFVTRSwKIERBVEEsIE9SIFBST0ZJVFM7IE9SIEJVU0lORVNTIElOVEVSUlVQVElPTikgSE9XRVZFUiBDQVVTRUQgQU5EIE9OIEFOWQogVEhFT1JZIE9GIExJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVAogKElOQ0xVRElORyBORUdMSUdFTkNFIE9SIE9USEVSV0lTRSkgQVJJU0lORyBJTiBBTlkgV0FZIE9VVCBPRiBUSEUgVVNFCiBPRiBUSElTIFNPRlRXQVJFLCBFVkVOIElGIEFEVklTRUQgT0YgVEhFIFBPU1NJQklMSVRZIE9GIFNVQ0ggREFNQUdFLgoy2wIgQXV0aG9yOiBrZW50b25AZ29vZ2xlLmNvbSAoS2VudG9uIFZhcmRhKQogIEJhc2VkIG9uIG9yaWdpbmFsIFByb3RvY29sIEJ1ZmZlcnMgZGVzaWduIGJ5CiAgU2FuamF5IEdoZW1hd2F0LCBKZWZmIERlYW4sIGFuZCBvdGhlcnMuCgogVGhlIG1lc3NhZ2VzIGluIHRoaXMgZmlsZSBkZXNjcmliZSB0aGUgZGVmaW5pdGlvbnMgZm91bmQgaW4gLnByb3RvIGZpbGVzLgogQSB2YWxpZCAucHJvdG8gZmlsZSBjYW4gYmUgdHJhbnNsYXRlZCBkaXJlY3RseSB0byBhIEZpbGVEZXNjcmlwdG9yUHJvdG8KIHdpdGhvdXQgYW55IG90aGVyIGluZm9ybWF0aW9uIC
hlLmcuIHdpdGhvdXQgcmVhZGluZyBpdHMgaW1wb3J0cykuCgoICgECEgMpCBcKCAoBCBIDKgBVCgsKBAjnBwASAyoAVQoMCgUI5wcAAhIDKgcRCg0KBgjnBwACABIDKgcRCg4KBwjnBwACAAESAyoHEQoMCgUI5wcABxIDKhRUCggKAQgSAysALAoLCgQI5wcBEgMrACwKDAoFCOcHAQISAysHEwoNCgYI5wcBAgASAysHEwoOCgcI5wcBAgABEgMrBxMKDAoFCOcHAQcSAysWKwoICgEIEgMsADEKCwoECOcHAhIDLAAxCgwKBQjnBwICEgMsBxsKDQoGCOcHAgIAEgMsBxsKDgoHCOcHAgIAARIDLAcbCgwKBQjnBwIHEgMsHjAKCAoBCBIDLQA3CgsKBAjnBwMSAy0ANwoMCgUI5wcDAhIDLQcXCg0KBgjnBwMCABIDLQcXCg4KBwjnBwMCAAESAy0HFwoMCgUI5wcDBxIDLRo2CggKAQgSAy4AIQoLCgQI5wcEEgMuACEKDAoFCOcHBAISAy4HGAoNCgYI5wcEAgASAy4HGAoOCgcI5wcEAgABEgMuBxgKDAoFCOcHBAcSAy4bIAoICgEIEgMvAB8KCwoECOcHBRIDLwAfCgwKBQjnBwUCEgMvBxcKDQoGCOcHBQIAEgMvBxcKDgoHCOcHBQIAARIDLwcXCgwKBQjnBwUDEgMvGh4KCAoBCBIDMwAcCoEBCgQI5wcGEgMzABwadCBkZXNjcmlwdG9yLnByb3RvIG11c3QgYmUgb3B0aW1pemVkIGZvciBzcGVlZCBiZWNhdXNlIHJlZmxlY3Rpb24tYmFzZWQKIGFsZ29yaXRobXMgZG9uJ3Qgd29yayBkdXJpbmcgYm9vdHN0cmFwcGluZy4KCgwKBQjnBwYCEgMzBxMKDQoGCOcHBgIAEgMzBxMKDgoHCOcHBgIAARIDMwcTCgwKBQjnBwYDEgMzFhsKagoCBAASBDcAOQEaXiBUaGUgcHJvdG9jb2wgY29tcGlsZXIgY2FuIG91dHB1dCBhIEZpbGVEZXNjcmlwdG9yU2V0IGNvbnRhaW5pbmcgdGhlIC5wcm90bwogZmlsZXMgaXQgcGFyc2VzLgoKCgoDBAABEgM3CBkKCwoEBAACABIDOAIoCgwKBQQAAgAEEgM4AgoKDAoFBAACAAYSAzgLHgoMCgUEAAIAARIDOB8jCgwKBQQAAgADEgM4JicKLwoCBAESBDwAWQEaIyBEZXNjcmliZXMgYSBjb21wbGV0ZSAucHJvdG8gZmlsZS4KCgoKAwQBARIDPAgbCjkKBAQBAgASAz0CGyIsIGZpbGUgbmFtZSwgcmVsYXRpdmUgdG8gcm9vdCBvZiBzb3VyY2UgdHJlZQoKDAoFBAECAAQSAz0CCgoMCgUEAQIABRIDPQsRCgwKBQQBAgABEgM9EhYKDAoFBAECAAMSAz0ZGgoqCgQEAQIBEgM+Ah4iHSBlLmcuICJmb28iLCAiZm9vLmJhciIsIGV0Yy4KCgwKBQQBAgEEEgM+AgoKDAoFBAECAQUSAz4LEQoMCgUEAQIBARIDPhIZCgwKBQQBAgEDEgM+HB0KNAoEBAECAhIDQQIhGicgTmFtZXMgb2YgZmlsZXMgaW1wb3J0ZWQgYnkgdGhpcyBmaWxlLgoKDAoFBAECAgQSA0ECCgoMCgUEAQICBRIDQQsRCgwKBQQBAgIBEgNBEhwKDAoFBAECAgMSA0EfIApRCgQEAQIDEgNDAigaRCBJbmRleGVzIG9mIHRoZSBwdWJsaWMgaW1wb3J0ZWQgZmlsZXMgaW4gdGhlIGRlcGVuZGVuY3kgbGlzdCBhYm92ZS4KCgwKBQQBAgMEEgNDAgoKDAoFBAECAwUSA0MLEAoMCgUEAQIDARIDQxEiCgwKBQQBAgMDEgNDJScKegoEBAECBBIDRgImGm0gSW5kZXhlcyBvZiB0aGUgd2VhayBpbXBvcnRlZCBmaW
xlcyBpbiB0aGUgZGVwZW5kZW5jeSBsaXN0LgogRm9yIEdvb2dsZS1pbnRlcm5hbCBtaWdyYXRpb24gb25seS4gRG8gbm90IHVzZS4KCgwKBQQBAgQEEgNGAgoKDAoFBAECBAUSA0YLEAoMCgUEAQIEARIDRhEgCgwKBQQBAgQDEgNGIyUKNgoEBAECBRIDSQIsGikgQWxsIHRvcC1sZXZlbCBkZWZpbml0aW9ucyBpbiB0aGlzIGZpbGUuCgoMCgUEAQIFBBIDSQIKCgwKBQQBAgUGEgNJCxoKDAoFBAECBQESA0kbJwoMCgUEAQIFAxIDSSorCgsKBAQBAgYSA0oCLQoMCgUEAQIGBBIDSgIKCgwKBQQBAgYGEgNKCx4KDAoFBAECBgESA0ofKAoMCgUEAQIGAxIDSissCgsKBAQBAgcSA0sCLgoMCgUEAQIHBBIDSwIKCgwKBQQBAgcGEgNLCyEKDAoFBAECBwESA0siKQoMCgUEAQIHAxIDSywtCgsKBAQBAggSA0wCLgoMCgUEAQIIBBIDTAIKCgwKBQQBAggGEgNMCx8KDAoFBAECCAESA0wgKQoMCgUEAQIIAxIDTCwtCgsKBAQBAgkSA04CIwoMCgUEAQIJBBIDTgIKCgwKBQQBAgkGEgNOCxYKDAoFBAECCQESA04XHgoMCgUEAQIJAxIDTiEiCvQBCgQEAQIKEgNUAi8a5gEgVGhpcyBmaWVsZCBjb250YWlucyBvcHRpb25hbCBpbmZvcm1hdGlvbiBhYm91dCB0aGUgb3JpZ2luYWwgc291cmNlIGNvZGUuCiBZb3UgbWF5IHNhZmVseSByZW1vdmUgdGhpcyBlbnRpcmUgZmllbGQgd2l0aG91dCBoYXJtaW5nIHJ1bnRpbWUKIGZ1bmN0aW9uYWxpdHkgb2YgdGhlIGRlc2NyaXB0b3JzIC0tIHRoZSBpbmZvcm1hdGlvbiBpcyBuZWVkZWQgb25seSBieQogZGV2ZWxvcG1lbnQgdG9vbHMuCgoMCgUEAQIKBBIDVAIKCgwKBQQBAgoGEgNUCxkKDAoFBAECCgESA1QaKgoMCgUEAQIKAxIDVC0uCl0KBAQBAgsSA1gCHhpQIFRoZSBzeW50YXggb2YgdGhlIHByb3RvIGZpbGUuCiBUaGUgc3VwcG9ydGVkIHZhbHVlcyBhcmUgInByb3RvMiIgYW5kICJwcm90bzMiLgoKDAoFBAECCwQSA1gCCgoMCgUEAQILBRIDWAsRCgwKBQQBAgsBEgNYEhgKDAoFBAECCwMSA1gbHQonCgIEAhIEXAB8ARobIERlc2NyaWJlcyBhIG1lc3NhZ2UgdHlwZS4KCgoKAwQCARIDXAgXCgsKBAQCAgASA10CGwoMCgUEAgIABBIDXQIKCgwKBQQCAgAFEgNdCxEKDAoFBAICAAESA10SFgoMCgUEAgIAAxIDXRkaCgsKBAQCAgESA18CKgoMCgUEAgIBBBIDXwIKCgwKBQQCAgEGEgNfCx8KDAoFBAICAQESA18gJQoMCgUEAgIBAxIDXygpCgsKBAQCAgISA2ACLgoMCgUEAgICBBIDYAIKCgwKBQQCAgIGEgNgCx8KDAoFBAICAgESA2AgKQoMCgUEAgICAxIDYCwtCgsKBAQCAgMSA2ICKwoMCgUEAgIDBBIDYgIKCgwKBQQCAgMGEgNiCxoKDAoFBAICAwESA2IbJgoMCgUEAgIDAxIDYikqCgsKBAQCAgQSA2MCLQoMCgUEAgIEBBIDYwIKCgwKBQQCAgQGEgNjCx4KDAoFBAICBAESA2MfKAoMCgUEAgIEAxIDYyssCgwKBAQCAwASBGUCagMKDAoFBAIDAAESA2UKGAoNCgYEAgMAAgASA2YEHQoOCgcEAgMAAgAEEgNmBAwKDgoHBAIDAAIABRIDZg0SCg4KBwQCAwACAAESA2YTGAoOCgcEAgMAAgADEgNmGxwKDQoGBAIDAAIBEgNnBBsKDgoHBA
IDAAIBBBIDZwQMCg4KBwQCAwACAQUSA2cNEgoOCgcEAgMAAgEBEgNnExYKDgoHBAIDAAIBAxIDZxkaCg0KBgQCAwACAhIDaQQvCg4KBwQCAwACAgQSA2kEDAoOCgcEAgMAAgIGEgNpDSIKDgoHBAIDAAICARIDaSMqCg4KBwQCAwACAgMSA2ktLgoLCgQEAgIFEgNrAi4KDAoFBAICBQQSA2sCCgoMCgUEAgIFBhIDawsZCgwKBQQCAgUBEgNrGikKDAoFBAICBQMSA2ssLQoLCgQEAgIGEgNtAi8KDAoFBAICBgQSA20CCgoMCgUEAgIGBhIDbQsfCgwKBQQCAgYBEgNtICoKDAoFBAICBgMSA20tLgoLCgQEAgIHEgNvAiYKDAoFBAICBwQSA28CCgoMCgUEAgIHBhIDbwsZCgwKBQQCAgcBEgNvGiEKDAoFBAICBwMSA28kJQqqAQoEBAIDARIEdAJ3AxqbASBSYW5nZSBvZiByZXNlcnZlZCB0YWcgbnVtYmVycy4gUmVzZXJ2ZWQgdGFnIG51bWJlcnMgbWF5IG5vdCBiZSB1c2VkIGJ5CiBmaWVsZHMgb3IgZXh0ZW5zaW9uIHJhbmdlcyBpbiB0aGUgc2FtZSBtZXNzYWdlLiBSZXNlcnZlZCByYW5nZXMgbWF5CiBub3Qgb3ZlcmxhcC4KCgwKBQQCAwEBEgN0ChcKGwoGBAIDAQIAEgN1BB0iDCBJbmNsdXNpdmUuCgoOCgcEAgMBAgAEEgN1BAwKDgoHBAIDAQIABRIDdQ0SCg4KBwQCAwECAAESA3UTGAoOCgcEAgMBAgADEgN1GxwKGwoGBAIDAQIBEgN2BBsiDCBFeGNsdXNpdmUuCgoOCgcEAgMBAgEEEgN2BAwKDgoHBAIDAQIBBRIDdg0SCg4KBwQCAwECAQESA3YTFgoOCgcEAgMBAgEDEgN2GRoKCwoEBAICCBIDeAIsCgwKBQQCAggEEgN4AgoKDAoFBAICCAYSA3gLGAoMCgUEAgIIARIDeBknCgwKBQQCAggDEgN4KisKggEKBAQCAgkSA3sCJRp1IFJlc2VydmVkIGZpZWxkIG5hbWVzLCB3aGljaCBtYXkgbm90IGJlIHVzZWQgYnkgZmllbGRzIGluIHRoZSBzYW1lIG1lc3NhZ2UuCiBBIGdpdmVuIG5hbWUgbWF5IG9ubHkgYmUgcmVzZXJ2ZWQgb25jZS4KCgwKBQQCAgkEEgN7AgoKDAoFBAICCQUSA3sLEQoMCgUEAgIJARIDexIfCgwKBQQCAgkDEgN7IiQKCwoCBAMSBX4AhAEBCgoKAwQDARIDfggdCk8KBAQDAgASBIABAjoaQSBUaGUgcGFyc2VyIHN0b3JlcyBvcHRpb25zIGl0IGRvZXNuJ3QgcmVjb2duaXplIGhlcmUuIFNlZSBhYm92ZS4KCg0KBQQDAgAEEgSAAQIKCg0KBQQDAgAGEgSAAQseCg0KBQQDAgABEgSAAR8zCg0KBQQDAgADEgSAATY5CloKAwQDBRIEgwECGRpNIENsaWVudHMgY2FuIGRlZmluZSBjdXN0b20gb3B0aW9ucyBpbiBleHRlbnNpb25zIG9mIHRoaXMgbWVzc2FnZS4gU2VlIGFib3ZlLgoKDAoEBAMFABIEgwENGAoNCgUEAwUAARIEgwENEQoNCgUEAwUAAhIEgwEVGAozCgIEBBIGhwEA1QEBGiUgRGVzY3JpYmVzIGEgZmllbGQgd2l0aGluIGEgbWVzc2FnZS4KCgsKAwQEARIEhwEIHAoOCgQEBAQAEgaIAQKnAQMKDQoFBAQEAAESBIgBBwsKUwoGBAQEAAIAEgSLAQQcGkMgMCBpcyByZXNlcnZlZCBmb3IgZXJyb3JzLgogT3JkZXIgaXMgd2VpcmQgZm9yIGhpc3RvcmljYWwgcmVhc29ucy4KCg8KBwQEBAACAAESBIsBBA8KDwoHBAQEAAIAAhIEiwEaGwoOCgYEBA
QAAgESBIwBBBwKDwoHBAQEAAIBARIEjAEEDgoPCgcEBAQAAgECEgSMARobCncKBgQEBAACAhIEjwEEHBpnIE5vdCBaaWdaYWcgZW5jb2RlZC4gIE5lZ2F0aXZlIG51bWJlcnMgdGFrZSAxMCBieXRlcy4gIFVzZSBUWVBFX1NJTlQ2NCBpZgogbmVnYXRpdmUgdmFsdWVzIGFyZSBsaWtlbHkuCgoPCgcEBAQAAgIBEgSPAQQOCg8KBwQEBAACAgISBI8BGhsKDgoGBAQEAAIDEgSQAQQcCg8KBwQEBAACAwESBJABBA8KDwoHBAQEAAIDAhIEkAEaGwp3CgYEBAQAAgQSBJMBBBwaZyBOb3QgWmlnWmFnIGVuY29kZWQuICBOZWdhdGl2ZSBudW1iZXJzIHRha2UgMTAgYnl0ZXMuICBVc2UgVFlQRV9TSU5UMzIgaWYKIG5lZ2F0aXZlIHZhbHVlcyBhcmUgbGlrZWx5LgoKDwoHBAQEAAIEARIEkwEEDgoPCgcEBAQAAgQCEgSTARobCg4KBgQEBAACBRIElAEEHAoPCgcEBAQAAgUBEgSUAQQQCg8KBwQEBAACBQISBJQBGhsKDgoGBAQEAAIGEgSVAQQcCg8KBwQEBAACBgESBJUBBBAKDwoHBAQEAAIGAhIElQEaGwoOCgYEBAQAAgcSBJYBBBwKDwoHBAQEAAIHARIElgEEDQoPCgcEBAQAAgcCEgSWARobCg4KBgQEBAACCBIElwEEHAoPCgcEBAQAAggBEgSXAQQPCg8KBwQEBAACCAISBJcBGhsK4gEKBgQEBAACCRIEnAEEHRrRASBUYWctZGVsaW1pdGVkIGFnZ3JlZ2F0ZS4KIEdyb3VwIHR5cGUgaXMgZGVwcmVjYXRlZCBhbmQgbm90IHN1cHBvcnRlZCBpbiBwcm90bzMuIEhvd2V2ZXIsIFByb3RvMwogaW1wbGVtZW50YXRpb25zIHNob3VsZCBzdGlsbCBiZSBhYmxlIHRvIHBhcnNlIHRoZSBncm91cCB3aXJlIGZvcm1hdCBhbmQKIHRyZWF0IGdyb3VwIGZpZWxkcyBhcyB1bmtub3duIGZpZWxkcy4KCg8KBwQEBAACCQESBJwBBA4KDwoHBAQEAAIJAhIEnAEaHAotCgYEBAQAAgoSBJ0BBB0iHSBMZW5ndGgtZGVsaW1pdGVkIGFnZ3JlZ2F0ZS4KCg8KBwQEBAACCgESBJ0BBBAKDwoHBAQEAAIKAhIEnQEaHAojCgYEBAQAAgsSBKABBB0aEyBOZXcgaW4gdmVyc2lvbiAyLgoKDwoHBAQEAAILARIEoAEEDgoPCgcEBAQAAgsCEgSgARocCg4KBgQEBAACDBIEoQEEHQoPCgcEBAQAAgwBEgShAQQPCg8KBwQEBAACDAISBKEBGhwKDgoGBAQEAAINEgSiAQQdCg8KBwQEBAACDQESBKIBBA0KDwoHBAQEAAINAhIEogEaHAoOCgYEBAQAAg4SBKMBBB0KDwoHBAQEAAIOARIEowEEEQoPCgcEBAQAAg4CEgSjARocCg4KBgQEBAACDxIEpAEEHQoPCgcEBAQAAg8BEgSkAQQRCg8KBwQEBAACDwISBKQBGhwKJwoGBAQEAAIQEgSlAQQdIhcgVXNlcyBaaWdaYWcgZW5jb2RpbmcuCgoPCgcEBAQAAhABEgSlAQQPCg8KBwQEBAACEAISBKUBGhwKJwoGBAQEAAIREgSmAQQdIhcgVXNlcyBaaWdaYWcgZW5jb2RpbmcuCgoPCgcEBAQAAhEBEgSmAQQPCg8KBwQEBAACEQISBKYBGhwKDgoEBAQEARIGqQECrgEDCg0KBQQEBAEBEgSpAQcMCioKBgQEBAECABIEqwEEHBoaIDAgaXMgcmVzZXJ2ZWQgZm9yIGVycm9ycwoKDwoHBAQEAQIAARIEqwEEEgoPCgcEBAQBAgACEgSrARobCg4KBgQEBAECARIErAEEHAoPCgcEBA
QBAgEBEgSsAQQSCg8KBwQEBAECAQISBKwBGhsKDgoGBAQEAQICEgStAQQcCg8KBwQEBAECAgESBK0BBBIKDwoHBAQEAQICAhIErQEaGwoMCgQEBAIAEgSwAQIbCg0KBQQEAgAEEgSwAQIKCg0KBQQEAgAFEgSwAQsRCg0KBQQEAgABEgSwARIWCg0KBQQEAgADEgSwARkaCgwKBAQEAgESBLEBAhwKDQoFBAQCAQQSBLEBAgoKDQoFBAQCAQUSBLEBCxAKDQoFBAQCAQESBLEBERcKDQoFBAQCAQMSBLEBGhsKDAoEBAQCAhIEsgECGwoNCgUEBAICBBIEsgECCgoNCgUEBAICBhIEsgELEAoNCgUEBAICARIEsgERFgoNCgUEBAICAxIEsgEZGgqcAQoEBAQCAxIEtgECGRqNASBJZiB0eXBlX25hbWUgaXMgc2V0LCB0aGlzIG5lZWQgbm90IGJlIHNldC4gIElmIGJvdGggdGhpcyBhbmQgdHlwZV9uYW1lCiBhcmUgc2V0LCB0aGlzIG11c3QgYmUgb25lIG9mIFRZUEVfRU5VTSwgVFlQRV9NRVNTQUdFIG9yIFRZUEVfR1JPVVAuCgoNCgUEBAIDBBIEtgECCgoNCgUEBAIDBhIEtgELDwoNCgUEBAIDARIEtgEQFAoNCgUEBAIDAxIEtgEXGAq3AgoEBAQCBBIEvQECIBqoAiBGb3IgbWVzc2FnZSBhbmQgZW51bSB0eXBlcywgdGhpcyBpcyB0aGUgbmFtZSBvZiB0aGUgdHlwZS4gIElmIHRoZSBuYW1lCiBzdGFydHMgd2l0aCBhICcuJywgaXQgaXMgZnVsbHktcXVhbGlmaWVkLiAgT3RoZXJ3aXNlLCBDKystbGlrZSBzY29waW5nCiBydWxlcyBhcmUgdXNlZCB0byBmaW5kIHRoZSB0eXBlIChpLmUuIGZpcnN0IHRoZSBuZXN0ZWQgdHlwZXMgd2l0aGluIHRoaXMKIG1lc3NhZ2UgYXJlIHNlYXJjaGVkLCB0aGVuIHdpdGhpbiB0aGUgcGFyZW50LCBvbiB1cCB0byB0aGUgcm9vdAogbmFtZXNwYWNlKS4KCg0KBQQEAgQEEgS9AQIKCg0KBQQEAgQFEgS9AQsRCg0KBQQEAgQBEgS9ARIbCg0KBQQEAgQDEgS9AR4fCn4KBAQEAgUSBMEBAh8acCBGb3IgZXh0ZW5zaW9ucywgdGhpcyBpcyB0aGUgbmFtZSBvZiB0aGUgdHlwZSBiZWluZyBleHRlbmRlZC4gIEl0IGlzCiByZXNvbHZlZCBpbiB0aGUgc2FtZSBtYW5uZXIgYXMgdHlwZV9uYW1lLgoKDQoFBAQCBQQSBMEBAgoKDQoFBAQCBQUSBMEBCxEKDQoFBAQCBQESBMEBEhoKDQoFBAQCBQMSBMEBHR4KsQIKBAQEAgYSBMgBAiQaogIgRm9yIG51bWVyaWMgdHlwZXMsIGNvbnRhaW5zIHRoZSBvcmlnaW5hbCB0ZXh0IHJlcHJlc2VudGF0aW9uIG9mIHRoZSB2YWx1ZS4KIEZvciBib29sZWFucywgInRydWUiIG9yICJmYWxzZSIuCiBGb3Igc3RyaW5ncywgY29udGFpbnMgdGhlIGRlZmF1bHQgdGV4dCBjb250ZW50cyAobm90IGVzY2FwZWQgaW4gYW55IHdheSkuCiBGb3IgYnl0ZXMsIGNvbnRhaW5zIHRoZSBDIGVzY2FwZWQgdmFsdWUuICBBbGwgYnl0ZXMgPj0gMTI4IGFyZSBlc2NhcGVkLgogVE9ETyhrZW50b24pOiAgQmFzZS02NCBlbmNvZGU/CgoNCgUEBAIGBBIEyAECCgoNCgUEBAIGBRIEyAELEQoNCgUEBAIGARIEyAESHwoNCgUEBAIGAxIEyAEiIwqEAQoEBAQCBxIEzAECIRp2IElmIHNldCwgZ2l2ZXMgdGhlIGluZGV4IG9mIGEgb25lb2
YgaW4gdGhlIGNvbnRhaW5pbmcgdHlwZSdzIG9uZW9mX2RlY2wKIGxpc3QuICBUaGlzIGZpZWxkIGlzIGEgbWVtYmVyIG9mIHRoYXQgb25lb2YuCgoNCgUEBAIHBBIEzAECCgoNCgUEBAIHBRIEzAELEAoNCgUEBAIHARIEzAERHAoNCgUEBAIHAxIEzAEfIAr6AQoEBAQCCBIE0gECIRrrASBKU09OIG5hbWUgb2YgdGhpcyBmaWVsZC4gVGhlIHZhbHVlIGlzIHNldCBieSBwcm90b2NvbCBjb21waWxlci4gSWYgdGhlCiB1c2VyIGhhcyBzZXQgYSAianNvbl9uYW1lIiBvcHRpb24gb24gdGhpcyBmaWVsZCwgdGhhdCBvcHRpb24ncyB2YWx1ZQogd2lsbCBiZSB1c2VkLiBPdGhlcndpc2UsIGl0J3MgZGVkdWNlZCBmcm9tIHRoZSBmaWVsZCdzIG5hbWUgYnkgY29udmVydGluZwogaXQgdG8gY2FtZWxDYXNlLgoKDQoFBAQCCAQSBNIBAgoKDQoFBAQCCAUSBNIBCxEKDQoFBAQCCAESBNIBEhsKDQoFBAQCCAMSBNIBHiAKDAoEBAQCCRIE1AECJAoNCgUEBAIJBBIE1AECCgoNCgUEBAIJBhIE1AELFwoNCgUEBAIJARIE1AEYHwoNCgUEBAIJAxIE1AEiIwoiCgIEBRIG2AEA2wEBGhQgRGVzY3JpYmVzIGEgb25lb2YuCgoLCgMEBQESBNgBCBwKDAoEBAUCABIE2QECGwoNCgUEBQIABBIE2QECCgoNCgUEBQIABRIE2QELEQoNCgUEBQIAARIE2QESFgoNCgUEBQIAAxIE2QEZGgoMCgQEBQIBEgTaAQIkCg0KBQQFAgEEEgTaAQIKCg0KBQQFAgEGEgTaAQsXCg0KBQQFAgEBEgTaARgfCg0KBQQFAgEDEgTaASIjCicKAgQGEgbeAQD4AQEaGSBEZXNjcmliZXMgYW4gZW51bSB0eXBlLgoKCwoDBAYBEgTeAQgbCgwKBAQGAgASBN8BAhsKDQoFBAYCAAQSBN8BAgoKDQoFBAYCAAUSBN8BCxEKDQoFBAYCAAESBN8BEhYKDQoFBAYCAAMSBN8BGRoKDAoEBAYCARIE4QECLgoNCgUEBgIBBBIE4QECCgoNCgUEBgIBBhIE4QELIwoNCgUEBgIBARIE4QEkKQoNCgUEBgIBAxIE4QEsLQoMCgQEBgICEgTjAQIjCg0KBQQGAgIEEgTjAQIKCg0KBQQGAgIGEgTjAQsWCg0KBQQGAgIBEgTjARceCg0KBQQGAgIDEgTjASEiCq8CCgQEBgMAEgbrAQLuAQMangIgUmFuZ2Ugb2YgcmVzZXJ2ZWQgbnVtZXJpYyB2YWx1ZXMuIFJlc2VydmVkIHZhbHVlcyBtYXkgbm90IGJlIHVzZWQgYnkKIGVudHJpZXMgaW4gdGhlIHNhbWUgZW51bS4gUmVzZXJ2ZWQgcmFuZ2VzIG1heSBub3Qgb3ZlcmxhcC4KCiBOb3RlIHRoYXQgdGhpcyBpcyBkaXN0aW5jdCBmcm9tIERlc2NyaXB0b3JQcm90by5SZXNlcnZlZFJhbmdlIGluIHRoYXQgaXQKIGlzIGluY2x1c2l2ZSBzdWNoIHRoYXQgaXQgY2FuIGFwcHJvcHJpYXRlbHkgcmVwcmVzZW50IHRoZSBlbnRpcmUgaW50MzIKIGRvbWFpbi4KCg0KBQQGAwABEgTrAQobChwKBgQGAwACABIE7AEEHSIMIEluY2x1c2l2ZS4KCg8KBwQGAwACAAQSBOwBBAwKDwoHBAYDAAIABRIE7AENEgoPCgcEBgMAAgABEgTsARMYCg8KBwQGAwACAAMSBOwBGxwKHAoGBAYDAAIBEgTtAQQbIgwgSW5jbHVzaXZlLgoKDwoHBAYDAAIBBBIE7QEEDAoPCgcEBgMAAgEFEgTtAQ0SCg8KBwQGAwACAQESBO
0BExYKDwoHBAYDAAIBAxIE7QEZGgqqAQoEBAYCAxIE8wECMBqbASBSYW5nZSBvZiByZXNlcnZlZCBudW1lcmljIHZhbHVlcy4gUmVzZXJ2ZWQgbnVtZXJpYyB2YWx1ZXMgbWF5IG5vdCBiZSB1c2VkCiBieSBlbnVtIHZhbHVlcyBpbiB0aGUgc2FtZSBlbnVtIGRlY2xhcmF0aW9uLiBSZXNlcnZlZCByYW5nZXMgbWF5IG5vdAogb3ZlcmxhcC4KCg0KBQQGAgMEEgTzAQIKCg0KBQQGAgMGEgTzAQscCg0KBQQGAgMBEgTzAR0rCg0KBQQGAgMDEgTzAS4vCmwKBAQGAgQSBPcBAiQaXiBSZXNlcnZlZCBlbnVtIHZhbHVlIG5hbWVzLCB3aGljaCBtYXkgbm90IGJlIHJldXNlZC4gQSBnaXZlbiBuYW1lIG1heSBvbmx5CiBiZSByZXNlcnZlZCBvbmNlLgoKDQoFBAYCBAQSBPcBAgoKDQoFBAYCBAUSBPcBCxEKDQoFBAYCBAESBPcBEh8KDQoFBAYCBAMSBPcBIiMKMQoCBAcSBvsBAIACARojIERlc2NyaWJlcyBhIHZhbHVlIHdpdGhpbiBhbiBlbnVtLgoKCwoDBAcBEgT7AQggCgwKBAQHAgASBPwBAhsKDQoFBAcCAAQSBPwBAgoKDQoFBAcCAAUSBPwBCxEKDQoFBAcCAAESBPwBEhYKDQoFBAcCAAMSBPwBGRoKDAoEBAcCARIE/QECHAoNCgUEBwIBBBIE/QECCgoNCgUEBwIBBRIE/QELEAoNCgUEBwIBARIE/QERFwoNCgUEBwIBAxIE/QEaGwoMCgQEBwICEgT/AQIoCg0KBQQHAgIEEgT/AQIKCg0KBQQHAgIGEgT/AQsbCg0KBQQHAgIBEgT/ARwjCg0KBQQHAgIDEgT/ASYnCiQKAgQIEgaDAgCIAgEaFiBEZXNjcmliZXMgYSBzZXJ2aWNlLgoKCwoDBAgBEgSDAggeCgwKBAQIAgASBIQCAhsKDQoFBAgCAAQSBIQCAgoKDQoFBAgCAAUSBIQCCxEKDQoFBAgCAAESBIQCEhYKDQoFBAgCAAMSBIQCGRoKDAoEBAgCARIEhQICLAoNCgUECAIBBBIEhQICCgoNCgUECAIBBhIEhQILIAoNCgUECAIBARIEhQIhJwoNCgUECAIBAxIEhQIqKwoMCgQECAICEgSHAgImCg0KBQQIAgIEEgSHAgIKCg0KBQQIAgIGEgSHAgsZCg0KBQQIAgIBEgSHAhohCg0KBQQIAgIDEgSHAiQlCjAKAgQJEgaLAgCZAgEaIiBEZXNjcmliZXMgYSBtZXRob2Qgb2YgYSBzZXJ2aWNlLgoKCwoDBAkBEgSLAggdCgwKBAQJAgASBIwCAhsKDQoFBAkCAAQSBIwCAgoKDQoFBAkCAAUSBIwCCxEKDQoFBAkCAAESBIwCEhYKDQoFBAkCAAMSBIwCGRoKlwEKBAQJAgESBJACAiEaiAEgSW5wdXQgYW5kIG91dHB1dCB0eXBlIG5hbWVzLiAgVGhlc2UgYXJlIHJlc29sdmVkIGluIHRoZSBzYW1lIHdheSBhcwogRmllbGREZXNjcmlwdG9yUHJvdG8udHlwZV9uYW1lLCBidXQgbXVzdCByZWZlciB0byBhIG1lc3NhZ2UgdHlwZS4KCg0KBQQJAgEEEgSQAgIKCg0KBQQJAgEFEgSQAgsRCg0KBQQJAgEBEgSQAhIcCg0KBQQJAgEDEgSQAh8gCgwKBAQJAgISBJECAiIKDQoFBAkCAgQSBJECAgoKDQoFBAkCAgUSBJECCxEKDQoFBAkCAgESBJECEh0KDQoFBAkCAgMSBJECICEKDAoEBAkCAxIEkwICJQoNCgUECQIDBBIEkwICCgoNCgUECQIDBhIEkwILGAoNCgUECQIDARIEkwIZIAoNCgUECQIDAxIEkwIjJApFCgQECQIEEgSWAgI1GjcgSW
RlbnRpZmllcyBpZiBjbGllbnQgc3RyZWFtcyBtdWx0aXBsZSBjbGllbnQgbWVzc2FnZXMKCg0KBQQJAgQEEgSWAgIKCg0KBQQJAgQFEgSWAgsPCg0KBQQJAgQBEgSWAhAgCg0KBQQJAgQDEgSWAiMkCg0KBQQJAgQIEgSWAiU0Cg0KBQQJAgQHEgSWAi4zCkUKBAQJAgUSBJgCAjUaNyBJZGVudGlmaWVzIGlmIHNlcnZlciBzdHJlYW1zIG11bHRpcGxlIHNlcnZlciBtZXNzYWdlcwoKDQoFBAkCBQQSBJgCAgoKDQoFBAkCBQUSBJgCCw8KDQoFBAkCBQESBJgCECAKDQoFBAkCBQMSBJgCIyQKDQoFBAkCBQgSBJgCJTQKDQoFBAkCBQcSBJgCLjMKrw4KAgQKEga9AgCsAwEyTiA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09CiBPcHRpb25zCjLQDSBFYWNoIG9mIHRoZSBkZWZpbml0aW9ucyBhYm92ZSBtYXkgaGF2ZSAib3B0aW9ucyIgYXR0YWNoZWQuICBUaGVzZSBhcmUKIGp1c3QgYW5ub3RhdGlvbnMgd2hpY2ggbWF5IGNhdXNlIGNvZGUgdG8gYmUgZ2VuZXJhdGVkIHNsaWdodGx5IGRpZmZlcmVudGx5CiBvciBtYXkgY29udGFpbiBoaW50cyBmb3IgY29kZSB0aGF0IG1hbmlwdWxhdGVzIHByb3RvY29sIG1lc3NhZ2VzLgoKIENsaWVudHMgbWF5IGRlZmluZSBjdXN0b20gb3B0aW9ucyBhcyBleHRlbnNpb25zIG9mIHRoZSAqT3B0aW9ucyBtZXNzYWdlcy4KIFRoZXNlIGV4dGVuc2lvbnMgbWF5IG5vdCB5ZXQgYmUga25vd24gYXQgcGFyc2luZyB0aW1lLCBzbyB0aGUgcGFyc2VyIGNhbm5vdAogc3RvcmUgdGhlIHZhbHVlcyBpbiB0aGVtLiAgSW5zdGVhZCBpdCBzdG9yZXMgdGhlbSBpbiBhIGZpZWxkIGluIHRoZSAqT3B0aW9ucwogbWVzc2FnZSBjYWxsZWQgdW5pbnRlcnByZXRlZF9vcHRpb24uIFRoaXMgZmllbGQgbXVzdCBoYXZlIHRoZSBzYW1lIG5hbWUKIGFjcm9zcyBhbGwgKk9wdGlvbnMgbWVzc2FnZXMuIFdlIHRoZW4gdXNlIHRoaXMgZmllbGQgdG8gcG9wdWxhdGUgdGhlCiBleHRlbnNpb25zIHdoZW4gd2UgYnVpbGQgYSBkZXNjcmlwdG9yLCBhdCB3aGljaCBwb2ludCBhbGwgcHJvdG9zIGhhdmUgYmVlbgogcGFyc2VkIGFuZCBzbyBhbGwgZXh0ZW5zaW9ucyBhcmUga25vd24uCgogRXh0ZW5zaW9uIG51bWJlcnMgZm9yIGN1c3RvbSBvcHRpb25zIG1heSBiZSBjaG9zZW4gYXMgZm9sbG93czoKICogRm9yIG9wdGlvbnMgd2hpY2ggd2lsbCBvbmx5IGJlIHVzZWQgd2l0aGluIGEgc2luZ2xlIGFwcGxpY2F0aW9uIG9yCiAgIG9yZ2FuaXphdGlvbiwgb3IgZm9yIGV4cGVyaW1lbnRhbCBvcHRpb25zLCB1c2UgZmllbGQgbnVtYmVycyA1MDAwMAogICB0aHJvdWdoIDk5OTk5LiAgSXQgaXMgdXAgdG8geW91IHRvIGVuc3VyZSB0aGF0IHlvdSBkbyBub3QgdXNlIHRoZQogICBzYW1lIG51bWJlciBmb3IgbXVsdGlwbGUgb3B0aW9ucy4KICogRm9yIG9wdGlvbnMgd2hpY2ggd2lsbCBiZSBwdWJsaXNoZWQgYW5kIHVzZWQgcHVibGljbHkgYnkgbXVsdGlwbGUKICAgaW5kZXBlbmRlbn
QgZW50aXRpZXMsIGUtbWFpbCBwcm90b2J1Zi1nbG9iYWwtZXh0ZW5zaW9uLXJlZ2lzdHJ5QGdvb2dsZS5jb20KICAgdG8gcmVzZXJ2ZSBleHRlbnNpb24gbnVtYmVycy4gU2ltcGx5IHByb3ZpZGUgeW91ciBwcm9qZWN0IG5hbWUgKGUuZy4KICAgT2JqZWN0aXZlLUMgcGx1Z2luKSBhbmQgeW91ciBwcm9qZWN0IHdlYnNpdGUgKGlmIGF2YWlsYWJsZSkgLS0gdGhlcmUncyBubwogICBuZWVkIHRvIGV4cGxhaW4gaG93IHlvdSBpbnRlbmQgdG8gdXNlIHRoZW0uIFVzdWFsbHkgeW91IG9ubHkgbmVlZCBvbmUKICAgZXh0ZW5zaW9uIG51bWJlci4gWW91IGNhbiBkZWNsYXJlIG11bHRpcGxlIG9wdGlvbnMgd2l0aCBvbmx5IG9uZSBleHRlbnNpb24KICAgbnVtYmVyIGJ5IHB1dHRpbmcgdGhlbSBpbiBhIHN1Yi1tZXNzYWdlLiBTZWUgdGhlIEN1c3RvbSBPcHRpb25zIHNlY3Rpb24gb2YKICAgdGhlIGRvY3MgZm9yIGV4YW1wbGVzOgogICBodHRwczovL2RldmVsb3BlcnMuZ29vZ2xlLmNvbS9wcm90b2NvbC1idWZmZXJzL2RvY3MvcHJvdG8jb3B0aW9ucwogICBJZiB0aGlzIHR1cm5zIG91dCB0byBiZSBwb3B1bGFyLCBhIHdlYiBzZXJ2aWNlIHdpbGwgYmUgc2V0IHVwCiAgIHRvIGF1dG9tYXRpY2FsbHkgYXNzaWduIG9wdGlvbiBudW1iZXJzLgoKCwoDBAoBEgS9AggTCvQBCgQECgIAEgTDAgIjGuUBIFNldHMgdGhlIEphdmEgcGFja2FnZSB3aGVyZSBjbGFzc2VzIGdlbmVyYXRlZCBmcm9tIHRoaXMgLnByb3RvIHdpbGwgYmUKIHBsYWNlZC4gIEJ5IGRlZmF1bHQsIHRoZSBwcm90byBwYWNrYWdlIGlzIHVzZWQsIGJ1dCB0aGlzIGlzIG9mdGVuCiBpbmFwcHJvcHJpYXRlIGJlY2F1c2UgcHJvdG8gcGFja2FnZXMgZG8gbm90IG5vcm1hbGx5IHN0YXJ0IHdpdGggYmFja3dhcmRzCiBkb21haW4gbmFtZXMuCgoNCgUECgIABBIEwwICCgoNCgUECgIABRIEwwILEQoNCgUECgIAARIEwwISHgoNCgUECgIAAxIEwwIhIgq/AgoEBAoCARIEywICKxqwAiBJZiBzZXQsIGFsbCB0aGUgY2xhc3NlcyBmcm9tIHRoZSAucHJvdG8gZmlsZSBhcmUgd3JhcHBlZCBpbiBhIHNpbmdsZQogb3V0ZXIgY2xhc3Mgd2l0aCB0aGUgZ2l2ZW4gbmFtZS4gIFRoaXMgYXBwbGllcyB0byBib3RoIFByb3RvMQogKGVxdWl2YWxlbnQgdG8gdGhlIG9sZCAiLS1vbmVfamF2YV9maWxlIiBvcHRpb24pIGFuZCBQcm90bzIgKHdoZXJlCiBhIC5wcm90byBhbHdheXMgdHJhbnNsYXRlcyB0byBhIHNpbmdsZSBjbGFzcywgYnV0IHlvdSBtYXkgd2FudCB0bwogZXhwbGljaXRseSBjaG9vc2UgdGhlIGNsYXNzIG5hbWUpLgoKDQoFBAoCAQQSBMsCAgoKDQoFBAoCAQUSBMsCCxEKDQoFBAoCAQESBMsCEiYKDQoFBAoCAQMSBMsCKSoKowMKBAQKAgISBNMCAjkalAMgSWYgc2V0IHRydWUsIHRoZW4gdGhlIEphdmEgY29kZSBnZW5lcmF0b3Igd2lsbCBnZW5lcmF0ZSBhIHNlcGFyYXRlIC5qYXZhCiBmaWxlIGZvciBlYWNoIHRvcC1sZXZlbCBtZXNzYWdlLCBlbnVtLCBhbmQgc2VydmljZSBkZWZpbmVkIG
luIHRoZSAucHJvdG8KIGZpbGUuICBUaHVzLCB0aGVzZSB0eXBlcyB3aWxsICpub3QqIGJlIG5lc3RlZCBpbnNpZGUgdGhlIG91dGVyIGNsYXNzCiBuYW1lZCBieSBqYXZhX291dGVyX2NsYXNzbmFtZS4gIEhvd2V2ZXIsIHRoZSBvdXRlciBjbGFzcyB3aWxsIHN0aWxsIGJlCiBnZW5lcmF0ZWQgdG8gY29udGFpbiB0aGUgZmlsZSdzIGdldERlc2NyaXB0b3IoKSBtZXRob2QgYXMgd2VsbCBhcyBhbnkKIHRvcC1sZXZlbCBleHRlbnNpb25zIGRlZmluZWQgaW4gdGhlIGZpbGUuCgoNCgUECgICBBIE0wICCgoNCgUECgICBRIE0wILDwoNCgUECgICARIE0wIQIwoNCgUECgICAxIE0wImKAoNCgUECgICCBIE0wIpOAoNCgUECgICBxIE0wIyNwopCgQECgIDEgTWAgJFGhsgVGhpcyBvcHRpb24gZG9lcyBub3RoaW5nLgoKDQoFBAoCAwQSBNYCAgoKDQoFBAoCAwUSBNYCCw8KDQoFBAoCAwESBNYCEC0KDQoFBAoCAwMSBNYCMDIKDQoFBAoCAwgSBNYCM0QKEAoIBAoCAwjnBwASBNYCNEMKEQoJBAoCAwjnBwACEgTWAjQ+ChIKCgQKAgMI5wcAAgASBNYCND4KEwoLBAoCAwjnBwACAAESBNYCND4KEQoJBAoCAwjnBwADEgTWAj9DCuYCCgQECgIEEgTeAgI8GtcCIElmIHNldCB0cnVlLCB0aGVuIHRoZSBKYXZhMiBjb2RlIGdlbmVyYXRvciB3aWxsIGdlbmVyYXRlIGNvZGUgdGhhdAogdGhyb3dzIGFuIGV4Y2VwdGlvbiB3aGVuZXZlciBhbiBhdHRlbXB0IGlzIG1hZGUgdG8gYXNzaWduIGEgbm9uLVVURi04CiBieXRlIHNlcXVlbmNlIHRvIGEgc3RyaW5nIGZpZWxkLgogTWVzc2FnZSByZWZsZWN0aW9uIHdpbGwgZG8gdGhlIHNhbWUuCiBIb3dldmVyLCBhbiBleHRlbnNpb24gZmllbGQgc3RpbGwgYWNjZXB0cyBub24tVVRGLTggYnl0ZSBzZXF1ZW5jZXMuCiBUaGlzIG9wdGlvbiBoYXMgbm8gZWZmZWN0IG9uIHdoZW4gdXNlZCB3aXRoIHRoZSBsaXRlIHJ1bnRpbWUuCgoNCgUECgIEBBIE3gICCgoNCgUECgIEBRIE3gILDwoNCgUECgIEARIE3gIQJgoNCgUECgIEAxIE3gIpKwoNCgUECgIECBIE3gIsOwoNCgUECgIEBxIE3gI1OgpMCgQECgQAEgbiAgLnAgMaPCBHZW5lcmF0ZWQgY2xhc3NlcyBjYW4gYmUgb3B0aW1pemVkIGZvciBzcGVlZCBvciBjb2RlIHNpemUuCgoNCgUECgQAARIE4gIHEwpECgYECgQAAgASBOMCBA4iNCBHZW5lcmF0ZSBjb21wbGV0ZSBjb2RlIGZvciBwYXJzaW5nLCBzZXJpYWxpemF0aW9uLAoKDwoHBAoEAAIAARIE4wIECQoPCgcECgQAAgACEgTjAgwNCkcKBgQKBAACARIE5QIEEhoGIGV0Yy4KIi8gVXNlIFJlZmxlY3Rpb25PcHMgdG8gaW1wbGVtZW50IHRoZXNlIG1ldGhvZHMuCgoPCgcECgQAAgEBEgTlAgQNCg8KBwQKBAACAQISBOUCEBEKRwoGBAoEAAICEgTmAgQVIjcgR2VuZXJhdGUgY29kZSB1c2luZyBNZXNzYWdlTGl0ZSBhbmQgdGhlIGxpdGUgcnVudGltZS4KCg8KBwQKBAACAgESBOYCBBAKDwoHBAoEAAICAhIE5gITFAoMCgQECgIFEgToAgI5Cg0KBQQKAgUEEgToAgIKCg0KBQQKAgUGEgToAgsXCg0KBQQKAgUBEgToAhgkCg0KBQ
QKAgUDEgToAicoCg0KBQQKAgUIEgToAik4Cg0KBQQKAgUHEgToAjI3CuICCgQECgIGEgTvAgIiGtMCIFNldHMgdGhlIEdvIHBhY2thZ2Ugd2hlcmUgc3RydWN0cyBnZW5lcmF0ZWQgZnJvbSB0aGlzIC5wcm90byB3aWxsIGJlCiBwbGFjZWQuIElmIG9taXR0ZWQsIHRoZSBHbyBwYWNrYWdlIHdpbGwgYmUgZGVyaXZlZCBmcm9tIHRoZSBmb2xsb3dpbmc6CiAgIC0gVGhlIGJhc2VuYW1lIG9mIHRoZSBwYWNrYWdlIGltcG9ydCBwYXRoLCBpZiBwcm92aWRlZC4KICAgLSBPdGhlcndpc2UsIHRoZSBwYWNrYWdlIHN0YXRlbWVudCBpbiB0aGUgLnByb3RvIGZpbGUsIGlmIHByZXNlbnQuCiAgIC0gT3RoZXJ3aXNlLCB0aGUgYmFzZW5hbWUgb2YgdGhlIC5wcm90byBmaWxlLCB3aXRob3V0IGV4dGVuc2lvbi4KCg0KBQQKAgYEEgTvAgIKCg0KBQQKAgYFEgTvAgsRCg0KBQQKAgYBEgTvAhIcCg0KBQQKAgYDEgTvAh8hCtQECgQECgIHEgT9AgI5GsUEIFNob3VsZCBnZW5lcmljIHNlcnZpY2VzIGJlIGdlbmVyYXRlZCBpbiBlYWNoIGxhbmd1YWdlPyAgIkdlbmVyaWMiIHNlcnZpY2VzCiBhcmUgbm90IHNwZWNpZmljIHRvIGFueSBwYXJ0aWN1bGFyIFJQQyBzeXN0ZW0uICBUaGV5IGFyZSBnZW5lcmF0ZWQgYnkgdGhlCiBtYWluIGNvZGUgZ2VuZXJhdG9ycyBpbiBlYWNoIGxhbmd1YWdlICh3aXRob3V0IGFkZGl0aW9uYWwgcGx1Z2lucykuCiBHZW5lcmljIHNlcnZpY2VzIHdlcmUgdGhlIG9ubHkga2luZCBvZiBzZXJ2aWNlIGdlbmVyYXRpb24gc3VwcG9ydGVkIGJ5CiBlYXJseSB2ZXJzaW9ucyBvZiBnb29nbGUucHJvdG9idWYuCgogR2VuZXJpYyBzZXJ2aWNlcyBhcmUgbm93IGNvbnNpZGVyZWQgZGVwcmVjYXRlZCBpbiBmYXZvciBvZiB1c2luZyBwbHVnaW5zCiB0aGF0IGdlbmVyYXRlIGNvZGUgc3BlY2lmaWMgdG8geW91ciBwYXJ0aWN1bGFyIFJQQyBzeXN0ZW0uICBUaGVyZWZvcmUsCiB0aGVzZSBkZWZhdWx0IHRvIGZhbHNlLiAgT2xkIGNvZGUgd2hpY2ggZGVwZW5kcyBvbiBnZW5lcmljIHNlcnZpY2VzIHNob3VsZAogZXhwbGljaXRseSBzZXQgdGhlbSB0byB0cnVlLgoKDQoFBAoCBwQSBP0CAgoKDQoFBAoCBwUSBP0CCw8KDQoFBAoCBwESBP0CECMKDQoFBAoCBwMSBP0CJigKDQoFBAoCBwgSBP0CKTgKDQoFBAoCBwcSBP0CMjcKDAoEBAoCCBIE/gICOwoNCgUECgIIBBIE/gICCgoNCgUECgIIBRIE/gILDwoNCgUECgIIARIE/gIQJQoNCgUECgIIAxIE/gIoKgoNCgUECgIICBIE/gIrOgoNCgUECgIIBxIE/gI0OQoMCgQECgIJEgT/AgI5Cg0KBQQKAgkEEgT/AgIKCg0KBQQKAgkFEgT/AgsPCg0KBQQKAgkBEgT/AhAjCg0KBQQKAgkDEgT/AiYoCg0KBQQKAgkIEgT/Aik4Cg0KBQQKAgkHEgT/AjI3CgwKBAQKAgoSBIADAjoKDQoFBAoCCgQSBIADAgoKDQoFBAoCCgUSBIADCw8KDQoFBAoCCgESBIADECQKDQoFBAoCCgMSBIADJykKDQoFBAoCCggSBIADKjkKDQoFBAoCCgcSBIADMzgK8wEKBAQKAgsSBIYDAjAa5AEgSXMgdGhpcyBmaWxlIGRlcHJlY2F0ZW
Q/CiBEZXBlbmRpbmcgb24gdGhlIHRhcmdldCBwbGF0Zm9ybSwgdGhpcyBjYW4gZW1pdCBEZXByZWNhdGVkIGFubm90YXRpb25zCiBmb3IgZXZlcnl0aGluZyBpbiB0aGUgZmlsZSwgb3IgaXQgd2lsbCBiZSBjb21wbGV0ZWx5IGlnbm9yZWQ7IGluIHRoZSB2ZXJ5CiBsZWFzdCwgdGhpcyBpcyBhIGZvcm1hbGl6YXRpb24gZm9yIGRlcHJlY2F0aW5nIGZpbGVzLgoKDQoFBAoCCwQSBIYDAgoKDQoFBAoCCwUSBIYDCw8KDQoFBAoCCwESBIYDEBoKDQoFBAoCCwMSBIYDHR8KDQoFBAoCCwgSBIYDIC8KDQoFBAoCCwcSBIYDKS4KfwoEBAoCDBIEigMCNhpxIEVuYWJsZXMgdGhlIHVzZSBvZiBhcmVuYXMgZm9yIHRoZSBwcm90byBtZXNzYWdlcyBpbiB0aGlzIGZpbGUuIFRoaXMgYXBwbGllcwogb25seSB0byBnZW5lcmF0ZWQgY2xhc3NlcyBmb3IgQysrLgoKDQoFBAoCDAQSBIoDAgoKDQoFBAoCDAUSBIoDCw8KDQoFBAoCDAESBIoDECAKDQoFBAoCDAMSBIoDIyUKDQoFBAoCDAgSBIoDJjUKDQoFBAoCDAcSBIoDLzQKkgEKBAQKAg0SBI8DAikagwEgU2V0cyB0aGUgb2JqZWN0aXZlIGMgY2xhc3MgcHJlZml4IHdoaWNoIGlzIHByZXBlbmRlZCB0byBhbGwgb2JqZWN0aXZlIGMKIGdlbmVyYXRlZCBjbGFzc2VzIGZyb20gdGhpcyAucHJvdG8uIFRoZXJlIGlzIG5vIGRlZmF1bHQuCgoNCgUECgINBBIEjwMCCgoNCgUECgINBRIEjwMLEQoNCgUECgINARIEjwMSIwoNCgUECgINAxIEjwMmKApJCgQECgIOEgSSAwIoGjsgTmFtZXNwYWNlIGZvciBnZW5lcmF0ZWQgY2xhc3NlczsgZGVmYXVsdHMgdG8gdGhlIHBhY2thZ2UuCgoNCgUECgIOBBIEkgMCCgoNCgUECgIOBRIEkgMLEQoNCgUECgIOARIEkgMSIgoNCgUECgIOAxIEkgMlJwqRAgoEBAoCDxIEmAMCJBqCAiBCeSBkZWZhdWx0IFN3aWZ0IGdlbmVyYXRvcnMgd2lsbCB0YWtlIHRoZSBwcm90byBwYWNrYWdlIGFuZCBDYW1lbENhc2UgaXQKIHJlcGxhY2luZyAnLicgd2l0aCB1bmRlcnNjb3JlIGFuZCB1c2UgdGhhdCB0byBwcmVmaXggdGhlIHR5cGVzL3N5bWJvbHMKIGRlZmluZWQuIFdoZW4gdGhpcyBvcHRpb25zIGlzIHByb3ZpZGVkLCB0aGV5IHdpbGwgdXNlIHRoaXMgdmFsdWUgaW5zdGVhZAogdG8gcHJlZml4IHRoZSB0eXBlcy9zeW1ib2xzIGRlZmluZWQuCgoNCgUECgIPBBIEmAMCCgoNCgUECgIPBRIEmAMLEQoNCgUECgIPARIEmAMSHgoNCgUECgIPAxIEmAMhIwp+CgQECgIQEgScAwIoGnAgU2V0cyB0aGUgcGhwIGNsYXNzIHByZWZpeCB3aGljaCBpcyBwcmVwZW5kZWQgdG8gYWxsIHBocCBnZW5lcmF0ZWQgY2xhc3NlcwogZnJvbSB0aGlzIC5wcm90by4gRGVmYXVsdCBpcyBlbXB0eS4KCg0KBQQKAhAEEgScAwIKCg0KBQQKAhAFEgScAwsRCg0KBQQKAhABEgScAxIiCg0KBQQKAhADEgScAyUnCr4BCgQECgIREgShAwIlGq8BIFVzZSB0aGlzIG9wdGlvbiB0byBjaGFuZ2UgdGhlIG5hbWVzcGFjZSBvZiBwaHAgZ2VuZXJhdGVkIGNsYXNzZXMuIERlZmF1bHQKIGlzIGVtcHR5LiBXaGVuIHRoaXMgb3B0aW
9uIGlzIGVtcHR5LCB0aGUgcGFja2FnZSBuYW1lIHdpbGwgYmUgdXNlZCBmb3IKIGRldGVybWluaW5nIHRoZSBuYW1lc3BhY2UuCgoNCgUECgIRBBIEoQMCCgoNCgUECgIRBRIEoQMLEQoNCgUECgIRARIEoQMSHwoNCgUECgIRAxIEoQMiJAp8CgQECgISEgSlAwI6Gm4gVGhlIHBhcnNlciBzdG9yZXMgb3B0aW9ucyBpdCBkb2Vzbid0IHJlY29nbml6ZSBoZXJlLgogU2VlIHRoZSBkb2N1bWVudGF0aW9uIGZvciB0aGUgIk9wdGlvbnMiIHNlY3Rpb24gYWJvdmUuCgoNCgUECgISBBIEpQMCCgoNCgUECgISBhIEpQMLHgoNCgUECgISARIEpQMfMwoNCgUECgISAxIEpQM2OQqHAQoDBAoFEgSpAwIZGnogQ2xpZW50cyBjYW4gZGVmaW5lIGN1c3RvbSBvcHRpb25zIGluIGV4dGVuc2lvbnMgb2YgdGhpcyBtZXNzYWdlLgogU2VlIHRoZSBkb2N1bWVudGF0aW9uIGZvciB0aGUgIk9wdGlvbnMiIHNlY3Rpb24gYWJvdmUuCgoMCgQECgUAEgSpAw0YCg0KBQQKBQABEgSpAw0RCg0KBQQKBQACEgSpAxUYCgsKAwQKCRIEqwMLDgoMCgQECgkAEgSrAwsNCg0KBQQKCQABEgSrAwsNCg0KBQQKCQACEgSrAwsNCgwKAgQLEgauAwDtAwEKCwoDBAsBEgSuAwgWCtgFCgQECwIAEgTBAwI8GskFIFNldCB0cnVlIHRvIHVzZSB0aGUgb2xkIHByb3RvMSBNZXNzYWdlU2V0IHdpcmUgZm9ybWF0IGZvciBleHRlbnNpb25zLgogVGhpcyBpcyBwcm92aWRlZCBmb3IgYmFja3dhcmRzLWNvbXBhdGliaWxpdHkgd2l0aCB0aGUgTWVzc2FnZVNldCB3aXJlCiBmb3JtYXQuICBZb3Ugc2hvdWxkIG5vdCB1c2UgdGhpcyBmb3IgYW55IG90aGVyIHJlYXNvbjogIEl0J3MgbGVzcwogZWZmaWNpZW50LCBoYXMgZmV3ZXIgZmVhdHVyZXMsIGFuZCBpcyBtb3JlIGNvbXBsaWNhdGVkLgoKIFRoZSBtZXNzYWdlIG11c3QgYmUgZGVmaW5lZCBleGFjdGx5IGFzIGZvbGxvd3M6CiAgIG1lc3NhZ2UgRm9vIHsKICAgICBvcHRpb24gbWVzc2FnZV9zZXRfd2lyZV9mb3JtYXQgPSB0cnVlOwogICAgIGV4dGVuc2lvbnMgNCB0byBtYXg7CiAgIH0KIE5vdGUgdGhhdCB0aGUgbWVzc2FnZSBjYW5ub3QgaGF2ZSBhbnkgZGVmaW5lZCBmaWVsZHM7IE1lc3NhZ2VTZXRzIG9ubHkKIGhhdmUgZXh0ZW5zaW9ucy4KCiBBbGwgZXh0ZW5zaW9ucyBvZiB5b3VyIHR5cGUgbXVzdCBiZSBzaW5ndWxhciBtZXNzYWdlczsgZS5nLiB0aGV5IGNhbm5vdAogYmUgaW50MzJzLCBlbnVtcywgb3IgcmVwZWF0ZWQgbWVzc2FnZXMuCgogQmVjYXVzZSB0aGlzIGlzIGFuIG9wdGlvbiwgdGhlIGFib3ZlIHR3byByZXN0cmljdGlvbnMgYXJlIG5vdCBlbmZvcmNlZCBieQogdGhlIHByb3RvY29sIGNvbXBpbGVyLgoKDQoFBAsCAAQSBMEDAgoKDQoFBAsCAAUSBMEDCw8KDQoFBAsCAAESBMEDECcKDQoFBAsCAAMSBMEDKisKDQoFBAsCAAgSBMEDLDsKDQoFBAsCAAcSBMEDNToK6wEKBAQLAgESBMYDAkQa3AEgRGlzYWJsZXMgdGhlIGdlbmVyYXRpb24gb2YgdGhlIHN0YW5kYXJkICJkZXNjcmlwdG9yKCkiIGFjY2Vzc29yLCB3aGljaCBjYW
4KIGNvbmZsaWN0IHdpdGggYSBmaWVsZCBvZiB0aGUgc2FtZSBuYW1lLiAgVGhpcyBpcyBtZWFudCB0byBtYWtlIG1pZ3JhdGlvbgogZnJvbSBwcm90bzEgZWFzaWVyOyBuZXcgY29kZSBzaG91bGQgYXZvaWQgZmllbGRzIG5hbWVkICJkZXNjcmlwdG9yIi4KCg0KBQQLAgEEEgTGAwIKCg0KBQQLAgEFEgTGAwsPCg0KBQQLAgEBEgTGAxAvCg0KBQQLAgEDEgTGAzIzCg0KBQQLAgEIEgTGAzRDCg0KBQQLAgEHEgTGAz1CCu4BCgQECwICEgTMAwIvGt8BIElzIHRoaXMgbWVzc2FnZSBkZXByZWNhdGVkPwogRGVwZW5kaW5nIG9uIHRoZSB0YXJnZXQgcGxhdGZvcm0sIHRoaXMgY2FuIGVtaXQgRGVwcmVjYXRlZCBhbm5vdGF0aW9ucwogZm9yIHRoZSBtZXNzYWdlLCBvciBpdCB3aWxsIGJlIGNvbXBsZXRlbHkgaWdub3JlZDsgaW4gdGhlIHZlcnkgbGVhc3QsCiB0aGlzIGlzIGEgZm9ybWFsaXphdGlvbiBmb3IgZGVwcmVjYXRpbmcgbWVzc2FnZXMuCgoNCgUECwICBBIEzAMCCgoNCgUECwICBRIEzAMLDwoNCgUECwICARIEzAMQGgoNCgUECwICAxIEzAMdHgoNCgUECwICCBIEzAMfLgoNCgUECwICBxIEzAMoLQqeBgoEBAsCAxIE4wMCHhqPBiBXaGV0aGVyIHRoZSBtZXNzYWdlIGlzIGFuIGF1dG9tYXRpY2FsbHkgZ2VuZXJhdGVkIG1hcCBlbnRyeSB0eXBlIGZvciB0aGUKIG1hcHMgZmllbGQuCgogRm9yIG1hcHMgZmllbGRzOgogICAgIG1hcDxLZXlUeXBlLCBWYWx1ZVR5cGU+IG1hcF9maWVsZCA9IDE7CiBUaGUgcGFyc2VkIGRlc2NyaXB0b3IgbG9va3MgbGlrZToKICAgICBtZXNzYWdlIE1hcEZpZWxkRW50cnkgewogICAgICAgICBvcHRpb24gbWFwX2VudHJ5ID0gdHJ1ZTsKICAgICAgICAgb3B0aW9uYWwgS2V5VHlwZSBrZXkgPSAxOwogICAgICAgICBvcHRpb25hbCBWYWx1ZVR5cGUgdmFsdWUgPSAyOwogICAgIH0KICAgICByZXBlYXRlZCBNYXBGaWVsZEVudHJ5IG1hcF9maWVsZCA9IDE7CgogSW1wbGVtZW50YXRpb25zIG1heSBjaG9vc2Ugbm90IHRvIGdlbmVyYXRlIHRoZSBtYXBfZW50cnk9dHJ1ZSBtZXNzYWdlLCBidXQKIHVzZSBhIG5hdGl2ZSBtYXAgaW4gdGhlIHRhcmdldCBsYW5ndWFnZSB0byBob2xkIHRoZSBrZXlzIGFuZCB2YWx1ZXMuCiBUaGUgcmVmbGVjdGlvbiBBUElzIGluIHN1Y2ggaW1wbGVtZW50aW9ucyBzdGlsbCBuZWVkIHRvIHdvcmsgYXMKIGlmIHRoZSBmaWVsZCBpcyBhIHJlcGVhdGVkIG1lc3NhZ2UgZmllbGQuCgogTk9URTogRG8gbm90IHNldCB0aGUgb3B0aW9uIGluIC5wcm90byBmaWxlcy4gQWx3YXlzIHVzZSB0aGUgbWFwcyBzeW50YXgKIGluc3RlYWQuIFRoZSBvcHRpb24gc2hvdWxkIG9ubHkgYmUgaW1wbGljaXRseSBzZXQgYnkgdGhlIHByb3RvIGNvbXBpbGVyCiBwYXJzZXIuCgoNCgUECwIDBBIE4wMCCgoNCgUECwIDBRIE4wMLDwoNCgUECwIDARIE4wMQGQoNCgUECwIDAxIE4wMcHQokCgMECwkSBOUDCw0iFyBqYXZhbGl0ZV9zZXJpYWxpemFibGUKCgwKBAQLCQASBOUDCwwKDQoFBAsJAAESBOUDCwwKDQoFBA
sJAAISBOUDCwwKHwoDBAsJEgTmAwsNIhIgamF2YW5hbm9fYXNfbGl0ZQoKDAoEBAsJARIE5gMLDAoNCgUECwkBARIE5gMLDAoNCgUECwkBAhIE5gMLDApPCgQECwIEEgTpAwI6GkEgVGhlIHBhcnNlciBzdG9yZXMgb3B0aW9ucyBpdCBkb2Vzbid0IHJlY29nbml6ZSBoZXJlLiBTZWUgYWJvdmUuCgoNCgUECwIEBBIE6QMCCgoNCgUECwIEBhIE6QMLHgoNCgUECwIEARIE6QMfMwoNCgUECwIEAxIE6QM2OQpaCgMECwUSBOwDAhkaTSBDbGllbnRzIGNhbiBkZWZpbmUgY3VzdG9tIG9wdGlvbnMgaW4gZXh0ZW5zaW9ucyBvZiB0aGlzIG1lc3NhZ2UuIFNlZSBhYm92ZS4KCgwKBAQLBQASBOwDDRgKDQoFBAsFAAESBOwDDREKDQoFBAsFAAISBOwDFRgKDAoCBAwSBu8DAMoEAQoLCgMEDAESBO8DCBQKowIKBAQMAgASBPQDAi4alAIgVGhlIGN0eXBlIG9wdGlvbiBpbnN0cnVjdHMgdGhlIEMrKyBjb2RlIGdlbmVyYXRvciB0byB1c2UgYSBkaWZmZXJlbnQKIHJlcHJlc2VudGF0aW9uIG9mIHRoZSBmaWVsZCB0aGFuIGl0IG5vcm1hbGx5IHdvdWxkLiAgU2VlIHRoZSBzcGVjaWZpYwogb3B0aW9ucyBiZWxvdy4gIFRoaXMgb3B0aW9uIGlzIG5vdCB5ZXQgaW1wbGVtZW50ZWQgaW4gdGhlIG9wZW4gc291cmNlCiByZWxlYXNlIC0tIHNvcnJ5LCB3ZSdsbCB0cnkgdG8gaW5jbHVkZSBpdCBpbiBhIGZ1dHVyZSB2ZXJzaW9uIQoKDQoFBAwCAAQSBPQDAgoKDQoFBAwCAAYSBPQDCxAKDQoFBAwCAAESBPQDERYKDQoFBAwCAAMSBPQDGRoKDQoFBAwCAAgSBPQDGy0KDQoFBAwCAAcSBPQDJiwKDgoEBAwEABIG9QMC/AMDCg0KBQQMBAABEgT1AwcMCh8KBgQMBAACABIE9wMEDxoPIERlZmF1bHQgbW9kZS4KCg8KBwQMBAACAAESBPcDBAoKDwoHBAwEAAIAAhIE9wMNDgoOCgYEDAQAAgESBPkDBA0KDwoHBAwEAAIBARIE+QMECAoPCgcEDAQAAgECEgT5AwsMCg4KBgQMBAACAhIE+wMEFQoPCgcEDAQAAgIBEgT7AwQQCg8KBwQMBAACAgISBPsDExQK2gIKBAQMAgESBIIEAhsaywIgVGhlIHBhY2tlZCBvcHRpb24gY2FuIGJlIGVuYWJsZWQgZm9yIHJlcGVhdGVkIHByaW1pdGl2ZSBmaWVsZHMgdG8gZW5hYmxlCiBhIG1vcmUgZWZmaWNpZW50IHJlcHJlc2VudGF0aW9uIG9uIHRoZSB3aXJlLiBSYXRoZXIgdGhhbiByZXBlYXRlZGx5CiB3cml0aW5nIHRoZSB0YWcgYW5kIHR5cGUgZm9yIGVhY2ggZWxlbWVudCwgdGhlIGVudGlyZSBhcnJheSBpcyBlbmNvZGVkIGFzCiBhIHNpbmdsZSBsZW5ndGgtZGVsaW1pdGVkIGJsb2IuIEluIHByb3RvMywgb25seSBleHBsaWNpdCBzZXR0aW5nIGl0IHRvCiBmYWxzZSB3aWxsIGF2b2lkIHVzaW5nIHBhY2tlZCBlbmNvZGluZy4KCg0KBQQMAgEEEgSCBAIKCg0KBQQMAgEFEgSCBAsPCg0KBQQMAgEBEgSCBBAWCg0KBQQMAgEDEgSCBBkaCpoFCgQEDAICEgSPBAIzGosFIFRoZSBqc3R5cGUgb3B0aW9uIGRldGVybWluZXMgdGhlIEphdmFTY3JpcHQgdHlwZSB1c2VkIGZvciB2YWx1ZXMgb2YgdGhlCiBmaWVsZC4gIFRoZSBvcHRpb24gaXMgcGVybW
l0dGVkIG9ubHkgZm9yIDY0IGJpdCBpbnRlZ3JhbCBhbmQgZml4ZWQgdHlwZXMKIChpbnQ2NCwgdWludDY0LCBzaW50NjQsIGZpeGVkNjQsIHNmaXhlZDY0KS4gIEEgZmllbGQgd2l0aCBqc3R5cGUgSlNfU1RSSU5HCiBpcyByZXByZXNlbnRlZCBhcyBKYXZhU2NyaXB0IHN0cmluZywgd2hpY2ggYXZvaWRzIGxvc3Mgb2YgcHJlY2lzaW9uIHRoYXQKIGNhbiBoYXBwZW4gd2hlbiBhIGxhcmdlIHZhbHVlIGlzIGNvbnZlcnRlZCB0byBhIGZsb2F0aW5nIHBvaW50IEphdmFTY3JpcHQuCiBTcGVjaWZ5aW5nIEpTX05VTUJFUiBmb3IgdGhlIGpzdHlwZSBjYXVzZXMgdGhlIGdlbmVyYXRlZCBKYXZhU2NyaXB0IGNvZGUgdG8KIHVzZSB0aGUgSmF2YVNjcmlwdCAibnVtYmVyIiB0eXBlLiAgVGhlIGJlaGF2aW9yIG9mIHRoZSBkZWZhdWx0IG9wdGlvbgogSlNfTk9STUFMIGlzIGltcGxlbWVudGF0aW9uIGRlcGVuZGVudC4KCiBUaGlzIG9wdGlvbiBpcyBhbiBlbnVtIHRvIHBlcm1pdCBhZGRpdGlvbmFsIHR5cGVzIHRvIGJlIGFkZGVkLCBlLmcuCiBnb29nLm1hdGguSW50ZWdlci4KCg0KBQQMAgIEEgSPBAIKCg0KBQQMAgIGEgSPBAsRCg0KBQQMAgIBEgSPBBIYCg0KBQQMAgIDEgSPBBscCg0KBQQMAgIIEgSPBB0yCg0KBQQMAgIHEgSPBCgxCg4KBAQMBAESBpAEApkEAwoNCgUEDAQBARIEkAQHDQonCgYEDAQBAgASBJIEBBIaFyBVc2UgdGhlIGRlZmF1bHQgdHlwZS4KCg8KBwQMBAECAAESBJIEBA0KDwoHBAwEAQIAAhIEkgQQEQopCgYEDAQBAgESBJUEBBIaGSBVc2UgSmF2YVNjcmlwdCBzdHJpbmdzLgoKDwoHBAwEAQIBARIElQQEDQoPCgcEDAQBAgECEgSVBBARCikKBgQMBAECAhIEmAQEEhoZIFVzZSBKYXZhU2NyaXB0IG51bWJlcnMuCgoPCgcEDAQBAgIBEgSYBAQNCg8KBwQMBAECAgISBJgEEBEK7wwKBAQMAgMSBLcEAika4AwgU2hvdWxkIHRoaXMgZmllbGQgYmUgcGFyc2VkIGxhemlseT8gIExhenkgYXBwbGllcyBvbmx5IHRvIG1lc3NhZ2UtdHlwZQogZmllbGRzLiAgSXQgbWVhbnMgdGhhdCB3aGVuIHRoZSBvdXRlciBtZXNzYWdlIGlzIGluaXRpYWxseSBwYXJzZWQsIHRoZQogaW5uZXIgbWVzc2FnZSdzIGNvbnRlbnRzIHdpbGwgbm90IGJlIHBhcnNlZCBidXQgaW5zdGVhZCBzdG9yZWQgaW4gZW5jb2RlZAogZm9ybS4gIFRoZSBpbm5lciBtZXNzYWdlIHdpbGwgYWN0dWFsbHkgYmUgcGFyc2VkIHdoZW4gaXQgaXMgZmlyc3QgYWNjZXNzZWQuCgogVGhpcyBpcyBvbmx5IGEgaGludC4gIEltcGxlbWVudGF0aW9ucyBhcmUgZnJlZSB0byBjaG9vc2Ugd2hldGhlciB0byB1c2UKIGVhZ2VyIG9yIGxhenkgcGFyc2luZyByZWdhcmRsZXNzIG9mIHRoZSB2YWx1ZSBvZiB0aGlzIG9wdGlvbi4gIEhvd2V2ZXIsCiBzZXR0aW5nIHRoaXMgb3B0aW9uIHRydWUgc3VnZ2VzdHMgdGhhdCB0aGUgcHJvdG9jb2wgYXV0aG9yIGJlbGlldmVzIHRoYXQKIHVzaW5nIGxhenkgcGFyc2luZyBvbiB0aGlzIGZpZWxkIGlzIHdvcnRoIHRoZSBhZGRpdGlvbmFsIGJvb2trZW
VwaW5nCiBvdmVyaGVhZCB0eXBpY2FsbHkgbmVlZGVkIHRvIGltcGxlbWVudCBpdC4KCiBUaGlzIG9wdGlvbiBkb2VzIG5vdCBhZmZlY3QgdGhlIHB1YmxpYyBpbnRlcmZhY2Ugb2YgYW55IGdlbmVyYXRlZCBjb2RlOwogYWxsIG1ldGhvZCBzaWduYXR1cmVzIHJlbWFpbiB0aGUgc2FtZS4gIEZ1cnRoZXJtb3JlLCB0aHJlYWQtc2FmZXR5IG9mIHRoZQogaW50ZXJmYWNlIGlzIG5vdCBhZmZlY3RlZCBieSB0aGlzIG9wdGlvbjsgY29uc3QgbWV0aG9kcyByZW1haW4gc2FmZSB0bwogY2FsbCBmcm9tIG11bHRpcGxlIHRocmVhZHMgY29uY3VycmVudGx5LCB3aGlsZSBub24tY29uc3QgbWV0aG9kcyBjb250aW51ZQogdG8gcmVxdWlyZSBleGNsdXNpdmUgYWNjZXNzLgoKCiBOb3RlIHRoYXQgaW1wbGVtZW50YXRpb25zIG1heSBjaG9vc2Ugbm90IHRvIGNoZWNrIHJlcXVpcmVkIGZpZWxkcyB3aXRoaW4KIGEgbGF6eSBzdWItbWVzc2FnZS4gIFRoYXQgaXMsIGNhbGxpbmcgSXNJbml0aWFsaXplZCgpIG9uIHRoZSBvdXRlciBtZXNzYWdlCiBtYXkgcmV0dXJuIHRydWUgZXZlbiBpZiB0aGUgaW5uZXIgbWVzc2FnZSBoYXMgbWlzc2luZyByZXF1aXJlZCBmaWVsZHMuCiBUaGlzIGlzIG5lY2Vzc2FyeSBiZWNhdXNlIG90aGVyd2lzZSB0aGUgaW5uZXIgbWVzc2FnZSB3b3VsZCBoYXZlIHRvIGJlCiBwYXJzZWQgaW4gb3JkZXIgdG8gcGVyZm9ybSB0aGUgY2hlY2ssIGRlZmVhdGluZyB0aGUgcHVycG9zZSBvZiBsYXp5CiBwYXJzaW5nLiAgQW4gaW1wbGVtZW50YXRpb24gd2hpY2ggY2hvb3NlcyBub3QgdG8gY2hlY2sgcmVxdWlyZWQgZmllbGRzCiBtdXN0IGJlIGNvbnNpc3RlbnQgYWJvdXQgaXQuICBUaGF0IGlzLCBmb3IgYW55IHBhcnRpY3VsYXIgc3ViLW1lc3NhZ2UsIHRoZQogaW1wbGVtZW50YXRpb24gbXVzdCBlaXRoZXIgKmFsd2F5cyogY2hlY2sgaXRzIHJlcXVpcmVkIGZpZWxkcywgb3IgKm5ldmVyKgogY2hlY2sgaXRzIHJlcXVpcmVkIGZpZWxkcywgcmVnYXJkbGVzcyBvZiB3aGV0aGVyIG9yIG5vdCB0aGUgbWVzc2FnZSBoYXMKIGJlZW4gcGFyc2VkLgoKDQoFBAwCAwQSBLcEAgoKDQoFBAwCAwUSBLcECw8KDQoFBAwCAwESBLcEEBQKDQoFBAwCAwMSBLcEFxgKDQoFBAwCAwgSBLcEGSgKDQoFBAwCAwcSBLcEIicK6AEKBAQMAgQSBL0EAi8a2QEgSXMgdGhpcyBmaWVsZCBkZXByZWNhdGVkPwogRGVwZW5kaW5nIG9uIHRoZSB0YXJnZXQgcGxhdGZvcm0sIHRoaXMgY2FuIGVtaXQgRGVwcmVjYXRlZCBhbm5vdGF0aW9ucwogZm9yIGFjY2Vzc29ycywgb3IgaXQgd2lsbCBiZSBjb21wbGV0ZWx5IGlnbm9yZWQ7IGluIHRoZSB2ZXJ5IGxlYXN0LCB0aGlzCiBpcyBhIGZvcm1hbGl6YXRpb24gZm9yIGRlcHJlY2F0aW5nIGZpZWxkcy4KCg0KBQQMAgQEEgS9BAIKCg0KBQQMAgQFEgS9BAsPCg0KBQQMAgQBEgS9BBAaCg0KBQQMAgQDEgS9BB0eCg0KBQQMAgQIEgS9BB8uCg0KBQQMAgQHEgS9BCgtCj8KBAQMAgUSBMAEAioaMSBGb3IgR29vZ2xlLWludGVybm
FsIG1pZ3JhdGlvbiBvbmx5LiBEbyBub3QgdXNlLgoKDQoFBAwCBQQSBMAEAgoKDQoFBAwCBQUSBMAECw8KDQoFBAwCBQESBMAEEBQKDQoFBAwCBQMSBMAEFxkKDQoFBAwCBQgSBMAEGikKDQoFBAwCBQcSBMAEIygKTwoEBAwCBhIExAQCOhpBIFRoZSBwYXJzZXIgc3RvcmVzIG9wdGlvbnMgaXQgZG9lc24ndCByZWNvZ25pemUgaGVyZS4gU2VlIGFib3ZlLgoKDQoFBAwCBgQSBMQEAgoKDQoFBAwCBgYSBMQECx4KDQoFBAwCBgESBMQEHzMKDQoFBAwCBgMSBMQENjkKWgoDBAwFEgTHBAIZGk0gQ2xpZW50cyBjYW4gZGVmaW5lIGN1c3RvbSBvcHRpb25zIGluIGV4dGVuc2lvbnMgb2YgdGhpcyBtZXNzYWdlLiBTZWUgYWJvdmUuCgoMCgQEDAUAEgTHBA0YCg0KBQQMBQABEgTHBA0RCg0KBQQMBQACEgTHBBUYChwKAwQMCRIEyQQLDSIPIHJlbW92ZWQganR5cGUKCgwKBAQMCQASBMkECwwKDQoFBAwJAAESBMkECwwKDQoFBAwJAAISBMkECwwKDAoCBA0SBswEANIEAQoLCgMEDQESBMwECBQKTwoEBA0CABIEzgQCOhpBIFRoZSBwYXJzZXIgc3RvcmVzIG9wdGlvbnMgaXQgZG9lc24ndCByZWNvZ25pemUgaGVyZS4gU2VlIGFib3ZlLgoKDQoFBA0CAAQSBM4EAgoKDQoFBA0CAAYSBM4ECx4KDQoFBA0CAAESBM4EHzMKDQoFBA0CAAMSBM4ENjkKWgoDBA0FEgTRBAIZGk0gQ2xpZW50cyBjYW4gZGVmaW5lIGN1c3RvbSBvcHRpb25zIGluIGV4dGVuc2lvbnMgb2YgdGhpcyBtZXNzYWdlLiBTZWUgYWJvdmUuCgoMCgQEDQUAEgTRBA0YCg0KBQQNBQABEgTRBA0RCg0KBQQNBQACEgTRBBUYCgwKAgQOEgbUBADnBAEKCwoDBA4BEgTUBAgTCmAKBAQOAgASBNgEAiAaUiBTZXQgdGhpcyBvcHRpb24gdG8gdHJ1ZSB0byBhbGxvdyBtYXBwaW5nIGRpZmZlcmVudCB0YWcgbmFtZXMgdG8gdGhlIHNhbWUKIHZhbHVlLgoKDQoFBA4CAAQSBNgEAgoKDQoFBA4CAAUSBNgECw8KDQoFBA4CAAESBNgEEBsKDQoFBA4CAAMSBNgEHh8K5QEKBAQOAgESBN4EAi8a1gEgSXMgdGhpcyBlbnVtIGRlcHJlY2F0ZWQ/CiBEZXBlbmRpbmcgb24gdGhlIHRhcmdldCBwbGF0Zm9ybSwgdGhpcyBjYW4gZW1pdCBEZXByZWNhdGVkIGFubm90YXRpb25zCiBmb3IgdGhlIGVudW0sIG9yIGl0IHdpbGwgYmUgY29tcGxldGVseSBpZ25vcmVkOyBpbiB0aGUgdmVyeSBsZWFzdCwgdGhpcwogaXMgYSBmb3JtYWxpemF0aW9uIGZvciBkZXByZWNhdGluZyBlbnVtcy4KCg0KBQQOAgEEEgTeBAIKCg0KBQQOAgEFEgTeBAsPCg0KBQQOAgEBEgTeBBAaCg0KBQQOAgEDEgTeBB0eCg0KBQQOAgEIEgTeBB8uCg0KBQQOAgEHEgTeBCgtCh8KAwQOCRIE4AQLDSISIGphdmFuYW5vX2FzX2xpdGUKCgwKBAQOCQASBOAECwwKDQoFBA4JAAESBOAECwwKDQoFBA4JAAISBOAECwwKTwoEBA4CAhIE4wQCOhpBIFRoZSBwYXJzZXIgc3RvcmVzIG9wdGlvbnMgaXQgZG9lc24ndCByZWNvZ25pemUgaGVyZS4gU2VlIGFib3ZlLgoKDQoFBA4CAgQSBOMEAgoKDQoFBA4CAgYSBOMECx4KDQoFBA4CAgESBOMEHzMKDQoFBA4CAgMSBOMENj
kKWgoDBA4FEgTmBAIZGk0gQ2xpZW50cyBjYW4gZGVmaW5lIGN1c3RvbSBvcHRpb25zIGluIGV4dGVuc2lvbnMgb2YgdGhpcyBtZXNzYWdlLiBTZWUgYWJvdmUuCgoMCgQEDgUAEgTmBA0YCg0KBQQOBQABEgTmBA0RCg0KBQQOBQACEgTmBBUYCgwKAgQPEgbpBAD1BAEKCwoDBA8BEgTpBAgYCvcBCgQEDwIAEgTuBAIvGugBIElzIHRoaXMgZW51bSB2YWx1ZSBkZXByZWNhdGVkPwogRGVwZW5kaW5nIG9uIHRoZSB0YXJnZXQgcGxhdGZvcm0sIHRoaXMgY2FuIGVtaXQgRGVwcmVjYXRlZCBhbm5vdGF0aW9ucwogZm9yIHRoZSBlbnVtIHZhbHVlLCBvciBpdCB3aWxsIGJlIGNvbXBsZXRlbHkgaWdub3JlZDsgaW4gdGhlIHZlcnkgbGVhc3QsCiB0aGlzIGlzIGEgZm9ybWFsaXphdGlvbiBmb3IgZGVwcmVjYXRpbmcgZW51bSB2YWx1ZXMuCgoNCgUEDwIABBIE7gQCCgoNCgUEDwIABRIE7gQLDwoNCgUEDwIAARIE7gQQGgoNCgUEDwIAAxIE7gQdHgoNCgUEDwIACBIE7gQfLgoNCgUEDwIABxIE7gQoLQpPCgQEDwIBEgTxBAI6GkEgVGhlIHBhcnNlciBzdG9yZXMgb3B0aW9ucyBpdCBkb2Vzbid0IHJlY29nbml6ZSBoZXJlLiBTZWUgYWJvdmUuCgoNCgUEDwIBBBIE8QQCCgoNCgUEDwIBBhIE8QQLHgoNCgUEDwIBARIE8QQfMwoNCgUEDwIBAxIE8QQ2OQpaCgMEDwUSBPQEAhkaTSBDbGllbnRzIGNhbiBkZWZpbmUgY3VzdG9tIG9wdGlvbnMgaW4gZXh0ZW5zaW9ucyBvZiB0aGlzIG1lc3NhZ2UuIFNlZSBhYm92ZS4KCgwKBAQPBQASBPQEDRgKDQoFBA8FAAESBPQEDREKDQoFBA8FAAISBPQEFRgKDAoCBBASBvcEAIkFAQoLCgMEEAESBPcECBYK2QMKBAQQAgASBIIFAjAa3wEgSXMgdGhpcyBzZXJ2aWNlIGRlcHJlY2F0ZWQ/CiBEZXBlbmRpbmcgb24gdGhlIHRhcmdldCBwbGF0Zm9ybSwgdGhpcyBjYW4gZW1pdCBEZXByZWNhdGVkIGFubm90YXRpb25zCiBmb3IgdGhlIHNlcnZpY2UsIG9yIGl0IHdpbGwgYmUgY29tcGxldGVseSBpZ25vcmVkOyBpbiB0aGUgdmVyeSBsZWFzdCwKIHRoaXMgaXMgYSBmb3JtYWxpemF0aW9uIGZvciBkZXByZWNhdGluZyBzZXJ2aWNlcy4KMugBIE5vdGU6ICBGaWVsZCBudW1iZXJzIDEgdGhyb3VnaCAzMiBhcmUgcmVzZXJ2ZWQgZm9yIEdvb2dsZSdzIGludGVybmFsIFJQQwogICBmcmFtZXdvcmsuICBXZSBhcG9sb2dpemUgZm9yIGhvYXJkaW5nIHRoZXNlIG51bWJlcnMgdG8gb3Vyc2VsdmVzLCBidXQKICAgd2Ugd2VyZSBhbHJlYWR5IHVzaW5nIHRoZW0gbG9uZyBiZWZvcmUgd2UgZGVjaWRlZCB0byByZWxlYXNlIFByb3RvY29sCiAgIEJ1ZmZlcnMuCgoNCgUEEAIABBIEggUCCgoNCgUEEAIABRIEggULDwoNCgUEEAIAARIEggUQGgoNCgUEEAIAAxIEggUdHwoNCgUEEAIACBIEggUgLwoNCgUEEAIABxIEggUpLgpPCgQEEAIBEgSFBQI6GkEgVGhlIHBhcnNlciBzdG9yZXMgb3B0aW9ucyBpdCBkb2Vzbid0IHJlY29nbml6ZSBoZXJlLiBTZWUgYWJvdmUuCgoNCgUEEAIBBBIEhQUCCgoNCgUEEAIBBhIEhQULHgoNCgUEEAIBARIEhQUfMw
oNCgUEEAIBAxIEhQU2OQpaCgMEEAUSBIgFAhkaTSBDbGllbnRzIGNhbiBkZWZpbmUgY3VzdG9tIG9wdGlvbnMgaW4gZXh0ZW5zaW9ucyBvZiB0aGlzIG1lc3NhZ2UuIFNlZSBhYm92ZS4KCgwKBAQQBQASBIgFDRgKDQoFBBAFAAESBIgFDREKDQoFBBAFAAISBIgFFRgKDAoCBBESBosFAKgFAQoLCgMEEQESBIsFCBUK1gMKBAQRAgASBJYFAjAa3AEgSXMgdGhpcyBtZXRob2QgZGVwcmVjYXRlZD8KIERlcGVuZGluZyBvbiB0aGUgdGFyZ2V0IHBsYXRmb3JtLCB0aGlzIGNhbiBlbWl0IERlcHJlY2F0ZWQgYW5ub3RhdGlvbnMKIGZvciB0aGUgbWV0aG9kLCBvciBpdCB3aWxsIGJlIGNvbXBsZXRlbHkgaWdub3JlZDsgaW4gdGhlIHZlcnkgbGVhc3QsCiB0aGlzIGlzIGEgZm9ybWFsaXphdGlvbiBmb3IgZGVwcmVjYXRpbmcgbWV0aG9kcy4KMugBIE5vdGU6ICBGaWVsZCBudW1iZXJzIDEgdGhyb3VnaCAzMiBhcmUgcmVzZXJ2ZWQgZm9yIEdvb2dsZSdzIGludGVybmFsIFJQQwogICBmcmFtZXdvcmsuICBXZSBhcG9sb2dpemUgZm9yIGhvYXJkaW5nIHRoZXNlIG51bWJlcnMgdG8gb3Vyc2VsdmVzLCBidXQKICAgd2Ugd2VyZSBhbHJlYWR5IHVzaW5nIHRoZW0gbG9uZyBiZWZvcmUgd2UgZGVjaWRlZCB0byByZWxlYXNlIFByb3RvY29sCiAgIEJ1ZmZlcnMuCgoNCgUEEQIABBIElgUCCgoNCgUEEQIABRIElgULDwoNCgUEEQIAARIElgUQGgoNCgUEEQIAAxIElgUdHwoNCgUEEQIACBIElgUgLwoNCgUEEQIABxIElgUpLgrwAQoEBBEEABIGmwUCnwUDGt8BIElzIHRoaXMgbWV0aG9kIHNpZGUtZWZmZWN0LWZyZWUgKG9yIHNhZmUgaW4gSFRUUCBwYXJsYW5jZSksIG9yIGlkZW1wb3RlbnQsCiBvciBuZWl0aGVyPyBIVFRQIGJhc2VkIFJQQyBpbXBsZW1lbnRhdGlvbiBtYXkgY2hvb3NlIEdFVCB2ZXJiIGZvciBzYWZlCiBtZXRob2RzLCBhbmQgUFVUIHZlcmIgZm9yIGlkZW1wb3RlbnQgbWV0aG9kcyBpbnN0ZWFkIG9mIHRoZSBkZWZhdWx0IFBPU1QuCgoNCgUEEQQAARIEmwUHFwoOCgYEEQQAAgASBJwFBBwKDwoHBBEEAAIAARIEnAUEFwoPCgcEEQQAAgACEgScBRobCiQKBgQRBAACARIEnQUEHCIUIGltcGxpZXMgaWRlbXBvdGVudAoKDwoHBBEEAAIBARIEnQUEEwoPCgcEEQQAAgECEgSdBRobCjcKBgQRBAACAhIEngUEHCInIGlkZW1wb3RlbnQsIGJ1dCBtYXkgaGF2ZSBzaWRlIGVmZmVjdHMKCg8KBwQRBAACAgESBJ4FBA4KDwoHBBEEAAICAhIEngUaGwoOCgQEEQIBEgagBQKhBScKDQoFBBECAQQSBKAFAgoKDQoFBBECAQYSBKAFCxsKDQoFBBECAQESBKAFHC0KDQoFBBECAQMSBKEFBggKDQoFBBECAQgSBKEFCSYKDQoFBBECAQcSBKEFEiUKTwoEBBECAhIEpAUCOhpBIFRoZSBwYXJzZXIgc3RvcmVzIG9wdGlvbnMgaXQgZG9lc24ndCByZWNvZ25pemUgaGVyZS4gU2VlIGFib3ZlLgoKDQoFBBECAgQSBKQFAgoKDQoFBBECAgYSBKQFCx4KDQoFBBECAgESBKQFHzMKDQoFBBECAgMSBKQFNjkKWgoDBBEFEgSnBQIZGk0gQ2xpZW50cyBjYW4gZGVmaW5lIGN1c3RvbS
BvcHRpb25zIGluIGV4dGVuc2lvbnMgb2YgdGhpcyBtZXNzYWdlLiBTZWUgYWJvdmUuCgoMCgQEEQUAEgSnBQ0YCg0KBQQRBQABEgSnBQ0RCg0KBQQRBQACEgSnBRUYCosDCgIEEhIGsQUAxQUBGvwCIEEgbWVzc2FnZSByZXByZXNlbnRpbmcgYSBvcHRpb24gdGhlIHBhcnNlciBkb2VzIG5vdCByZWNvZ25pemUuIFRoaXMgb25seQogYXBwZWFycyBpbiBvcHRpb25zIHByb3RvcyBjcmVhdGVkIGJ5IHRoZSBjb21waWxlcjo6UGFyc2VyIGNsYXNzLgogRGVzY3JpcHRvclBvb2wgcmVzb2x2ZXMgdGhlc2Ugd2hlbiBidWlsZGluZyBEZXNjcmlwdG9yIG9iamVjdHMuIFRoZXJlZm9yZSwKIG9wdGlvbnMgcHJvdG9zIGluIGRlc2NyaXB0b3Igb2JqZWN0cyAoZS5nLiByZXR1cm5lZCBieSBEZXNjcmlwdG9yOjpvcHRpb25zKCksCiBvciBwcm9kdWNlZCBieSBEZXNjcmlwdG9yOjpDb3B5VG8oKSkgd2lsbCBuZXZlciBoYXZlIFVuaW50ZXJwcmV0ZWRPcHRpb25zCiBpbiB0aGVtLgoKCwoDBBIBEgSxBQgbCssCCgQEEgMAEga3BQK6BQMaugIgVGhlIG5hbWUgb2YgdGhlIHVuaW50ZXJwcmV0ZWQgb3B0aW9uLiAgRWFjaCBzdHJpbmcgcmVwcmVzZW50cyBhIHNlZ21lbnQgaW4KIGEgZG90LXNlcGFyYXRlZCBuYW1lLiAgaXNfZXh0ZW5zaW9uIGlzIHRydWUgaWZmIGEgc2VnbWVudCByZXByZXNlbnRzIGFuCiBleHRlbnNpb24gKGRlbm90ZWQgd2l0aCBwYXJlbnRoZXNlcyBpbiBvcHRpb25zIHNwZWNzIGluIC5wcm90byBmaWxlcykuCiBFLmcuLHsgWyJmb28iLCBmYWxzZV0sIFsiYmFyLmJheiIsIHRydWVdLCBbInF1eCIsIGZhbHNlXSB9IHJlcHJlc2VudHMKICJmb28uKGJhci5iYXopLnF1eCIuCgoNCgUEEgMAARIEtwUKEgoOCgYEEgMAAgASBLgFBCIKDwoHBBIDAAIABBIEuAUEDAoPCgcEEgMAAgAFEgS4BQ0TCg8KBwQSAwACAAESBLgFFB0KDwoHBBIDAAIAAxIEuAUgIQoOCgYEEgMAAgESBLkFBCMKDwoHBBIDAAIBBBIEuQUEDAoPCgcEEgMAAgEFEgS5BQ0RCg8KBwQSAwACAQESBLkFEh4KDwoHBBIDAAIBAxIEuQUhIgoMCgQEEgIAEgS7BQIdCg0KBQQSAgAEEgS7BQIKCg0KBQQSAgAGEgS7BQsTCg0KBQQSAgABEgS7BRQYCg0KBQQSAgADEgS7BRscCpwBCgQEEgIBEgS/BQInGo0BIFRoZSB2YWx1ZSBvZiB0aGUgdW5pbnRlcnByZXRlZCBvcHRpb24sIGluIHdoYXRldmVyIHR5cGUgdGhlIHRva2VuaXplcgogaWRlbnRpZmllZCBpdCBhcyBkdXJpbmcgcGFyc2luZy4gRXhhY3RseSBvbmUgb2YgdGhlc2Ugc2hvdWxkIGJlIHNldC4KCg0KBQQSAgEEEgS/BQIKCg0KBQQSAgEFEgS/BQsRCg0KBQQSAgEBEgS/BRIiCg0KBQQSAgEDEgS/BSUmCgwKBAQSAgISBMAFAikKDQoFBBICAgQSBMAFAgoKDQoFBBICAgUSBMAFCxEKDQoFBBICAgESBMAFEiQKDQoFBBICAgMSBMAFJygKDAoEBBICAxIEwQUCKAoNCgUEEgIDBBIEwQUCCgoNCgUEEgIDBRIEwQULEAoNCgUEEgIDARIEwQURIwoNCgUEEgIDAxIEwQUmJwoMCgQEEgIEEgTCBQIjCg0KBQQSAgQEEgTCBQIKCg0KBQQSAg
QFEgTCBQsRCg0KBQQSAgQBEgTCBRIeCg0KBQQSAgQDEgTCBSEiCgwKBAQSAgUSBMMFAiIKDQoFBBICBQQSBMMFAgoKDQoFBBICBQUSBMMFCxAKDQoFBBICBQESBMMFER0KDQoFBBICBQMSBMMFICEKDAoEBBICBhIExAUCJgoNCgUEEgIGBBIExAUCCgoNCgUEEgIGBRIExAULEQoNCgUEEgIGARIExAUSIQoNCgUEEgIGAxIExAUkJQraAQoCBBMSBswFAM0GARpqIEVuY2Fwc3VsYXRlcyBpbmZvcm1hdGlvbiBhYm91dCB0aGUgb3JpZ2luYWwgc291cmNlIGZpbGUgZnJvbSB3aGljaCBhCiBGaWxlRGVzY3JpcHRvclByb3RvIHdhcyBnZW5lcmF0ZWQuCjJgID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KIE9wdGlvbmFsIHNvdXJjZSBjb2RlIGluZm8KCgsKAwQTARIEzAUIFgqCEQoEBBMCABIE+AUCIRrzECBBIExvY2F0aW9uIGlkZW50aWZpZXMgYSBwaWVjZSBvZiBzb3VyY2UgY29kZSBpbiBhIC5wcm90byBmaWxlIHdoaWNoCiBjb3JyZXNwb25kcyB0byBhIHBhcnRpY3VsYXIgZGVmaW5pdGlvbi4gIFRoaXMgaW5mb3JtYXRpb24gaXMgaW50ZW5kZWQKIHRvIGJlIHVzZWZ1bCB0byBJREVzLCBjb2RlIGluZGV4ZXJzLCBkb2N1bWVudGF0aW9uIGdlbmVyYXRvcnMsIGFuZCBzaW1pbGFyCiB0b29scy4KCiBGb3IgZXhhbXBsZSwgc2F5IHdlIGhhdmUgYSBmaWxlIGxpa2U6CiAgIG1lc3NhZ2UgRm9vIHsKICAgICBvcHRpb25hbCBzdHJpbmcgZm9vID0gMTsKICAgfQogTGV0J3MgbG9vayBhdCBqdXN0IHRoZSBmaWVsZCBkZWZpbml0aW9uOgogICBvcHRpb25hbCBzdHJpbmcgZm9vID0gMTsKICAgXiAgICAgICBeXiAgICAgXl4gIF4gIF5eXgogICBhICAgICAgIGJjICAgICBkZSAgZiAgZ2hpCiBXZSBoYXZlIHRoZSBmb2xsb3dpbmcgbG9jYXRpb25zOgogICBzcGFuICAgcGF0aCAgICAgICAgICAgICAgIHJlcHJlc2VudHMKICAgW2EsaSkgIFsgNCwgMCwgMiwgMCBdICAgICBUaGUgd2hvbGUgZmllbGQgZGVmaW5pdGlvbi4KICAgW2EsYikgIFsgNCwgMCwgMiwgMCwgNCBdICBUaGUgbGFiZWwgKG9wdGlvbmFsKS4KICAgW2MsZCkgIFsgNCwgMCwgMiwgMCwgNSBdICBUaGUgdHlwZSAoc3RyaW5nKS4KICAgW2UsZikgIFsgNCwgMCwgMiwgMCwgMSBdICBUaGUgbmFtZSAoZm9vKS4KICAgW2csaCkgIFsgNCwgMCwgMiwgMCwgMyBdICBUaGUgbnVtYmVyICgxKS4KCiBOb3RlczoKIC0gQSBsb2NhdGlvbiBtYXkgcmVmZXIgdG8gYSByZXBlYXRlZCBmaWVsZCBpdHNlbGYgKGkuZS4gbm90IHRvIGFueQogICBwYXJ0aWN1bGFyIGluZGV4IHdpdGhpbiBpdCkuICBUaGlzIGlzIHVzZWQgd2hlbmV2ZXIgYSBzZXQgb2YgZWxlbWVudHMgYXJlCiAgIGxvZ2ljYWxseSBlbmNsb3NlZCBpbiBhIHNpbmdsZSBjb2RlIHNlZ21lbnQuICBGb3IgZXhhbXBsZSwgYW4gZW50aXJlCiAgIGV4dGVuZCBibG9jayAocG9zc2libHkgY29udGFpbmluZyBtdWx0aXBsZSBleHRlbnNpb24gZGVmaW5pdGlvbnMpIHdpbG
wKICAgaGF2ZSBhbiBvdXRlciBsb2NhdGlvbiB3aG9zZSBwYXRoIHJlZmVycyB0byB0aGUgImV4dGVuc2lvbnMiIHJlcGVhdGVkCiAgIGZpZWxkIHdpdGhvdXQgYW4gaW5kZXguCiAtIE11bHRpcGxlIGxvY2F0aW9ucyBtYXkgaGF2ZSB0aGUgc2FtZSBwYXRoLiAgVGhpcyBoYXBwZW5zIHdoZW4gYSBzaW5nbGUKICAgbG9naWNhbCBkZWNsYXJhdGlvbiBpcyBzcHJlYWQgb3V0IGFjcm9zcyBtdWx0aXBsZSBwbGFjZXMuICBUaGUgbW9zdAogICBvYnZpb3VzIGV4YW1wbGUgaXMgdGhlICJleHRlbmQiIGJsb2NrIGFnYWluIC0tIHRoZXJlIG1heSBiZSBtdWx0aXBsZQogICBleHRlbmQgYmxvY2tzIGluIHRoZSBzYW1lIHNjb3BlLCBlYWNoIG9mIHdoaWNoIHdpbGwgaGF2ZSB0aGUgc2FtZSBwYXRoLgogLSBBIGxvY2F0aW9uJ3Mgc3BhbiBpcyBub3QgYWx3YXlzIGEgc3Vic2V0IG9mIGl0cyBwYXJlbnQncyBzcGFuLiAgRm9yCiAgIGV4YW1wbGUsIHRoZSAiZXh0ZW5kZWUiIG9mIGFuIGV4dGVuc2lvbiBkZWNsYXJhdGlvbiBhcHBlYXJzIGF0IHRoZQogICBiZWdpbm5pbmcgb2YgdGhlICJleHRlbmQiIGJsb2NrIGFuZCBpcyBzaGFyZWQgYnkgYWxsIGV4dGVuc2lvbnMgd2l0aGluCiAgIHRoZSBibG9jay4KIC0gSnVzdCBiZWNhdXNlIGEgbG9jYXRpb24ncyBzcGFuIGlzIGEgc3Vic2V0IG9mIHNvbWUgb3RoZXIgbG9jYXRpb24ncyBzcGFuCiAgIGRvZXMgbm90IG1lYW4gdGhhdCBpdCBpcyBhIGRlc2NlbmRlbnQuICBGb3IgZXhhbXBsZSwgYSAiZ3JvdXAiIGRlZmluZXMKICAgYm90aCBhIHR5cGUgYW5kIGEgZmllbGQgaW4gYSBzaW5nbGUgZGVjbGFyYXRpb24uICBUaHVzLCB0aGUgbG9jYXRpb25zCiAgIGNvcnJlc3BvbmRpbmcgdG8gdGhlIHR5cGUgYW5kIGZpZWxkIGFuZCB0aGVpciBjb21wb25lbnRzIHdpbGwgb3ZlcmxhcC4KIC0gQ29kZSB3aGljaCB0cmllcyB0byBpbnRlcnByZXQgbG9jYXRpb25zIHNob3VsZCBwcm9iYWJseSBiZSBkZXNpZ25lZCB0bwogICBpZ25vcmUgdGhvc2UgdGhhdCBpdCBkb2Vzbid0IHVuZGVyc3RhbmQsIGFzIG1vcmUgdHlwZXMgb2YgbG9jYXRpb25zIGNvdWxkCiAgIGJlIHJlY29yZGVkIGluIHRoZSBmdXR1cmUuCgoNCgUEEwIABBIE+AUCCgoNCgUEEwIABhIE+AULEwoNCgUEEwIAARIE+AUUHAoNCgUEEwIAAxIE+AUfIAoOCgQEEwMAEgb5BQLMBgMKDQoFBBMDAAESBPkFChIKgwcKBgQTAwACABIEkQYEKhryBiBJZGVudGlmaWVzIHdoaWNoIHBhcnQgb2YgdGhlIEZpbGVEZXNjcmlwdG9yUHJvdG8gd2FzIGRlZmluZWQgYXQgdGhpcwogbG9jYXRpb24uCgogRWFjaCBlbGVtZW50IGlzIGEgZmllbGQgbnVtYmVyIG9yIGFuIGluZGV4LiAgVGhleSBmb3JtIGEgcGF0aCBmcm9tCiB0aGUgcm9vdCBGaWxlRGVzY3JpcHRvclByb3RvIHRvIHRoZSBwbGFjZSB3aGVyZSB0aGUgZGVmaW5pdGlvbi4gIEZvcgogZXhhbXBsZSwgdGhpcyBwYXRoOgogICBbIDQsIDMsIDIsIDcsIDEgXQogcmVmZXJzIHRvOgogICBmaWxlLm1lc3NhZ2
VfdHlwZSgzKSAgLy8gNCwgMwogICAgICAgLmZpZWxkKDcpICAgICAgICAgLy8gMiwgNwogICAgICAgLm5hbWUoKSAgICAgICAgICAgLy8gMQogVGhpcyBpcyBiZWNhdXNlIEZpbGVEZXNjcmlwdG9yUHJvdG8ubWVzc2FnZV90eXBlIGhhcyBmaWVsZCBudW1iZXIgNDoKICAgcmVwZWF0ZWQgRGVzY3JpcHRvclByb3RvIG1lc3NhZ2VfdHlwZSA9IDQ7CiBhbmQgRGVzY3JpcHRvclByb3RvLmZpZWxkIGhhcyBmaWVsZCBudW1iZXIgMjoKICAgcmVwZWF0ZWQgRmllbGREZXNjcmlwdG9yUHJvdG8gZmllbGQgPSAyOwogYW5kIEZpZWxkRGVzY3JpcHRvclByb3RvLm5hbWUgaGFzIGZpZWxkIG51bWJlciAxOgogICBvcHRpb25hbCBzdHJpbmcgbmFtZSA9IDE7CgogVGh1cywgdGhlIGFib3ZlIHBhdGggZ2l2ZXMgdGhlIGxvY2F0aW9uIG9mIGEgZmllbGQgbmFtZS4gIElmIHdlIHJlbW92ZWQKIHRoZSBsYXN0IGVsZW1lbnQ6CiAgIFsgNCwgMywgMiwgNyBdCiB0aGlzIHBhdGggcmVmZXJzIHRvIHRoZSB3aG9sZSBmaWVsZCBkZWNsYXJhdGlvbiAoZnJvbSB0aGUgYmVnaW5uaW5nCiBvZiB0aGUgbGFiZWwgdG8gdGhlIHRlcm1pbmF0aW5nIHNlbWljb2xvbikuCgoPCgcEEwMAAgAEEgSRBgQMCg8KBwQTAwACAAUSBJEGDRIKDwoHBBMDAAIAARIEkQYTFwoPCgcEEwMAAgADEgSRBhobCg8KBwQTAwACAAgSBJEGHCkKEgoKBBMDAAIACOcHABIEkQYdKAoTCgsEEwMAAgAI5wcAAhIEkQYdIwoUCgwEEwMAAgAI5wcAAgASBJEGHSMKFQoNBBMDAAIACOcHAAIAARIEkQYdIwoTCgsEEwMAAgAI5wcAAxIEkQYkKArSAgoGBBMDAAIBEgSYBgQqGsECIEFsd2F5cyBoYXMgZXhhY3RseSB0aHJlZSBvciBmb3VyIGVsZW1lbnRzOiBzdGFydCBsaW5lLCBzdGFydCBjb2x1bW4sCiBlbmQgbGluZSAob3B0aW9uYWwsIG90aGVyd2lzZSBhc3N1bWVkIHNhbWUgYXMgc3RhcnQgbGluZSksIGVuZCBjb2x1bW4uCiBUaGVzZSBhcmUgcGFja2VkIGludG8gYSBzaW5nbGUgZmllbGQgZm9yIGVmZmljaWVuY3kuICBOb3RlIHRoYXQgbGluZQogYW5kIGNvbHVtbiBudW1iZXJzIGFyZSB6ZXJvLWJhc2VkIC0tIHR5cGljYWxseSB5b3Ugd2lsbCB3YW50IHRvIGFkZAogMSB0byBlYWNoIGJlZm9yZSBkaXNwbGF5aW5nIHRvIGEgdXNlci4KCg8KBwQTAwACAQQSBJgGBAwKDwoHBBMDAAIBBRIEmAYNEgoPCgcEEwMAAgEBEgSYBhMXCg8KBwQTAwACAQMSBJgGGhsKDwoHBBMDAAIBCBIEmAYcKQoSCgoEEwMAAgEI5wcAEgSYBh0oChMKCwQTAwACAQjnBwACEgSYBh0jChQKDAQTAwACAQjnBwACABIEmAYdIwoVCg0EEwMAAgEI5wcAAgABEgSYBh0jChMKCwQTAwACAQjnBwADEgSYBiQoCqUMCgYEEwMAAgISBMkGBCkalAwgSWYgdGhpcyBTb3VyY2VDb2RlSW5mbyByZXByZXNlbnRzIGEgY29tcGxldGUgZGVjbGFyYXRpb24sIHRoZXNlIGFyZSBhbnkKIGNvbW1lbnRzIGFwcGVhcmluZyBiZWZvcmUgYW5kIGFmdGVyIHRoZSBkZWNsYXJhdGlvbiB3aGljaCBhcHBlYXIgdG8gYmUKIGF0dGFjaGVkIHRvIHRoZS
BkZWNsYXJhdGlvbi4KCiBBIHNlcmllcyBvZiBsaW5lIGNvbW1lbnRzIGFwcGVhcmluZyBvbiBjb25zZWN1dGl2ZSBsaW5lcywgd2l0aCBubyBvdGhlcgogdG9rZW5zIGFwcGVhcmluZyBvbiB0aG9zZSBsaW5lcywgd2lsbCBiZSB0cmVhdGVkIGFzIGEgc2luZ2xlIGNvbW1lbnQuCgogbGVhZGluZ19kZXRhY2hlZF9jb21tZW50cyB3aWxsIGtlZXAgcGFyYWdyYXBocyBvZiBjb21tZW50cyB0aGF0IGFwcGVhcgogYmVmb3JlIChidXQgbm90IGNvbm5lY3RlZCB0bykgdGhlIGN1cnJlbnQgZWxlbWVudC4gRWFjaCBwYXJhZ3JhcGgsCiBzZXBhcmF0ZWQgYnkgZW1wdHkgbGluZXMsIHdpbGwgYmUgb25lIGNvbW1lbnQgZWxlbWVudCBpbiB0aGUgcmVwZWF0ZWQKIGZpZWxkLgoKIE9ubHkgdGhlIGNvbW1lbnQgY29udGVudCBpcyBwcm92aWRlZDsgY29tbWVudCBtYXJrZXJzIChlLmcuIC8vKSBhcmUKIHN0cmlwcGVkIG91dC4gIEZvciBibG9jayBjb21tZW50cywgbGVhZGluZyB3aGl0ZXNwYWNlIGFuZCBhbiBhc3Rlcmlzawogd2lsbCBiZSBzdHJpcHBlZCBmcm9tIHRoZSBiZWdpbm5pbmcgb2YgZWFjaCBsaW5lIG90aGVyIHRoYW4gdGhlIGZpcnN0LgogTmV3bGluZXMgYXJlIGluY2x1ZGVkIGluIHRoZSBvdXRwdXQuCgogRXhhbXBsZXM6CgogICBvcHRpb25hbCBpbnQzMiBmb28gPSAxOyAgLy8gQ29tbWVudCBhdHRhY2hlZCB0byBmb28uCiAgIC8vIENvbW1lbnQgYXR0YWNoZWQgdG8gYmFyLgogICBvcHRpb25hbCBpbnQzMiBiYXIgPSAyOwoKICAgb3B0aW9uYWwgc3RyaW5nIGJheiA9IDM7CiAgIC8vIENvbW1lbnQgYXR0YWNoZWQgdG8gYmF6LgogICAvLyBBbm90aGVyIGxpbmUgYXR0YWNoZWQgdG8gYmF6LgoKICAgLy8gQ29tbWVudCBhdHRhY2hlZCB0byBxdXguCiAgIC8vCiAgIC8vIEFub3RoZXIgbGluZSBhdHRhY2hlZCB0byBxdXguCiAgIG9wdGlvbmFsIGRvdWJsZSBxdXggPSA0OwoKICAgLy8gRGV0YWNoZWQgY29tbWVudCBmb3IgY29yZ2UuIFRoaXMgaXMgbm90IGxlYWRpbmcgb3IgdHJhaWxpbmcgY29tbWVudHMKICAgLy8gdG8gcXV4IG9yIGNvcmdlIGJlY2F1c2UgdGhlcmUgYXJlIGJsYW5rIGxpbmVzIHNlcGFyYXRpbmcgaXQgZnJvbQogICAvLyBib3RoLgoKICAgLy8gRGV0YWNoZWQgY29tbWVudCBmb3IgY29yZ2UgcGFyYWdyYXBoIDIuCgogICBvcHRpb25hbCBzdHJpbmcgY29yZ2UgPSA1OwogICAvKiBCbG9jayBjb21tZW50IGF0dGFjaGVkCiAgICAqIHRvIGNvcmdlLiAgTGVhZGluZyBhc3Rlcmlza3MKICAgICogd2lsbCBiZSByZW1vdmVkLiAqLwogICAvKiBCbG9jayBjb21tZW50IGF0dGFjaGVkIHRvCiAgICAqIGdyYXVsdC4gKi8KICAgb3B0aW9uYWwgaW50MzIgZ3JhdWx0ID0gNjsKCiAgIC8vIGlnbm9yZWQgZGV0YWNoZWQgY29tbWVudHMuCgoPCgcEEwMAAgIEEgTJBgQMCg8KBwQTAwACAgUSBMkGDRMKDwoHBBMDAAICARIEyQYUJAoPCgcEEwMAAgIDEgTJBicoCg4KBgQTAwACAxIEygYEKgoPCgcEEwMAAgMEEgTKBgQMCg8KBw
QTAwACAwUSBMoGDRMKDwoHBBMDAAIDARIEygYUJQoPCgcEEwMAAgMDEgTKBigpCg4KBgQTAwACBBIEywYEMgoPCgcEEwMAAgQEEgTLBgQMCg8KBwQTAwACBAUSBMsGDRMKDwoHBBMDAAIEARIEywYULQoPCgcEEwMAAgQDEgTLBjAxCu4BCgIEFBIG0gYA5wYBGt8BIERlc2NyaWJlcyB0aGUgcmVsYXRpb25zaGlwIGJldHdlZW4gZ2VuZXJhdGVkIGNvZGUgYW5kIGl0cyBvcmlnaW5hbCBzb3VyY2UKIGZpbGUuIEEgR2VuZXJhdGVkQ29kZUluZm8gbWVzc2FnZSBpcyBhc3NvY2lhdGVkIHdpdGggb25seSBvbmUgZ2VuZXJhdGVkCiBzb3VyY2UgZmlsZSwgYnV0IG1heSBjb250YWluIHJlZmVyZW5jZXMgdG8gZGlmZmVyZW50IHNvdXJjZSAucHJvdG8gZmlsZXMuCgoLCgMEFAESBNIGCBkKeAoEBBQCABIE1QYCJRpqIEFuIEFubm90YXRpb24gY29ubmVjdHMgc29tZSBzcGFuIG9mIHRleHQgaW4gZ2VuZXJhdGVkIGNvZGUgdG8gYW4gZWxlbWVudAogb2YgaXRzIGdlbmVyYXRpbmcgLnByb3RvIGZpbGUuCgoNCgUEFAIABBIE1QYCCgoNCgUEFAIABhIE1QYLFQoNCgUEFAIAARIE1QYWIAoNCgUEFAIAAxIE1QYjJAoOCgQEFAMAEgbWBgLmBgMKDQoFBBQDAAESBNYGChQKjwEKBgQUAwACABIE2QYEKhp/IElkZW50aWZpZXMgdGhlIGVsZW1lbnQgaW4gdGhlIG9yaWdpbmFsIHNvdXJjZSAucHJvdG8gZmlsZS4gVGhpcyBmaWVsZAogaXMgZm9ybWF0dGVkIHRoZSBzYW1lIGFzIFNvdXJjZUNvZGVJbmZvLkxvY2F0aW9uLnBhdGguCgoPCgcEFAMAAgAEEgTZBgQMCg8KBwQUAwACAAUSBNkGDRIKDwoHBBQDAAIAARIE2QYTFwoPCgcEFAMAAgADEgTZBhobCg8KBwQUAwACAAgSBNkGHCkKEgoKBBQDAAIACOcHABIE2QYdKAoTCgsEFAMAAgAI5wcAAhIE2QYdIwoUCgwEFAMAAgAI5wcAAgASBNkGHSMKFQoNBBQDAAIACOcHAAIAARIE2QYdIwoTCgsEFAMAAgAI5wcAAxIE2QYkKApPCgYEFAMAAgESBNwGBCQaPyBJZGVudGlmaWVzIHRoZSBmaWxlc3lzdGVtIHBhdGggdG8gdGhlIG9yaWdpbmFsIHNvdXJjZSAucHJvdG8uCgoPCgcEFAMAAgEEEgTcBgQMCg8KBwQUAwACAQUSBNwGDRMKDwoHBBQDAAIBARIE3AYUHwoPCgcEFAMAAgEDEgTcBiIjCncKBgQUAwACAhIE4AYEHRpnIElkZW50aWZpZXMgdGhlIHN0YXJ0aW5nIG9mZnNldCBpbiBieXRlcyBpbiB0aGUgZ2VuZXJhdGVkIGNvZGUKIHRoYXQgcmVsYXRlcyB0byB0aGUgaWRlbnRpZmllZCBvYmplY3QuCgoPCgcEFAMAAgIEEgTgBgQMCg8KBwQUAwACAgUSBOAGDRIKDwoHBBQDAAICARIE4AYTGAoPCgcEFAMAAgIDEgTgBhscCtsBCgYEFAMAAgMSBOUGBBsaygEgSWRlbnRpZmllcyB0aGUgZW5kaW5nIG9mZnNldCBpbiBieXRlcyBpbiB0aGUgZ2VuZXJhdGVkIGNvZGUgdGhhdAogcmVsYXRlcyB0byB0aGUgaWRlbnRpZmllZCBvZmZzZXQuIFRoZSBlbmQgb2Zmc2V0IHNob3VsZCBiZSBvbmUgcGFzdAogdGhlIGxhc3QgcmVsZXZhbnQgYnl0ZSAoc28gdGhlIGxlbmd0aCBvZiB0aGUgdGV4dCA9IGVuZCAtIGJlZ2luKS4KCg8KBw
QUAwACAwQSBOUGBAwKDwoHBBQDAAIDBRIE5QYNEgoPCgcEFAMAAgMBEgTlBhMWCg8KBwQUAwACAwMSBOUGGRoKqV0KFGdvZ29wcm90by9nb2dvLnByb3RvEglnb2dvcHJvdG8aIGdvb2dsZS9wcm90b2J1Zi9kZXNjcmlwdG9yLnByb3RvOk4KE2dvcHJvdG9fZW51bV9wcmVmaXgSHC5nb29nbGUucHJvdG9idWYuRW51bU9wdGlvbnMYseQDIAEoCFIRZ29wcm90b0VudW1QcmVmaXg6UgoVZ29wcm90b19lbnVtX3N0cmluZ2VyEhwuZ29vZ2xlLnByb3RvYnVmLkVudW1PcHRpb25zGMXkAyABKAhSE2dvcHJvdG9FbnVtU3RyaW5nZXI6QwoNZW51bV9zdHJpbmdlchIcLmdvb2dsZS5wcm90b2J1Zi5FbnVtT3B0aW9ucxjG5AMgASgIUgxlbnVtU3RyaW5nZXI6RwoPZW51bV9jdXN0b21uYW1lEhwuZ29vZ2xlLnByb3RvYnVmLkVudW1PcHRpb25zGMfkAyABKAlSDmVudW1DdXN0b21uYW1lOjoKCGVudW1kZWNsEhwuZ29vZ2xlLnByb3RvYnVmLkVudW1PcHRpb25zGMjkAyABKAhSCGVudW1kZWNsOlYKFGVudW12YWx1ZV9jdXN0b21uYW1lEiEuZ29vZ2xlLnByb3RvYnVmLkVudW1WYWx1ZU9wdGlvbnMY0YMEIAEoCVITZW51bXZhbHVlQ3VzdG9tbmFtZTpOChNnb3Byb3RvX2dldHRlcnNfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGJnsAyABKAhSEWdvcHJvdG9HZXR0ZXJzQWxsOlUKF2dvcHJvdG9fZW51bV9wcmVmaXhfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGJrsAyABKAhSFGdvcHJvdG9FbnVtUHJlZml4QWxsOlAKFGdvcHJvdG9fc3RyaW5nZXJfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGJvsAyABKAhSEmdvcHJvdG9TdHJpbmdlckFsbDpKChF2ZXJib3NlX2VxdWFsX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxic7AMgASgIUg92ZXJib3NlRXF1YWxBbGw6OQoIZmFjZV9hbGwSHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnMYnewDIAEoCFIHZmFjZUFsbDpBCgxnb3N0cmluZ19hbGwSHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnMYnuwDIAEoCFILZ29zdHJpbmdBbGw6QQoMcG9wdWxhdGVfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGJ/sAyABKAhSC3BvcHVsYXRlQWxsOkEKDHN0cmluZ2VyX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxig7AMgASgIUgtzdHJpbmdlckFsbDo/Cgtvbmx5b25lX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxih7AMgASgIUgpvbmx5b25lQWxsOjsKCWVxdWFsX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxil7AMgASgIUghlcXVhbEFsbDpHCg9kZXNjcmlwdGlvbl9hbGwSHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnMYpuwDIAEoCFIOZGVzY3JpcHRpb25BbGw6PwoLdGVzdGdlbl9hbGwSHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnMYp+wDIAEoCFIKdGVzdGdlbkFsbDpBCgxiZW5jaGdlbl9hbGwSHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnMYqOwDIAEoCFILYmVuY2hnZW
5BbGw6QwoNbWFyc2hhbGVyX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxip7AMgASgIUgxtYXJzaGFsZXJBbGw6RwoPdW5tYXJzaGFsZXJfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGKrsAyABKAhSDnVubWFyc2hhbGVyQWxsOlAKFHN0YWJsZV9tYXJzaGFsZXJfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGKvsAyABKAhSEnN0YWJsZU1hcnNoYWxlckFsbDo7CglzaXplcl9hbGwSHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnMYrOwDIAEoCFIIc2l6ZXJBbGw6WQoZZ29wcm90b19lbnVtX3N0cmluZ2VyX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxit7AMgASgIUhZnb3Byb3RvRW51bVN0cmluZ2VyQWxsOkoKEWVudW1fc3RyaW5nZXJfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGK7sAyABKAhSD2VudW1TdHJpbmdlckFsbDpQChR1bnNhZmVfbWFyc2hhbGVyX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxiv7AMgASgIUhJ1bnNhZmVNYXJzaGFsZXJBbGw6VAoWdW5zYWZlX3VubWFyc2hhbGVyX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxiw7AMgASgIUhR1bnNhZmVVbm1hcnNoYWxlckFsbDpbChpnb3Byb3RvX2V4dGVuc2lvbnNfbWFwX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxix7AMgASgIUhdnb3Byb3RvRXh0ZW5zaW9uc01hcEFsbDpYChhnb3Byb3RvX3VucmVjb2duaXplZF9hbGwSHC5nb29nbGUucHJvdG9idWYuRmlsZU9wdGlvbnMYsuwDIAEoCFIWZ29wcm90b1VucmVjb2duaXplZEFsbDpJChBnb2dvcHJvdG9faW1wb3J0EhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGLPsAyABKAhSD2dvZ29wcm90b0ltcG9ydDpFCg5wcm90b3NpemVyX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxi07AMgASgIUg1wcm90b3NpemVyQWxsOj8KC2NvbXBhcmVfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGLXsAyABKAhSCmNvbXBhcmVBbGw6QQoMdHlwZWRlY2xfYWxsEhwuZ29vZ2xlLnByb3RvYnVmLkZpbGVPcHRpb25zGLbsAyABKAhSC3R5cGVkZWNsQWxsOkEKDGVudW1kZWNsX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxi37AMgASgIUgtlbnVtZGVjbEFsbDpRChRnb3Byb3RvX3JlZ2lzdHJhdGlvbhIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxi47AMgASgIUhNnb3Byb3RvUmVnaXN0cmF0aW9uOkcKD21lc3NhZ2VuYW1lX2FsbBIcLmdvb2dsZS5wcm90b2J1Zi5GaWxlT3B0aW9ucxi57AMgASgIUg5tZXNzYWdlbmFtZUFsbDpKCg9nb3Byb3RvX2dldHRlcnMSHy5nb29nbGUucHJvdG9idWYuTWVzc2FnZU9wdGlvbnMYgfQDIAEoCFIOZ29wcm90b0dldHRlcnM6TAoQZ29wcm90b19zdHJpbmdlchIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxiD9AMgASgIUg9nb3Byb3RvU3RyaW5nZXI6RgoNdmVyYm9zZV9lcXVhbBIfLmdvb2dsZS5wcm90b2J1Zi5NZX
NzYWdlT3B0aW9ucxiE9AMgASgIUgx2ZXJib3NlRXF1YWw6NQoEZmFjZRIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxiF9AMgASgIUgRmYWNlOj0KCGdvc3RyaW5nEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGIb0AyABKAhSCGdvc3RyaW5nOj0KCHBvcHVsYXRlEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGIf0AyABKAhSCHBvcHVsYXRlOj0KCHN0cmluZ2VyEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGMCLBCABKAhSCHN0cmluZ2VyOjsKB29ubHlvbmUSHy5nb29nbGUucHJvdG9idWYuTWVzc2FnZU9wdGlvbnMYifQDIAEoCFIHb25seW9uZTo3CgVlcXVhbBIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxiN9AMgASgIUgVlcXVhbDpDCgtkZXNjcmlwdGlvbhIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxiO9AMgASgIUgtkZXNjcmlwdGlvbjo7Cgd0ZXN0Z2VuEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGI/0AyABKAhSB3Rlc3RnZW46PQoIYmVuY2hnZW4SHy5nb29nbGUucHJvdG9idWYuTWVzc2FnZU9wdGlvbnMYkPQDIAEoCFIIYmVuY2hnZW46PwoJbWFyc2hhbGVyEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGJH0AyABKAhSCW1hcnNoYWxlcjpDCgt1bm1hcnNoYWxlchIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxiS9AMgASgIUgt1bm1hcnNoYWxlcjpMChBzdGFibGVfbWFyc2hhbGVyEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGJP0AyABKAhSD3N0YWJsZU1hcnNoYWxlcjo3CgVzaXplchIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxiU9AMgASgIUgVzaXplcjpMChB1bnNhZmVfbWFyc2hhbGVyEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGJf0AyABKAhSD3Vuc2FmZU1hcnNoYWxlcjpQChJ1bnNhZmVfdW5tYXJzaGFsZXISHy5nb29nbGUucHJvdG9idWYuTWVzc2FnZU9wdGlvbnMYmPQDIAEoCFIRdW5zYWZlVW5tYXJzaGFsZXI6VwoWZ29wcm90b19leHRlbnNpb25zX21hcBIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxiZ9AMgASgIUhRnb3Byb3RvRXh0ZW5zaW9uc01hcDpUChRnb3Byb3RvX3VucmVjb2duaXplZBIfLmdvb2dsZS5wcm90b2J1Zi5NZXNzYWdlT3B0aW9ucxia9AMgASgIUhNnb3Byb3RvVW5yZWNvZ25pemVkOkEKCnByb3Rvc2l6ZXISHy5nb29nbGUucHJvdG9idWYuTWVzc2FnZU9wdGlvbnMYnPQDIAEoCFIKcHJvdG9zaXplcjo7Cgdjb21wYXJlEh8uZ29vZ2xlLnByb3RvYnVmLk1lc3NhZ2VPcHRpb25zGJ30AyABKAhSB2NvbXBhcmU6PQoIdHlwZWRlY2wSHy5nb29nbGUucHJvdG9idWYuTWVzc2FnZU9wdGlvbnMYnvQDIAEoCFIIdHlwZWRlY2w6QwoLbWVzc2FnZW5hbWUSHy5nb29nbGUucHJvdG9idWYuTWVzc2FnZU9wdGlvbnMYofQDIAEoCFILbWVzc2FnZW5hbWU6OwoIbnVsbGFibGUSHS5nb29nbGUucHJvdG9idWYuRmllbGRPcHRpb25zGOn7Ay
ABKAhSCG51bGxhYmxlOjUKBWVtYmVkEh0uZ29vZ2xlLnByb3RvYnVmLkZpZWxkT3B0aW9ucxjq+wMgASgIUgVlbWJlZDo/CgpjdXN0b210eXBlEh0uZ29vZ2xlLnByb3RvYnVmLkZpZWxkT3B0aW9ucxjr+wMgASgJUgpjdXN0b210eXBlOj8KCmN1c3RvbW5hbWUSHS5nb29nbGUucHJvdG9idWYuRmllbGRPcHRpb25zGOz7AyABKAlSCmN1c3RvbW5hbWU6OQoHanNvbnRhZxIdLmdvb2dsZS5wcm90b2J1Zi5GaWVsZE9wdGlvbnMY7fsDIAEoCVIHanNvbnRhZzo7Cghtb3JldGFncxIdLmdvb2dsZS5wcm90b2J1Zi5GaWVsZE9wdGlvbnMY7vsDIAEoCVIIbW9yZXRhZ3M6OwoIY2FzdHR5cGUSHS5nb29nbGUucHJvdG9idWYuRmllbGRPcHRpb25zGO/7AyABKAlSCGNhc3R0eXBlOjkKB2Nhc3RrZXkSHS5nb29nbGUucHJvdG9idWYuRmllbGRPcHRpb25zGPD7AyABKAlSB2Nhc3RrZXk6PQoJY2FzdHZhbHVlEh0uZ29vZ2xlLnByb3RvYnVmLkZpZWxkT3B0aW9ucxjx+wMgASgJUgljYXN0dmFsdWU6OQoHc3RkdGltZRIdLmdvb2dsZS5wcm90b2J1Zi5GaWVsZE9wdGlvbnMY8vsDIAEoCFIHc3RkdGltZTpBCgtzdGRkdXJhdGlvbhIdLmdvb2dsZS5wcm90b2J1Zi5GaWVsZE9wdGlvbnMY8/sDIAEoCFILc3RkZHVyYXRpb25CRQoTY29tLmdvb2dsZS5wcm90b2J1ZkIKR29Hb1Byb3Rvc1oiZ2l0aHViLmNvbS9nb2dvL3Byb3RvYnVmL2dvZ29wcm90b0qaNQoHEgUcAIcBAQr8CgoBDBIDHAASMvEKIFByb3RvY29sIEJ1ZmZlcnMgZm9yIEdvIHdpdGggR2FkZ2V0cwoKIENvcHlyaWdodCAoYykgMjAxMywgVGhlIEdvR28gQXV0aG9ycy4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KIGh0dHA6Ly9naXRodWIuY29tL2dvZ28vcHJvdG9idWYKCiBSZWRpc3RyaWJ1dGlvbiBhbmQgdXNlIGluIHNvdXJjZSBhbmQgYmluYXJ5IGZvcm1zLCB3aXRoIG9yIHdpdGhvdXQKIG1vZGlmaWNhdGlvbiwgYXJlIHBlcm1pdHRlZCBwcm92aWRlZCB0aGF0IHRoZSBmb2xsb3dpbmcgY29uZGl0aW9ucyBhcmUKIG1ldDoKCiAgICAgKiBSZWRpc3RyaWJ1dGlvbnMgb2Ygc291cmNlIGNvZGUgbXVzdCByZXRhaW4gdGhlIGFib3ZlIGNvcHlyaWdodAogbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyLgogICAgICogUmVkaXN0cmlidXRpb25zIGluIGJpbmFyeSBmb3JtIG11c3QgcmVwcm9kdWNlIHRoZSBhYm92ZQogY29weXJpZ2h0IG5vdGljZSwgdGhpcyBsaXN0IG9mIGNvbmRpdGlvbnMgYW5kIHRoZSBmb2xsb3dpbmcgZGlzY2xhaW1lcgogaW4gdGhlIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZQogZGlzdHJpYnV0aW9uLgoKIFRISVMgU09GVFdBUkUgSVMgUFJPVklERUQgQlkgVEhFIENPUFlSSUdIVCBIT0xERVJTIEFORCBDT05UUklCVVRPUlMKICJBUyBJUyIgQU5EIEFOWSBFWFBSRVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UCiBMSU1JVEVEIFRPLC
BUSEUgSU1QTElFRCBXQVJSQU5USUVTIE9GIE1FUkNIQU5UQUJJTElUWSBBTkQgRklUTkVTUyBGT1IKIEEgUEFSVElDVUxBUiBQVVJQT1NFIEFSRSBESVNDTEFJTUVELiBJTiBOTyBFVkVOVCBTSEFMTCBUSEUgQ09QWVJJR0hUCiBPV05FUiBPUiBDT05UUklCVVRPUlMgQkUgTElBQkxFIEZPUiBBTlkgRElSRUNULCBJTkRJUkVDVCwgSU5DSURFTlRBTCwKIFNQRUNJQUwsIEVYRU1QTEFSWSwgT1IgQ09OU0VRVUVOVElBTCBEQU1BR0VTIChJTkNMVURJTkcsIEJVVCBOT1QKIExJTUlURUQgVE8sIFBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLAogREFUQSwgT1IgUFJPRklUUzsgT1IgQlVTSU5FU1MgSU5URVJSVVBUSU9OKSBIT1dFVkVSIENBVVNFRCBBTkQgT04gQU5ZCiBUSEVPUlkgT0YgTElBQklMSVRZLCBXSEVUSEVSIElOIENPTlRSQUNULCBTVFJJQ1QgTElBQklMSVRZLCBPUiBUT1JUCiAoSU5DTFVESU5HIE5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UKIE9GIFRISVMgU09GVFdBUkUsIEVWRU4gSUYgQURWSVNFRCBPRiBUSEUgUE9TU0lCSUxJVFkgT0YgU1VDSCBEQU1BR0UuCgoICgECEgMdCBEKCQoCAwASAx8HKQoICgEIEgMhACwKCwoECOcHABIDIQAsCgwKBQjnBwACEgMhBxMKDQoGCOcHAAIAEgMhBxMKDgoHCOcHAAIAARIDIQcTCgwKBQjnBwAHEgMhFisKCAoBCBIDIgArCgsKBAjnBwESAyIAKwoMCgUI5wcBAhIDIgcbCg0KBgjnBwECABIDIgcbCg4KBwjnBwECAAESAyIHGwoMCgUI5wcBBxIDIh4qCggKAQgSAyMAOQoLCgQI5wcCEgMjADkKDAoFCOcHAgISAyMHEQoNCgYI5wcCAgASAyMHEQoOCgcI5wcCAgABEgMjBxEKDAoFCOcHAgcSAyMUOAoJCgEHEgQlACsBCgkKAgcAEgMmCDIKCgoDBwACEgMlByIKCgoDBwAEEgMmCBAKCgoDBwAFEgMmERUKCgoDBwABEgMmFikKCgoDBwADEgMmLDEKCQoCBwESAycINAoKCgMHAQISAyUHIgoKCgMHAQQSAycIEAoKCgMHAQUSAycRFQoKCgMHAQESAycWKwoKCgMHAQMSAycuMwoJCgIHAhIDKAgsCgoKAwcCAhIDJQciCgoKAwcCBBIDKAgQCgoKAwcCBRIDKBEVCgoKAwcCARIDKBYjCgoKAwcCAxIDKCYrCgkKAgcDEgMpCDAKCgoDBwMCEgMlByIKCgoDBwMEEgMpCBAKCgoDBwMFEgMpERcKCgoDBwMBEgMpGCcKCgoDBwMDEgMpKi8KCQoCBwQSAyoIJwoKCgMHBAISAyUHIgoKCgMHBAQSAyoIEAoKCgMHBAUSAyoRFQoKCgMHBAESAyoWHgoKCgMHBAMSAyohJgoJCgEHEgQtAC8BCgkKAgcFEgMuCDUKCgoDBwUCEgMtBycKCgoDBwUEEgMuCBAKCgoDBwUFEgMuERcKCgoDBwUBEgMuGCwKCgoDBwUDEgMuLzQKCQoBBxIEMQBWAQoJCgIHBhIDMggyCgoKAwcGAhIDMQciCgoKAwcGBBIDMggQCgoKAwcGBRIDMhEVCgoKAwcGARIDMhYpCgoKAwcGAxIDMiwxCgkKAgcHEgMzCDYKCgoDBwcCEgMxByIKCgoDBwcEEgMzCBAKCgoDBwcFEgMzERUKCgoDBwcBEgMzFi0KCgoDBwcDEgMzMDUKCQoCBwgSAzQIMwoKCg
MHCAISAzEHIgoKCgMHCAQSAzQIEAoKCgMHCAUSAzQRFQoKCgMHCAESAzQWKgoKCgMHCAMSAzQtMgoJCgIHCRIDNQgwCgoKAwcJAhIDMQciCgoKAwcJBBIDNQgQCgoKAwcJBRIDNREVCgoKAwcJARIDNRYnCgoKAwcJAxIDNSovCgkKAgcKEgM2CCcKCgoDBwoCEgMxByIKCgoDBwoEEgM2CBAKCgoDBwoFEgM2ERUKCgoDBwoBEgM2Fh4KCgoDBwoDEgM2ISYKCQoCBwsSAzcIKwoKCgMHCwISAzEHIgoKCgMHCwQSAzcIEAoKCgMHCwUSAzcRFQoKCgMHCwESAzcWIgoKCgMHCwMSAzclKgoJCgIHDBIDOAgrCgoKAwcMAhIDMQciCgoKAwcMBBIDOAgQCgoKAwcMBRIDOBEVCgoKAwcMARIDOBYiCgoKAwcMAxIDOCUqCgkKAgcNEgM5CCsKCgoDBw0CEgMxByIKCgoDBw0EEgM5CBAKCgoDBw0FEgM5ERUKCgoDBw0BEgM5FiIKCgoDBw0DEgM5JSoKCQoCBw4SAzoIKgoKCgMHDgISAzEHIgoKCgMHDgQSAzoIEAoKCgMHDgUSAzoRFQoKCgMHDgESAzoWIQoKCgMHDgMSAzokKQoJCgIHDxIDPAgoCgoKAwcPAhIDMQciCgoKAwcPBBIDPAgQCgoKAwcPBRIDPBEVCgoKAwcPARIDPBYfCgoKAwcPAxIDPCInCgkKAgcQEgM9CC4KCgoDBxACEgMxByIKCgoDBxAEEgM9CBAKCgoDBxAFEgM9ERUKCgoDBxABEgM9FiUKCgoDBxADEgM9KC0KCQoCBxESAz4IKgoKCgMHEQISAzEHIgoKCgMHEQQSAz4IEAoKCgMHEQUSAz4RFQoKCgMHEQESAz4WIQoKCgMHEQMSAz4kKQoJCgIHEhIDPwgrCgoKAwcSAhIDMQciCgoKAwcSBBIDPwgQCgoKAwcSBRIDPxEVCgoKAwcSARIDPxYiCgoKAwcSAxIDPyUqCgkKAgcTEgNACCwKCgoDBxMCEgMxByIKCgoDBxMEEgNACBAKCgoDBxMFEgNAERUKCgoDBxMBEgNAFiMKCgoDBxMDEgNAJisKCQoCBxQSA0EILgoKCgMHFAISAzEHIgoKCgMHFAQSA0EIEAoKCgMHFAUSA0ERFQoKCgMHFAESA0EWJQoKCgMHFAMSA0EoLQoJCgIHFRIDQggzCgoKAwcVAhIDMQciCgoKAwcVBBIDQggQCgoKAwcVBRIDQhEVCgoKAwcVARIDQhYqCgoKAwcVAxIDQi0yCgkKAgcWEgNECCgKCgoDBxYCEgMxByIKCgoDBxYEEgNECBAKCgoDBxYFEgNEERUKCgoDBxYBEgNEFh8KCgoDBxYDEgNEIicKCQoCBxcSA0YIOAoKCgMHFwISAzEHIgoKCgMHFwQSA0YIEAoKCgMHFwUSA0YRFQoKCgMHFwESA0YWLwoKCgMHFwMSA0YyNwoJCgIHGBIDRwgwCgoKAwcYAhIDMQciCgoKAwcYBBIDRwgQCgoKAwcYBRIDRxEVCgoKAwcYARIDRxYnCgoKAwcYAxIDRyovCgkKAgcZEgNJCDMKCgoDBxkCEgMxByIKCgoDBxkEEgNJCBAKCgoDBxkFEgNJERUKCgoDBxkBEgNJFioKCgoDBxkDEgNJLTIKCQoCBxoSA0oINQoKCgMHGgISAzEHIgoKCgMHGgQSA0oIEAoKCgMHGgUSA0oRFQoKCgMHGgESA0oWLAoKCgMHGgMSA0ovNAoJCgIHGxIDTAg5CgoKAwcbAhIDMQciCgoKAwcbBBIDTAgQCgoKAwcbBRIDTBEVCgoKAwcbARIDTBYwCgoKAwcbAxIDTDM4CgkKAgccEgNNCDcKCgoDBxwCEgMxByIKCgoDBxwEEgNNCBAKCgoDBxwFEgNNERUKCgoDBxwBEgNNFi4KCgoDBxwDEgNNMTYKCQoCBx0SA04ILwoKCgMHHQISAzEHIg
oKCgMHHQQSA04IEAoKCgMHHQUSA04RFQoKCgMHHQESA04WJgoKCgMHHQMSA04pLgoJCgIHHhIDTwgtCgoKAwceAhIDMQciCgoKAwceBBIDTwgQCgoKAwceBRIDTxEVCgoKAwceARIDTxYkCgoKAwceAxIDTycsCgkKAgcfEgNQCCoKCgoDBx8CEgMxByIKCgoDBx8EEgNQCBAKCgoDBx8FEgNQERUKCgoDBx8BEgNQFiEKCgoDBx8DEgNQJCkKCQoCByASA1EEJwoKCgMHIAISAzEHIgoKCgMHIAQSA1EEDAoKCgMHIAUSA1ENEQoKCgMHIAESA1ESHgoKCgMHIAMSA1EhJgoJCgIHIRIDUgQnCgoKAwchAhIDMQciCgoKAwchBBIDUgQMCgoKAwchBRIDUg0RCgoKAwchARIDUhIeCgoKAwchAxIDUiEmCgkKAgciEgNUCDMKCgoDByICEgMxByIKCgoDByIEEgNUCBAKCgoDByIFEgNUERUKCgoDByIBEgNUFioKCgoDByIDEgNULTIKCQoCByMSA1UILgoKCgMHIwISAzEHIgoKCgMHIwQSA1UIEAoKCgMHIwUSA1URFQoKCgMHIwESA1UWJQoKCgMHIwMSA1UoLQoJCgEHEgRYAHgBCgkKAgckEgNZCC4KCgoDByQCEgNYByUKCgoDByQEEgNZCBAKCgoDByQFEgNZERUKCgoDByQBEgNZFiUKCgoDByQDEgNZKC0KCQoCByUSA1oILwoKCgMHJQISA1gHJQoKCgMHJQQSA1oIEAoKCgMHJQUSA1oRFQoKCgMHJQESA1oWJgoKCgMHJQMSA1opLgoJCgIHJhIDWwgsCgoKAwcmAhIDWAclCgoKAwcmBBIDWwgQCgoKAwcmBRIDWxEVCgoKAwcmARIDWxYjCgoKAwcmAxIDWyYrCgkKAgcnEgNcCCMKCgoDBycCEgNYByUKCgoDBycEEgNcCBAKCgoDBycFEgNcERUKCgoDBycBEgNcFhoKCgoDBycDEgNcHSIKCQoCBygSA10IJwoKCgMHKAISA1gHJQoKCgMHKAQSA10IEAoKCgMHKAUSA10RFQoKCgMHKAESA10WHgoKCgMHKAMSA10hJgoJCgIHKRIDXggnCgoKAwcpAhIDWAclCgoKAwcpBBIDXggQCgoKAwcpBRIDXhEVCgoKAwcpARIDXhYeCgoKAwcpAxIDXiEmCgkKAgcqEgNfCCcKCgoDByoCEgNYByUKCgoDByoEEgNfCBAKCgoDByoFEgNfERUKCgoDByoBEgNfFh4KCgoDByoDEgNfISYKCQoCBysSA2AIJgoKCgMHKwISA1gHJQoKCgMHKwQSA2AIEAoKCgMHKwUSA2ARFQoKCgMHKwESA2AWHQoKCgMHKwMSA2AgJQoJCgIHLBIDYggkCgoKAwcsAhIDWAclCgoKAwcsBBIDYggQCgoKAwcsBRIDYhEVCgoKAwcsARIDYhYbCgoKAwcsAxIDYh4jCgkKAgctEgNjCCoKCgoDBy0CEgNYByUKCgoDBy0EEgNjCBAKCgoDBy0FEgNjERUKCgoDBy0BEgNjFiEKCgoDBy0DEgNjJCkKCQoCBy4SA2QIJgoKCgMHLgISA1gHJQoKCgMHLgQSA2QIEAoKCgMHLgUSA2QRFQoKCgMHLgESA2QWHQoKCgMHLgMSA2QgJQoJCgIHLxIDZQgnCgoKAwcvAhIDWAclCgoKAwcvBBIDZQgQCgoKAwcvBRIDZREVCgoKAwcvARIDZRYeCgoKAwcvAxIDZSEmCgkKAgcwEgNmCCgKCgoDBzACEgNYByUKCgoDBzAEEgNmCBAKCgoDBzAFEgNmERUKCgoDBzABEgNmFh8KCgoDBzADEgNmIicKCQoCBzESA2cIKgoKCgMHMQISA1gHJQoKCgMHMQQSA2cIEAoKCgMHMQUSA2cRFQoKCgMHMQESA2cWIQoKCgMHMQMSA2ckKQoJCgIHMhIDaAgvCgoKAwcyAhIDWA
clCgoKAwcyBBIDaAgQCgoKAwcyBRIDaBEVCgoKAwcyARIDaBYmCgoKAwcyAxIDaCkuCgkKAgczEgNqCCQKCgoDBzMCEgNYByUKCgoDBzMEEgNqCBAKCgoDBzMFEgNqERUKCgoDBzMBEgNqFhsKCgoDBzMDEgNqHiMKCQoCBzQSA2wILwoKCgMHNAISA1gHJQoKCgMHNAQSA2wIEAoKCgMHNAUSA2wRFQoKCgMHNAESA2wWJgoKCgMHNAMSA2wpLgoJCgIHNRIDbQgxCgoKAwc1AhIDWAclCgoKAwc1BBIDbQgQCgoKAwc1BRIDbREVCgoKAwc1ARIDbRYoCgoKAwc1AxIDbSswCgkKAgc2EgNvCDUKCgoDBzYCEgNYByUKCgoDBzYEEgNvCBAKCgoDBzYFEgNvERUKCgoDBzYBEgNvFiwKCgoDBzYDEgNvLzQKCQoCBzcSA3AIMwoKCgMHNwISA1gHJQoKCgMHNwQSA3AIEAoKCgMHNwUSA3ARFQoKCgMHNwESA3AWKgoKCgMHNwMSA3AtMgoJCgIHOBIDcggpCgoKAwc4AhIDWAclCgoKAwc4BBIDcggQCgoKAwc4BRIDchEVCgoKAwc4ARIDchYgCgoKAwc4AxIDciMoCgkKAgc5EgNzCCYKCgoDBzkCEgNYByUKCgoDBzkEEgNzCBAKCgoDBzkFEgNzERUKCgoDBzkBEgNzFh0KCgoDBzkDEgNzICUKCQoCBzoSA3UIJwoKCgMHOgISA1gHJQoKCgMHOgQSA3UIEAoKCgMHOgUSA3URFQoKCgMHOgESA3UWHgoKCgMHOgMSA3UhJgoJCgIHOxIDdwgqCgoKAwc7AhIDWAclCgoKAwc7BBIDdwgQCgoKAwc7BRIDdxEVCgoKAwc7ARIDdxYhCgoKAwc7AxIDdyQpCgoKAQcSBXoAhwEBCgkKAgc8EgN7CCcKCgoDBzwCEgN6ByMKCgoDBzwEEgN7CBAKCgoDBzwFEgN7ERUKCgoDBzwBEgN7Fh4KCgoDBzwDEgN7ISYKCQoCBz0SA3wIJAoKCgMHPQISA3oHIwoKCgMHPQQSA3wIEAoKCgMHPQUSA3wRFQoKCgMHPQESA3wWGwoKCgMHPQMSA3weIwoJCgIHPhIDfQgrCgoKAwc+AhIDegcjCgoKAwc+BBIDfQgQCgoKAwc+BRIDfREXCgoKAwc+ARIDfRgiCgoKAwc+AxIDfSUqCgkKAgc/EgN+CCsKCgoDBz8CEgN6ByMKCgoDBz8EEgN+CBAKCgoDBz8FEgN+ERcKCgoDBz8BEgN+GCIKCgoDBz8DEgN+JSoKCQoCB0ASA38IKAoKCgMHQAISA3oHIwoKCgMHQAQSA38IEAoKCgMHQAUSA38RFwoKCgMHQAESA38YHwoKCgMHQAMSA38iJwoKCgIHQRIEgAEIKQoKCgMHQQISA3oHIwoLCgMHQQQSBIABCBAKCwoDB0EFEgSAAREXCgsKAwdBARIEgAEYIAoLCgMHQQMSBIABIygKCgoCB0ISBIEBCCkKCgoDB0ICEgN6ByMKCwoDB0IEEgSBAQgQCgsKAwdCBRIEgQERFwoLCgMHQgESBIEBGCAKCwoDB0IDEgSBASMoCgoKAgdDEgSCAQgoCgoKAwdDAhIDegcjCgsKAwdDBBIEggEIEAoLCgMHQwUSBIIBERcKCwoDB0MBEgSCARgfCgsKAwdDAxIEggEiJwoKCgIHRBIEgwEIKgoKCgMHRAISA3oHIwoLCgMHRAQSBIMBCBAKCwoDB0QFEgSDAREXCgsKAwdEARIEgwEYIQoLCgMHRAMSBIMBJCkKCgoCB0USBIUBCCYKCgoDB0UCEgN6ByMKCwoDB0UEEgSFAQgQCgsKAwdFBRIEhQERFQoLCgMHRQESBIUBFh0KCwoDB0UDEgSFASAlCgoKAgdGEgSGAQgqCgoKAwdGAhIDegcjCgsKAwdGBBIEhgEIEAoLCgMHRgUSBIYBERUKCwoDB0YBEgSGARYhCg
sKAwdGAxIEhgEkKQqXBAogYXV0aHphZGFwdG9yL2NvbmZpZy9jb25maWcucHJvdG8SBmNvbmZpZxoeZ29vZ2xlL3Byb3RvYnVmL2R1cmF0aW9uLnByb3RvGhRnb2dvcHJvdG8vZ29nby5wcm90byJUCgZQYXJhbXMSSgoOdmFsaWRfZHVyYXRpb24YASABKAsyGS5nb29nbGUucHJvdG9idWYuRHVyYXRpb25CCMjeHwCY3x8BUg12YWxpZER1cmF0aW9uStYCCgYSBAAABgEKCAoBDBIDAAASCgkKAgMAEgMBBycKCQoCAwESAwIHHQoICgECEgMDCA4KCgoCBAASBAQABgEKCgoDBAABEgMECA4KCwoEBAACABIDBQJrCg0KBQQAAgAEEgQFAgQQCgwKBQQAAgAGEgMFAhoKDAoFBAACAAESAwUbKQoMCgUEAAIAAxIDBSwtCgwKBQQAAgAIEgMFLmoKDwoIBAACAAjnBwASAwUvSQoQCgkEAAIACOcHAAISAwUvQwoRCgoEAAIACOcHAAIAEgMFL0MKEgoLBAACAAjnBwACAAESAwUwQgoQCgkEAAIACOcHAAMSAwVESQoPCggEAAIACOcHARIDBUtpChAKCQQAAgAI5wcBAhIDBUtiChEKCgQAAgAI5wcBAgASAwVLYgoSCgsEAAIACOcHAQIAARIDBUxhChAKCQQAAgAI5wcBAxIDBWVpYgZwcm90bzM= +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/deployment.yaml new file mode 100644 index 0000000000..5a5ac891cb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/deployment.yaml @@ -0,0 +1,23 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + run: authzadaptor + name: authzadaptor +spec: + replicas: 1 + selector: + matchLabels: + run: authzadaptor + template: + metadata: + labels: + run: authzadaptor + spec: + containers: + - image: seedjeffwan/istio-adapter:0.1 + imagePullPolicy: Always + name: authzadaptor + ports: + - containerPort: 9070 + protocol: TCP \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/handler.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/handler.yaml new file mode 100644 index 0000000000..6dfb5e3a0b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/handler.yaml 
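Review bot: The container in deployment.yaml is pulled as `seedjeffwan/istio-adapter:0.1` with `imagePullPolicy: Always`, so every pod start takes whatever that mutable tag currently points to in a personal registry namespace. rule.yaml in this same commit routes ingress-gateway requests through this workload, which puts the image in the authentication path. I would pin it by digest, `image: seedjeffwan/istio-adapter@sha256:<digest-of-reviewed-image>` (or `digest:` in place of `newTag: "0.1"` in the kustomization `images:` entry), or mirror it into a registry the project controls. The pod spec also sets no `securityContext` or `resources`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` would be reasonable if the image supports them. The path is under `upstream/`, so the file looks vendored and the change probably belongs in an overlay or upstream.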
@@ -0,0 +1,10 @@
+apiVersion: config.istio.io/v1alpha2
+kind: handler
+metadata:
+ name: authzadaptor-handler
+spec:
+ adapter: authzadaptor
+ connection:
+ address: authzadaptor:9070
+ params:
+ valid_duration: 1s
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/instance.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/instance.yaml
new file mode 100644
index 0000000000..6498c6a9c6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/instance.yaml
@@ -0,0 +1,8 @@
+apiVersion: config.istio.io/v1alpha2
+kind: instance
+metadata:
+ name: authzadaptor-instance
+spec:
+ template: authzadaptor
+ params:
+ key: request.headers["$(origin-header)"] | "unknown"
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/kustomization.yaml
new file mode 100644
index 0000000000..b78c0c9f04
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/kustomization.yaml
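Review bot: In instance.yaml the expression `request.headers["$(origin-header)"] | "unknown"` substitutes the literal string `unknown` whenever the header is absent, so a request with no identity token and a misnamed header both reach the adapter with what looks like an ordinary key. What the adapter does with that value is not visible in this commit; I would document the expectation next to the field, e.g. `# adapter must deny when key == "unknown"`, or restrict the rule to requests where the header is present. params.env sets `origin-header=x-amzn-oidc-header`, while the ALB header that carries the signed user claims is, as far as I know, `x-amzn-oidc-data`; the name is worth confirming, because with this fallback a wrong name fails silently.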
@@ -0,0 +1,46 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- deployment.yaml
+- service.yaml
+- template.yaml
+- authzadaptor.yaml
+- handler.yaml
+- instance.yaml
+- rule.yaml
+commonLabels:
+ kustomize.component: aws-authzadaptor
+images:
+- name: seedjeffwan/istio-adapter
+ newName: seedjeffwan/istio-adapter
+ newTag: "0.1"
+configMapGenerator:
+ - name: aws-authzadaptor-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: istio-namespace
+ objref:
+ kind: ConfigMap
+ name: aws-authzadaptor-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.istio-namespace
+- name: origin-header
+ objref:
+ kind: ConfigMap
+ name: aws-authzadaptor-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.origin-header
+- name: custom-header
+ objref:
+ kind: ConfigMap
+ name: aws-authzadaptor-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.custom-header
+configurations:
+- params.yaml
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.env
new file mode 100644
index 0000000000..127605c860
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.env
@@ -0,0 +1,3 @@
+origin-header=x-amzn-oidc-header
+custom-header=kubeflow-userid
+istio-namespace=istio-system
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.yaml
new file mode 100644
index 0000000000..bb65c6b2fc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/params.yaml
@@ -0,0 +1,7 @@
+varReference:
+- path: spec/actions/handler
+ kind: rule
+- path: spec/requestHeaderOperations/name
+ kind: rule
+- path: spec/params/key
+ kind: instance
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml
new file mode 100644
index 0000000000..990473c051
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/rule.yaml
@@ -0,0 +1,17 @@
+apiVersion: config.istio.io/v1alpha2
+kind: rule
+metadata:
+ name: authzadaptor-rule
+spec:
+ # restrict the rule to the ingress gateway proxy workload only
+ match: context.reporter.kind == "outbound" && source.labels["istio"] == "ingressgateway"
+ actions:
+ - handler: authzadaptor-handler.$(istio-namespace)
+ instances: ["authzadaptor-instance"]
+ # assign a name to the action
+ name: action
+ requestHeaderOperations:
+ # set header to the output value of action "action" in the request
+ - name: $(custom-header)
+ values:
+ - action.output.email
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/service.yaml
new file mode 100644
index 0000000000..7eed756348
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: authzadaptor
+spec:
+ ports:
+ - port: 9070
+ protocol: TCP
+ targetPort: 9070
+ selector:
+ run: authzadaptor
+ type: ClusterIP
\ No newline at end of file
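Review bot: rule.yaml writes `$(custom-header)` (`kubeflow-userid` per params.env) from `action.output.email`, and downstream services will presumably treat that header as the authenticated identity. Nothing in this commit shows that the adapter verifies the signature of the token it reads, or that a client-supplied `kubeflow-userid` is removed when the rule does not match or the adapter returns no output. The match is limited to `source.labels["istio"] == "ingressgateway"`, so the guarantee also depends on the gateway being reachable only through the load balancer that sets the origin header. I would state those assumptions in a comment above `requestHeaderOperations`, e.g. `# trusted only when traffic enters via the ALB; adapter must verify the token signature`, and have the gateway drop any inbound copy of the header.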
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/template.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/template.yaml new file mode 100644 index 0000000000..d10a94d97b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/base/template.yaml @@ -0,0 +1,9 @@ +# this config is created through command +# mixgen template -d $REPO_ROOT/authzadaptor/template_handler_service.descriptor_set -o $REPO_ROOT/authzadaptor/template.yaml -n authzadaptor +apiVersion: "config.istio.io/v1alpha2" +kind: template +metadata: + name: authzadaptor +spec: + descriptor: "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" +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/application.yaml new file mode 100644 index 0000000000..a1aefc55a4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/application.yaml 
@@ -0,0 +1,38 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: aws-istio-authz-adaptor +spec: + selector: + matchLabels: + app.kubernetes.io/name: aws-istio-authz-adaptor + app.kubernetes.io/instance: aws-istio-authz-adaptor-v1.0.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: aws-istio-authz-adaptor + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v1.0.0 + componentKinds: + - group: apps + kind: Service + - group: apps + kind: Deployment + descriptor: + type: aws-istio-authz-adaptor + version: v0.1 + description: Authorization adpator to append header for AWS application load balancer + maintainers: + - name: Jiaxin Shan + email: shjiaxin@amazon.com + owners: + - name: Jiaxin Shan + email: shjiaxin@amazon.com + keywords: + - aws + - istio + - mixer + - adaptor + links: + - description: About + url: https://github.com/istio/istio/tree/master/mixer/adapter + addOwnerRef: true + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..2d18a3b74c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/aws-istio-authz-adaptor/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: aws-istio-authz-adaptor + app.kubernetes.io/name: aws-istio-authz-adaptor +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..7e93fdbbcb --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: fluentd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fluentd
+subjects:
+ - kind: ServiceAccount
+ name: fluentd
+ namespace: kube-system
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role.yaml
new file mode 100644
index 0000000000..a78f0061c0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/cluster-role.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: fluentd
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ verbs: ["get", "list", "watch"]
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/configmap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/configmap.yaml
new file mode 100644
index 0000000000..789555bbc5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/configmap.yaml
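Review bot: Both RBAC objects added here (the `ClusterRoleBinding` and, in the next hunk, the `ClusterRole`) use `rbac.authorization.k8s.io/v1beta1`, which is deprecated and has been removed from newer Kubernetes releases; `apiVersion: rbac.authorization.k8s.io/v1` accepts the same fields. The granted verbs (`get`, `list`, `watch` on `namespaces` and `pods`) are read-only and look appropriately narrow for log enrichment. The binding's subject hard-codes `namespace: kube-system`, which only matches because the kustomization in this commit sets the same namespace; a short comment saying so would help whoever changes one of the two.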
@@ -0,0 +1,312 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: fluentd-config + labels: + k8s-app: fluentd-cloudwatch +data: + fluent.conf: | + @include containers.conf + @include systemd.conf + @include host.conf + + + @type null + + containers.conf: | + + @type tail + @id in_tail_container_logs + @label @containers + path /var/log/containers/*.log + exclude_path ["/var/log/containers/cloudwatch-agent*", "/var/log/containers/fluentd*"] + pos_file /var/log/fluentd-containers.log.pos + tag * + read_from_head true + + @type json + time_format %Y-%m-%dT%H:%M:%S.%NZ + + + + + @type tail + @id in_tail_cwagent_logs + @label @cwagentlogs + path /var/log/containers/cloudwatch-agent* + pos_file /var/log/cloudwatch-agent.log.pos + tag * + read_from_head true + + @type json + time_format %Y-%m-%dT%H:%M:%S.%NZ + + + + + @type tail + @id in_tail_fluentd_logs + @label @fluentdlogs + path /var/log/containers/fluentd* + pos_file /var/log/fluentd.log.pos + tag * + read_from_head true + + @type json + time_format %Y-%m-%dT%H:%M:%S.%NZ + + + + + + + + + + + systemd.conf: | + + @type systemd + @id in_systemd_kubelet + @label @systemd + filters [{ "_SYSTEMD_UNIT": "kubelet.service" }] + + field_map {"MESSAGE": "message", "_HOSTNAME": "hostname", "_SYSTEMD_UNIT": "systemd_unit"} + field_map_strict true + + path /var/log/journal + + @type local + persistent true + path /var/log/fluentd-journald-kubelet-pos.json + + read_from_head true + tag kubelet.service + + + + @type systemd + @id in_systemd_kubeproxy + @label @systemd + filters [{ "_SYSTEMD_UNIT": "kubeproxy.service" }] + + field_map {"MESSAGE": "message", "_HOSTNAME": "hostname", "_SYSTEMD_UNIT": "systemd_unit"} + field_map_strict true + + path /var/log/journal + + @type local + persistent true + path /var/log/fluentd-journald-kubeproxy-pos.json + + read_from_head true + tag kubeproxy.service + + + + @type systemd + @id in_systemd_docker + @label @systemd + filters [{ "_SYSTEMD_UNIT": "docker.service" }] + + field_map 
{"MESSAGE": "message", "_HOSTNAME": "hostname", "_SYSTEMD_UNIT": "systemd_unit"} + field_map_strict true + + path /var/log/journal + + @type local + persistent true + path /var/log/fluentd-journald-docker-pos.json + + read_from_head true + tag docker.service + + + + host.conf: | + + @type tail + @id in_tail_dmesg + @label @hostlogs + path /var/log/dmesg + pos_file /var/log/dmesg.log.pos + tag host.dmesg + read_from_head true + + @type syslog + + + + + @type tail + @id in_tail_secure + @label @hostlogs + path /var/log/secure + pos_file /var/log/secure.log.pos + tag host.secure + read_from_head true + + @type syslog + + + + + @type tail + @id in_tail_messages + @label @hostlogs + path /var/log/messages + pos_file /var/log/messages.log.pos + tag host.messages + read_from_head true + + @type syslog + + + + \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/daemonset.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/daemonset.yaml new file mode 100644 index 0000000000..f9fb934ca6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/daemonset.yaml 
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: fluentd-cloudwatch
+ labels:
+ k8s-app: fluentd-cloudwatch
+spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: fluentd-cloudwatch
+ spec:
+ serviceAccountName: fluentd
+ terminationGracePeriodSeconds: 30
+ # Because the image's entrypoint requires to write on /fluentd/etc but we mount configmap there which is read-only,
+ # this initContainers workaround or other is needed.
+ # See https://github.com/fluent/fluentd-kubernetes-daemonset/issues/90
+ initContainers:
+ - name: copy-fluentd-config
+ image: busybox
+ command: ['sh', '-c', 'cp /config-volume/..data/* /fluentd/etc']
+ volumeMounts:
+ - name: config-volume
+ mountPath: /config-volume
+ - name: fluentdconf
+ mountPath: /fluentd/etc
+ - name: update-log-driver
+ image: busybox
+ command: ['sh','-c','']
+ containers:
+ - name: fluentd-cloudwatch
+ image: fluent/fluentd-kubernetes-daemonset
+ env:
+ - name: REGION
+ value: $(REGION)
+ - name: CLUSTER_NAME
+ value: $(CLUSTER_NAME)
+ - name: CI_VERSION
+ value: "k8s/1.0.1"
+ resources:
+ limits:
+ memory: 400Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ volumeMounts:
+ - name: config-volume
+ mountPath: /config-volume
+ - name: fluentdconf
+ mountPath: /fluentd/etc
+ - name: varlog
+ mountPath: /var/log
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ - name: runlogjournal
+ mountPath: /run/log/journal
+ readOnly: true
+ - name: dmesg
+ mountPath: /var/log/dmesg
+ readOnly: true
+ volumes:
+ - name: config-volume
+ configMap:
+ name: fluentd-config
+ - name: fluentdconf
+ emptyDir: {}
+ - name: varlog
+ hostPath:
+ path: /var/log
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
+ - name: runlogjournal
+ hostPath:
+ path: /run/log/journal
+ - name: dmesg
+ hostPath:
+ path: /var/log/dmesg
\ No newline at end of file
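Review bot: Both init containers use `image: busybox` with no tag or digest, so every node pulls whatever `latest` resolves to at the time and runs it in `kube-system`; the kustomization's `images:` list pins only the fluentd image. Pin busybox there as well, with an entry for `name: busybox` carrying a `newTag:` or `digest:` of a reviewed build. The `update-log-driver` init container runs `['sh','-c','']`, which does nothing, and can be dropped. None of the containers sets a `securityContext`, and `varlog` mounts the host's `/var/log` read-write; the `pos_file` paths in the ConfigMap need that, but a comment should say so.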
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/kustomization.yaml new file mode 100644 index 0000000000..1458245627 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/kustomization.yaml @@ -0,0 +1,35 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: +- cluster-role.yaml +- cluster-role-binding.yaml +- configmap.yaml +- daemonset.yaml +- service-account.yaml +commonLabels: + kustomize.component: fluentd-cloud-watch +generatorOptions: + disableNameSuffixHash: true +images: +- name: fluent/fluentd-kubernetes-daemonset + newName: fluent/fluentd-kubernetes-daemonset + newTag: v1.7.3-debian-cloudwatch-1.0 +configMapGenerator: +- name: fluentd-cloud-watch-parameters + env: params.env +vars: +- name: CLUSTER_NAME + objref: + kind: ConfigMap + name: fluentd-cloud-watch-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterName +- name: REGION + objref: + kind: ConfigMap + name: fluentd-cloud-watch-parameters + apiVersion: v1 + fieldref: + fieldpath: data.region diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/params.env new file mode 100644 index 0000000000..69e32542ac --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/params.env @@ -0,0 +1,2 @@ +region=us-west-2 +clusterName= diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/service-account.yaml new file mode 100644 index 0000000000..be72480294 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: fluentd \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/application.yaml new file mode 100644 index 0000000000..6c82b6dbdd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/application.yaml @@ -0,0 +1,39 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: aws-fluentd-cloud-watch +spec: + selector: + matchLabels: + app.kubernetes.io/name: aws-fluentd-cloud-watch + app.kubernetes.io/instance: aws-fluentd-cloud-watch-v1.0.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: aws-fluentd-cloud-watch + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v1.0.0 + componentKinds: + - group: apps + kind: DaemonSet + - group: core + kind: ConfigMap + - group: core + kind: ServiceAccount + descriptor: + type: aws-fluentd-cloud-watch + version: v1.7.3-debian-cloudwatch-1.0 + description: A Fluentd DaemonSet which collects logs from Kubenertes and ship to CloudWatch. + maintainers: + - name: Jiaxin Shan + email: shjiaxin@amazon.com + owners: + - name: Jiaxin Shan + email: shjiaxin@amazon.com + keywords: + - aws + - logs + - kubeflow + links: + - description: About + url: https://github.com/fluent/fluentd-kubernetes-daemonset + addOwnerRef: true + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..9ccbdaf09c --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/fluentd-cloud-watch/overlays/application/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +commonLabels: + app.kubernetes.io/component: aws-fluentd-cloud-watch + app.kubernetes.io/name: aws-fluentd-cloud-watch +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/README.md new file mode 100644 index 0000000000..3d75416539 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/README.md @@ -0,0 +1,2 @@ +This directory contains some additional configuration files that are used by kfctl when +deploying on AWS. \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_config.yaml new file mode 100644 index 0000000000..cde7120087 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_config.yaml 
@@ -0,0 +1,44 @@ +# For details, Please check eksctl documentation or API specs. +# https://github.com/weaveworks/eksctl/blob/master/pkg/apis/eksctl.io/v1alpha4/types.go + +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig +metadata: + # AWS_CLUSTER_NAME and AWS_REGION will override `name` and `region` here. + name: your_cluster_name + region: your_cluster_region + version: '1.14' +# If your region has multiple availability zones, you can specify 3 of them. +# cluster AZs must be set explicitly for single AZ nodegroup example to work +#availabilityZones: ["us-west-2b", "us-west-2c", "us-west-2d"] + +# NodeGroup holds all configuration attributes that are specific to a nodegroup +# You can have several node group in your cluster. +nodeGroups: + - name: cpu-nodegroup + instanceType: m5.xlarge + desiredCapacity: 2 + minSize: 0 + maxSize: 3 + volumeSize: 30 + + # Example of GPU node group +# - name: gpu-nodegroup +# instanceType: p3.2xlarge +# ami: auto +# availabilityZones: ["us-west-2b"] # GPU cluster can use single availability zone to improve network performance +# desiredCapacity: 0 +# minSize: 0 +# maxSize: 4 +# volumeSize: 50 # Node Root Disk +# ssh: +# allow: true +# sshPublicKeyPath: '~/.ssh/id_rsa.pub' +# labels: +# k8s.amazonaws.com/accelerator: 'nvidia-tesla-k80' # Customize Labels +# tags: +# k8s.io/cluster-autoscaler/enabled: 'true' +# iam: +# withAddonPolicies: +# autoScaler: true +# \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_features.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_features.yaml new file mode 100644 index 0000000000..9b7def0d53 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/cluster_features.yaml 
@@ -0,0 +1,17 @@
+# private_access enable private access for your Amazon EKS cluster's Kubernetes API server endpoint
+# and completely disable public access so that it's not accessible from the internet.
+# More info: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
+private_access: false
+endpoint_public_access: true
+endpoint_private_access: false
+# control_plane_logging provides audit and diagnostic logs directly from the EKS control plane
+# to CloudWatch Logs in your account. More info: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+control_plane_logging: false
+control_plane_logging_components:
+ - api
+ - audit
+ - authenticator
+ - controllerManager
+ - scheduler
+# worker_node_group_logging provides audit and diagnostic logs from worker node groups to CloudWatch Logs in your account.
+worker_node_group_logging: false
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_alb_ingress_policy.json b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_alb_ingress_policy.json
new file mode 100644
index 0000000000..cd2916c3d3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_alb_ingress_policy.json
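Review bot: The defaults in `cluster_features.yaml` leave the API server endpoint public (`endpoint_public_access: true`, `private_access: false`) and turn control-plane logging off, so a cluster created from this file unchanged has an internet-reachable API endpoint and no audit or authenticator logs in CloudWatch. I would default to `control_plane_logging: true` (the `audit` and `authenticator` components are already listed), or at least say in the comment that the shipped values are the permissive ones. The comment on `private_access` also does not explain how that key relates to `endpoint_public_access` and `endpoint_private_access`; which one wins when they disagree should be documented.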
@@ -0,0 +1,118 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "acm:DescribeCertificate", + "acm:ListCertificates", + "acm:GetCertificate" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DeleteSecurityGroup", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAddresses", + "ec2:DescribeInstances", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInternetGateways", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeTags", + "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:RevokeSecurityGroupIngress" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddListenerCertificates", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteRule", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeSSLPolicies", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:ModifyRule", + "elasticloadbalancing:ModifyTargetGroup", + 
"elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets", + "elasticloadbalancing:SetWebACL" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole", + "iam:GetServerCertificate", + "iam:ListServerCertificates" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "cognito-idp:DescribeUserPoolClient" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "waf-regional:GetWebACLForResource", + "waf-regional:GetWebACL", + "waf-regional:AssociateWebACL", + "waf-regional:DisassociateWebACL" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "tag:GetResources", + "tag:TagResources" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "waf:GetWebACL" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_cloudwatch_policy.json b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_cloudwatch_policy.json new file mode 100644 index 0000000000..34ceb8edda --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_cloudwatch_policy.json @@ -0,0 +1,16 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "*", + "Effect": "Allow" + } + ] +} \ No newline at end of file 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_csi_fsx_policy.json b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_csi_fsx_policy.json
new file mode 100644
index 0000000000..d17d113462
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_csi_fsx_policy.json
@@ -0,0 +1,31 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceLinkedRole",
+ "iam:AttachRolePolicy",
+ "iam:PutRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "fsx:*"
+ ],
+ "Resource": ["*"]
+ },
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:CreateNetworkInterface",
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_profile_controller_policy.json b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_profile_controller_policy.json
new file mode 100644
index 0000000000..61ff2df9fb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/infra_configs/iam_profile_controller_policy.json
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetRole",
+ "iam:UpdateAssumeRolePolicy"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/ingress.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/ingress.yaml
new file mode 100644
index 0000000000..18e4fa9649
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/ingress.yaml
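Review bot: In `iam_csi_fsx_policy.json`, the statements `"Action": "s3:*"` and `"fsx:*"` on `"Resource": "*"` give whatever role carries this policy full control of every S3 bucket and FSx file system in the account, deletion included, which is far more than an FSx CSI driver needs. The S3 grant should be limited to the buckets used as Lustre data repositories, e.g. `"Resource": ["arn:aws:s3:::<DATA_BUCKET>", "arn:aws:s3:::<DATA_BUCKET>/*"]`, and to the read/write actions that import and export require. The FSx grant should be narrowed to the create, describe and delete file-system calls. The principal this policy is attached to is not visible here; if it is the worker node role, every pod on the node inherits these rights.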
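Review bot: In `iam_profile_controller_policy.json`, `iam:UpdateAssumeRolePolicy` on `"Resource": "*"` lets the holder rewrite the trust policy of any role in the account, administrative roles included, so a compromise of the profile controller becomes account-wide privilege escalation. Restrict the resource to the roles the controller is meant to manage, for example `"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<PROFILE_ROLE_PREFIX>*"`. The auto-generated `"Sid": "VisualEditor0"` should also be replaced with a descriptive one so the statement's purpose is clear in audits.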
@@ -0,0 +1,16 @@
+apiVersion: extensions/v1beta1 # networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: alb
+ alb.ingress.kubernetes.io/scheme: $(loadBalancerScheme)
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
+ name: istio-ingress
+spec:
+ rules:
+ - http:
+ paths:
+ - backend:
+ serviceName: istio-ingressgateway
+ servicePort: 80
+ path: /*
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/istio-policy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/istio-policy.yaml
new file mode 100644
index 0000000000..84348970c8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/istio-policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ name: istio-jwt
+ namespace: istio-system
+spec:
+ targets:
+ - name: istio-ingressgateway
+ ports:
+ - number: 80
+ origins:
+ - jwt:
+ issuer: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxx"
+ jwksUri: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxx/.well-known/jwks.json"
+ jwtHeaders:
+ - "x-amzn-oidc-accesstoken"
+ triggerRules:
+ - excludedPaths:
+ - exact: /health_check
+ principalBinding: USE_ORIGIN
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/kustomization.yaml
new file mode 100644
index 0000000000..14381457aa
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/kustomization.yaml
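Review bot: The base Ingress in `base/ingress.yaml` listens on plain HTTP (`listen-ports: '[{"HTTP": 80}]'`) and carries no `auth-type` annotation, while `params.env` later in this commit defaults `loadBalancerScheme` to `internet-facing`. Applied without an overlay, it publishes `istio-ingressgateway` to the internet unencrypted and with no authentication at the ALB. Consider defaulting the scheme to `internal` in `params.env`, or add a comment at the top of this file saying the base is not meant to be deployed on its own. `extensions/v1beta1` is also the deprecated Ingress group; the trailing comment already names `networking.k8s.io/v1beta1`, which is the one to use.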
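Review bot: In `base/istio-policy.yaml`, `issuer` and `jwksUri` are hard-coded to a placeholder user pool (`us-west-2_xxxxx`), and the file is not listed under `resources:` in the base `kustomization.yaml` added by this commit, so as far as this diff shows the JWT check is never applied. If it is meant to be applied by hand, a header comment should say so and note that both URLs must be replaced. The policy targets only port 80 of `istio-ingressgateway`, so any other port exposed on the gateway would presumably fall outside it, and `/health_check` is exempted by exact match.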
@@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ingress.yaml +commonLabels: + kustomize.component: istio-ingress +configMapGenerator: +- name: istio-ingress-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: loadBalancerScheme + objref: + kind: ConfigMap + name: istio-ingress-parameters + apiVersion: v1 + fieldref: + fieldpath: data.loadBalancerScheme +configurations: +- params.yaml \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.env new file mode 100644 index 0000000000..18ce5979b7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.env @@ -0,0 +1 @@ +loadBalancerScheme=internet-facing \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.yaml new file mode 100644 index 0000000000..326339f280 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: metadata/annotations + kind: Ingress \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/ingress.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/ingress.yaml new file mode 100644 index 0000000000..51957f7597 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/ingress.yaml 
@@ -0,0 +1,9 @@ +apiVersion: extensions/v1beta1 # networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: istio-ingress + annotations: + alb.ingress.kubernetes.io/auth-type: cognito + alb.ingress.kubernetes.io/auth-idp-cognito: '{"UserPoolArn":"$(CognitoUserPoolArn)","UserPoolClientId":"$(CognitoAppClientId)", "UserPoolDomain":"$(CognitoUserPoolDomain)"}' + alb.ingress.kubernetes.io/certificate-arn: $(certArn) + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/kustomization.yaml new file mode 100644 index 0000000000..b1d6778972 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/kustomization.yaml @@ -0,0 +1,39 @@ +bases: +- ../../base +patchesStrategicMerge: +- ingress.yaml +configMapGenerator: +- name: istio-ingress-cognito-parameters + env: params.env +vars: +- name: CognitoUserPoolArn + objref: + kind: ConfigMap + name: istio-ingress-cognito-parameters + apiVersion: v1 + fieldref: + fieldpath: data.CognitoUserPoolArn +- name: CognitoAppClientId + objref: + kind: ConfigMap + name: istio-ingress-cognito-parameters + apiVersion: v1 + fieldref: + fieldpath: data.CognitoAppClientId +- name: CognitoUserPoolDomain + objref: + kind: ConfigMap + name: istio-ingress-cognito-parameters + apiVersion: v1 + fieldref: + fieldpath: data.CognitoUserPoolDomain +- name: certArn + objref: + kind: ConfigMap + name: istio-ingress-cognito-parameters + apiVersion: v1 + fieldref: + fieldpath: data.certArn +namespace: istio-system +configurations: +- params.yaml 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.env new file mode 100644 index 0000000000..df4b01f1eb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.env @@ -0,0 +1,4 @@ +CognitoUserPoolArn= +CognitoAppClientId= +CognitoUserPoolDomain= +certArn= \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.yaml new file mode 100644 index 0000000000..326339f280 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/cognito/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: metadata/annotations + kind: Ingress \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/ingress.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/ingress.yaml new file mode 100644 index 0000000000..43869440bb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/ingress.yaml @@ -0,0 +1,10 @@ +apiVersion: extensions/v1beta1 # networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: istio-ingress + annotations: + alb.ingress.kubernetes.io/auth-type: oidc + alb.ingress.kubernetes.io/auth-idp-oidc: '{"Issuer":"$(oidcIssuer)","AuthorizationEndpoint":"$(oidcAuthorizationEndpoint)","TokenEndpoint":"$(oidcTokenEndpoint)","UserInfoEndpoint":"$(oidcUserInfoEndpoint)","SecretName":"$(oidcSecretName)"}' + alb.ingress.kubernetes.io/certificate-arn: $(certArn) + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' + alb.ingress.kubernetes.io/auth-scope: 'email openid profile' 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/kustomization.yaml
new file mode 100644
index 0000000000..d2fa3f8bc8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/kustomization.yaml
@@ -0,0 +1,57 @@
+bases:
+- ../../base
+patchesStrategicMerge:
+- ingress.yaml
+#- oidc-secret.yaml
+secretGenerator:
+- name: istio-oidc-secret
+ env: secrets.env
+configMapGenerator:
+- name: istio-ingress-oidc-parameters
+ env: params.env
+vars:
+- name: oidcIssuer
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-oidc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidcIssuer
+- name: oidcAuthorizationEndpoint
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-oidc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidcAuthorizationEndpoint
+- name: oidcTokenEndpoint
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-oidc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidcTokenEndpoint
+- name: oidcUserInfoEndpoint
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-oidc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidcUserInfoEndpoint
+- name: oidcSecretName
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-oidc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidcSecretName
+- name: certArn
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-oidc-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.certArn
+namespace: istio-system
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/oidc-secret.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/oidc-secret.yaml
new file mode 100644
index 0000000000..1054a47556
--- /dev/null
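Review bot: The `secretGenerator` in this overlay has no `generatorOptions`, so kustomize will, as far as I can tell, append a content hash to `istio-oidc-secret`. Meanwhile `params.env` passes the literal `oidcSecretName=istio-oidc-secret` into the `auth-idp-oidc` annotation string, where name references are not rewritten, so the ALB controller would look for a Secret that does not exist. Add `generatorOptions:` with `disableNameSuffixHash: true` to this file, as the base and the `secure` overlay do. `secrets.env` is a tracked file that has to be filled with the client secret, so the overlay should document that the populated file must never be committed.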
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/oidc-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: istio-oidc-secret
+ namespace: istio-system
+data:
+ clientId: $(oidc_client_id)
+ clientSecret: $(oidc_client_secret)
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.env
new file mode 100644
index 0000000000..c9412669f9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.env
@@ -0,0 +1,6 @@
+oidcIssuer=
+oidcAuthorizationEndpoint=
+oidcTokenEndpoint=
+oidcUserInfoEndpoint=
+oidcSecretName=istio-oidc-secret
+certArn=
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.yaml
new file mode 100644
index 0000000000..326339f280
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/annotations
+ kind: Ingress
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/secrets.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/secrets.env
new file mode 100644
index 0000000000..cd9369a917
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/oidc/secrets.env
@@ -0,0 +1,2 @@
+clientId=
+clientSecret=
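Review bot: In `oidc-secret.yaml`, `clientId` and `clientSecret` sit under `data:`, which must hold base64-encoded values, and `$(oidc_client_id)` / `$(oidc_client_secret)` are not declared as `vars` in the overlay's kustomization, where this file is commented out of `patchesStrategicMerge`. As written, the manifest would either be rejected or store the literal placeholder text if someone applied it. The `secretGenerator` already produces `istio-oidc-secret`, so I would delete this file; if it stays, use `stringData:` and add a header comment marking it as a template that is not applied.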
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/ingress.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/ingress.yaml
new file mode 100755
index 0000000000..705a545eca
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/ingress.yaml
@@ -0,0 +1,9 @@
+apiVersion: extensions/v1beta1 # networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: istio-ingress
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn: $(certArn)
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
+ alb.ingress.kubernetes.io/inbound-cidrs: $(inboundCidrs)
+ external-dns.alpha.kubernetes.io/hostname: $(hostname)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/kustomization.yaml
new file mode 100755
index 0000000000..4207581eb1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/kustomization.yaml
@@ -0,0 +1,35 @@
+bases:
+- ../../base
+patchesStrategicMerge:
+- ingress.yaml
+configMapGenerator:
+- name: istio-ingress-parameters
+ behavior: merge
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: certArn
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.certArn
+- name: hostname
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.hostname
+- name: inboundCidrs
+ objref:
+ kind: ConfigMap
+ name: istio-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.inboundCidrs
+namespace: istio-system
+configurations:
+- params.yaml
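Review bot: In secure/ingress.yaml the `alb.ingress.kubernetes.io/inbound-cidrs: $(inboundCidrs)` annotation takes its value from the secure overlay's params.env, which this commit adds with `inboundCidrs=` left empty, so the overlay named "secure" restricts nothing until an operator fills that key in. The hunk does not show how the ALB ingress controller treats an empty value; its documented default when the annotation is absent is `0.0.0.0/0`, so verify that an unset key does not quietly produce an internet-wide listener. I would document next to the overlay that `inboundCidrs`, `certArn` and `hostname` are required, and have the deploy step fail when any is empty. The same manifest uses `extensions/v1beta1`, with the replacement group only in a trailing comment; check that against the target cluster version.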
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.env
new file mode 100755
index 0000000000..e722256ad3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.env
@@ -0,0 +1,3 @@
+certArn=
+hostname=
+inboundCidrs=
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.yaml
new file mode 100755
index 0000000000..326339f280
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/istio-ingress/overlays/secure/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/annotations
+ kind: Ingress
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/daemonset.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/daemonset.yaml
new file mode 100644
index 0000000000..59b2afeac3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/daemonset.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: nvidia-device-plugin-daemonset
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
+ # reserves resources for critical add-on pods so that they can be rescheduled after
+ # a failure. This annotation works in tandem with the toleration below.
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ tolerations:
+ # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
+ # This, along with the annotation above marks this pod as a critical add-on.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: nvidia.com/gpu
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - image: nvidia/k8s-device-plugin:1.0.0-beta4
+ name: nvidia-device-plugin-ctr
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ volumeMounts:
+ - name: device-plugin
+ mountPath: /var/lib/kubelet/device-plugins
+ volumes:
+ - name: device-plugin
+ hostPath:
+ path: /var/lib/kubelet/device-plugins
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/kustomization.yaml
new file mode 100644
index 0000000000..6d018e293e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+- daemonset.yaml
+commonLabels:
+ kustomize.component: nvidia-device-plugin
+images:
+- name: nvidia/k8s-device-plugin
+ newName: nvidia/k8s-device-plugin
+ newTag: 1.0.0-beta4
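Review bot: The device-plugin image is referenced only by a mutable tag, `nvidia/k8s-device-plugin:1.0.0-beta4` in daemonset.yaml and `newTag: 1.0.0-beta4` in the base kustomization.yaml, while the pod gets a writable hostPath mount of `/var/lib/kubelet/device-plugins` in `kube-system`. Whatever that tag resolves to at pull time runs next to the kubelet's plugin directory, so I would pin it in the kustomization `images:` entry with `digest: sha256:<digest of the reviewed image>` in place of `newTag`. The dropped capabilities and `allowPrivilegeEscalation: false` are good to keep. Separately, the `scheduler.alpha.kubernetes.io/critical-pod` annotation is the deprecated way to mark critical pods; on current Kubernetes the equivalent is `priorityClassName: system-node-critical` in the pod spec, so check it against the target cluster version.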
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/application.yaml
new file mode 100644
index 0000000000..b261aa4fbf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/application.yaml
@@ -0,0 +1,37 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: aws-nvidia-device-plugin
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: aws-nvidia-device-plugin
+ app.kubernetes.io/instance: nvidia-device-plugin-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: aws-nvidia-device-plugin
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: DaemonSet
+ descriptor:
+ type: nvidia-device-plugin
+ version: v1.0.0-beta
+ description: Nvidia Device Plugin for GPU nodes
+ maintainers:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ owners:
+ - name: Jiaxin Shan
+ email: shjiaxin@amazon.com
+ keywords:
+ - aws
+ - nvidia
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubernetes/kops/tree/master/hooks/nvidia-device-plugin
+ addOwnerRef: true
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..9a21f7d6d2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/aws/nvidia-device-plugin/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: aws-nvidia-device-plugin
+ app.kubernetes.io/name: aws-nvidia-device-plugin
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/OWNERS
new file mode 100644
index 0000000000..81fd2fecb1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+ - kkasravi
+ - krishnadurai
+ - yanniszark
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/crd.yaml
new file mode 100644
index 0000000000..1947aa8952
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/crd.yaml
@@ -0,0 +1,5308 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: challenges.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME + server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. 
+ example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. 
+ enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting RFC2136. + Required. Note: FQDN is not a valid value, only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ""tsigSecretSecretRef"" and ""tsigKeyName"" + are defined. Supported values are (case-insensitive): + ""HMACMD5"" (default), ""HMACSHA1"", ""HMACSHA256"" or + ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If + ""tsigSecretSecretRef"" is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ""tsigKeyName"" is defined, this field is required. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + resources. 
+ properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. 
+ type: string + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. If labels or annotations overlap + with in-built values, the values here will override + the in-built values. + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. 
+ items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. 
If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. 
If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. 
for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. 
+ A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. 
+ properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + just a regular string. 
+ type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. 
+ type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - dnsName + - issuerRef + - key + - token + - type + - url + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. 
+ enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. 
+ properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. http-01, dns-01 + type: string + url: + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. 
This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. 
+ name: Age + type: date + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertificateRequest is a type to represent a Certificate Signing + Request + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateRequestSpec defines the desired state of CertificateRequest + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + format: byte + type: string + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. 
The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + type: object + status: + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + format: byte + type: string + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + format: byte + type: string + conditions: + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. 
+ type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. 
+ name: Age + type: date + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Certificate is a type to represent a Certificate from ACME + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN + to be valid. + properties: + commonName: + description: CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. 
This + implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will be + used by default. + enum: + - pkcs1 + - pkcs8 + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". 
+ type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + items: + type: string + type: array + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + items: + description: CertificateCondition contains condition information for + an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. 
+ properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. 
+ enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. 
+ properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. 
+ type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. 
+ items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. 
+ If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. 
+ If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. 
+ properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. 
+ properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. 
+ type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. 
+ type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. 
+ Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. 
Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. 
+ If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. 
Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. 
The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. 
This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. 
+ type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. 
This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. 
+ items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. 
+ Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. 
+ type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/kustomization.yaml new file mode 100644 index 0000000000..6e120e7b63 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-crds/base/kustomization.yaml 
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- crd.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/kustomization.yaml
new file mode 100644
index 0000000000..29e2ec3b49
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/kustomization.yaml
@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+- role-binding.yaml
+- role.yaml
+commonLabels:
+ kustomize.component: cert-manager
+configMapGenerator:
+- name: cert-manager-kube-params-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: certManagerNamespace
+ objref:
+ kind: ConfigMap
+ name: cert-manager-kube-params-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.certManagerNamespace
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.env
new file mode 100644
index 0000000000..29adda1287
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.env
@@ -0,0 +1 @@
+certManagerNamespace=cert-manager
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.yaml
new file mode 100644
index 0000000000..52278c2a20
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: subjects/namespace
+ kind: RoleBinding
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role-binding.yaml
new file mode 100644
index 0000000000..8cdb6d4669
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role-binding.yaml
@@ -0,0 +1,58 @@
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: cert-manager-cainjector:leaderelection
+ labels:
+ app: cainjector
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager-cainjector:leaderelection
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-cainjector
+ namespace: $(certManagerNamespace)
+
+---
+
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: cert-manager:leaderelection
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager:leaderelection
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager
+ namespace: $(certManagerNamespace)
+
+---
+
+# apiserver gets the ability to read authentication. This allows it to
+# read the specific configmap that has the requestheader-* entries to
+# api agg
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: cert-manager-webhook:webhook-authentication-reader
+ labels:
+ app: webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+ namespace: $(certManagerNamespace)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role.yaml
new file mode 100644
index 0000000000..2d26c9f8e6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager-kube-system-resources/base/role.yaml
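Review bot: All three RoleBindings are declared with `apiVersion: rbac.authorization.k8s.io/v1beta1`, a deprecated RBAC API version that Kubernetes stops serving from 1.22, so these manifests will be rejected on a later cluster upgrade. The stable group has the same schema for these objects, so each document can use `apiVersion: rbac.authorization.k8s.io/v1` with no other change. The same applies to the Role, ClusterRoleBinding and ClusterRole documents added in role.yaml, cluster-role-binding.yaml and cluster-role.yaml.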
@@ -0,0 +1,28 @@
+# leader election rules
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: cert-manager-cainjector:leaderelection
+ labels:
+ app: cainjector
+rules:
+ # Used for leader election by the controller
+ # TODO: refine the permission to *just* the leader election configmap
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "create", "update", "patch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: cert-manager:leaderelection
+ labels:
+ app: cert-manager
+rules:
+ # Used for leader election by the controller
+ # TODO: refine the permission to *just* the leader election configmap
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "create", "update", "patch"]
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/api-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/api-service.yaml
new file mode 100644
index 0000000000..c31c83e77e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/api-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.webhook.cert-manager.io
+ labels:
+ app: webhook
+ annotations:
+ cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
+spec:
+ group: webhook.cert-manager.io
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: cert-manager-webhook
+ namespace: $(namespace)
+ version: v1beta1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..d2b850fd29
--- /dev/null
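Review bot: Both Roles grant `get`, `create`, `update` and `patch` on every ConfigMap in the namespace they are installed into, and the kustomization for this base sets that namespace to `kube-system`. The cert-manager and cainjector service accounts can therefore rewrite any ConfigMap there rather than only their leader-election lock, which the in-file TODO already acknowledges. Splitting each rule closes the gap: keep a rule with `verbs: ["create"]` unrestricted, since RBAC cannot restrict create by object name, and move `get`, `update` and `patch` to a second rule carrying `resourceNames: ["<leader-election-configmap-name>"]`. The placeholder stands for the lock name used by the deployed cert-manager version, which is not visible in this hunk.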
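Review bot: The `cert-manager.io/inject-ca-from-secret` annotation hard-codes the `cert-manager` namespace while `spec.service.namespace` is templated as `$(namespace)`, so the two diverge as soon as this base is installed under another namespace. In that case cainjector would presumably look for the webhook serving secret in the wrong namespace, leaving the APIService without a usable CA bundle, or trusting whatever secret of that name exists in a namespace called `cert-manager`. Writing the value as `"$(namespace)/cert-manager-webhook-tls"` keeps the two in step, provided the base's var configuration (not visible in this hunk) also lists the APIService annotation path.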
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role-binding.yaml 
@@ -0,0 +1,135 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-issuers
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-issuers
+subjects:
+- name: cert-manager
+ namespace: $(namespace)
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-clusterissuers
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-clusterissuers
+subjects:
+- name: cert-manager
+ namespace: $(namespace)
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-certificates
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-certificates
+subjects:
+- name: cert-manager
+ namespace: $(namespace)
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-orders
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-orders
+subjects:
+- name: cert-manager
+ namespace: $(namespace)
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-challenges
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-challenges
+subjects:
+- name: cert-manager
+ namespace: $(namespace)
+ kind: ServiceAccount
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-ingress-shim
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-ingress-shim
+subjects:
+- name: cert-manager
+ namespace: $(namespace)
+ kind: ServiceAccount
+
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-webhook:auth-delegator
+ labels:
+ app: webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-cainjector
+ labels:
+ app: cainjector
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-cainjector
+subjects:
+- name: cert-manager-cainjector
+ namespace: $(namespace)
+ kind: ServiceAccount
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role.yaml
new file mode 100644
index 0000000000..0f9f24dcfb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/cluster-role.yaml
@@ -0,0 +1,265 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-cainjector
+ labels:
+ app: cainjector
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "create", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch", "update"]
+
+---
+
+# Issuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-issuers
+ labels:
+ app: cert-manager
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers", "issuers/status"]
+ verbs: ["update"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# ClusterIssuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-clusterissuers
+ labels:
+ app: cert-manager
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers", "clusterissuers/status"]
+ verbs: ["update"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# Certificates controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-certificates
+ labels:
+ app: cert-manager
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+ verbs: ["update"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders"]
+ verbs: ["create", "delete", "get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# Orders controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-orders
+ labels:
+ app: cert-manager
+rules:
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders", "orders/status"]
+ verbs: ["update"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders", "challenges"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers", "issuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges"]
+ verbs: ["create", "delete"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+# Challenges controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-challenges
+ labels:
+ app: cert-manager
+rules:
+ # Use to update challenge resource status
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges", "challenges/status"]
+ verbs: ["update"]
+ # Used to watch challenge resources
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges"]
+ verbs: ["get", "list", "watch"]
+ # Used to watch challenges, issuer and clusterissuer resources
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ # Need to be able to retrieve ACME account private key to complete challenges
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ # Used to create events
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ # HTTP01 rules
+ - apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["extensions", "networking.k8s.io/v1"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges/finalizers"]
+ verbs: ["update"]
+ # DNS01 rules (duplicated above)
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+
+---
+
+# ingress-shim controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-ingress-shim
+ labels:
+ app: cert-manager
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests"]
+ verbs: ["create", "update", "delete"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io/v1"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["networking.k8s.io/v1"]
+ resources: ["ingresses/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-webhook:webhook-requester
+ labels:
+ app: webhook
+rules:
+- apiGroups:
+ - admission.cert-manager.io
+ resources:
+ - certificates
+ - certificaterequests
+ - issuers
+ - clusterissuers
+ verbs:
+ - create
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-view
+ labels:
+ app: cert-manager
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["get", "list", "watch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-edit
+ labels:
+ app: cert-manager
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/deployment.yaml
new file mode 100644
index 0000000000..b0debd7d13
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/deployment.yaml
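Review bot: The ingress rules in `cert-manager-controller-challenges` and `cert-manager-controller-ingress-shim` put a group/version string, `networking.k8s.io/v1`, into `apiGroups`, which RBAC compares against the bare group name, so these entries grant nothing on `networking.k8s.io` Ingresses. The challenges role still matches through `extensions`, but ingress-shim lists only the malformed value for both `ingresses` and `ingresses/finalizers`, so that controller presumably cannot watch Ingresses at all. Use `apiGroups: ["extensions", "networking.k8s.io"]` in all three rules. Separately, most roles in this file use `rbac.authorization.k8s.io/v1beta1` while the last three use `v1`; moving them all to `v1` keeps the file consistent and avoids the beta API that newer clusters no longer serve.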
@@ -0,0 +1,124 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-cainjector
+ labels:
+ app: cainjector
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cainjector
+ template:
+ metadata:
+ labels:
+ app: cainjector
+ annotations:
+ spec:
+ serviceAccountName: cert-manager-cainjector
+ containers:
+ - name: cainjector
+ image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --leader-election-namespace=kube-system
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {}
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager
+ labels:
+ app: cert-manager
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cert-manager
+ template:
+ metadata:
+ labels:
+ app: cert-manager
+ annotations:
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
+ spec:
+ serviceAccountName: cert-manager
+ containers:
+ - name: cert-manager
+ image: "quay.io/jetstack/cert-manager-controller:v0.11.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=kube-system
+ - --webhook-namespace=$(POD_NAMESPACE)
+ - --webhook-ca-secret=cert-manager-webhook-ca
+ - --webhook-serving-secret=cert-manager-webhook-tls
+ - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.$(namespace),cert-manager-webhook.$(namespace).svc
+ ports:
+ - containerPort: 9402
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: webhook
+ template:
+ metadata:
+ labels:
+ app: webhook
+ annotations:
+ spec:
+ serviceAccountName: cert-manager-webhook
+ containers:
+ - name: cert-manager
+ image: "quay.io/jetstack/cert-manager-webhook:v0.11.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --secure-port=6443
+ - --tls-cert-file=/certs/tls.crt
+ - --tls-private-key-file=/certs/tls.key
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {}
+
+ volumeMounts:
+ - name: certs
+ mountPath: /certs
+ volumes:
+ - name: certs
+ secret:
+ secretName: cert-manager-webhook-tls
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/kustomization.yaml
new file mode 100644
index 0000000000..ea709c910f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/kustomization.yaml
@@ -0,0 +1,40 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+- namespace.yaml
+- api-service.yaml
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- deployment.yaml
+- mutating-webhook-configuration.yaml
+- service-account.yaml
+- service.yaml
+- validating-webhook-configuration.yaml
+commonLabels:
+ kustomize.component: cert-manager
+images:
+- name: quay.io/jetstack/cert-manager-controller
+ newName: quay.io/jetstack/cert-manager-controller
+ newTag: v0.11.0
+- name: quay.io/jetstack/cert-manager-webhook
+ newName: quay.io/jetstack/cert-manager-webhook
+ newTag: v0.11.0
+- name: quay.io/jetstack/cert-manager-cainjector
+ newName: quay.io/jetstack/cert-manager-cainjector
+ newTag: v0.11.0
+configMapGenerator:
+- name: cert-manager-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: namespace
+ objref:
+ kind: ConfigMap
+ name: cert-manager-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.namespace
+configurations:
+- params.yaml
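Review bot: None of the three containers in deployment.yaml (`cainjector`, `cert-manager`, and the webhook container, which is also named `cert-manager`) sets a `securityContext`, so each runs with whatever user and privileges the image and cluster defaults give it. The controller and cainjector ServiceAccounts hold cluster-wide access to Secrets through the ClusterRoles added in this commit, so I would restrict the containers as sketched below, after confirming the v0.11.0 images start as a non-root user. `cainjector` and the webhook also leave `resources: {}` with no requests or limits, and the bare `annotations:` keys on their pod templates parse as null and can be dropped.

```yaml
      containers:
      - name: cainjector
        # … unchanged: image, imagePullPolicy, args, env, resources …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
      # … same securityContext on the cert-manager and webhook containers …
```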
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/mutating-webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/mutating-webhook-configuration.yaml
new file mode 100644
index 0000000000..8c73c1c090
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/mutating-webhook-configuration.yaml
@@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+ annotations:
+ cert-manager.io/inject-apiserver-ca: "true"
+webhooks:
+ - name: webhook.cert-manager.io
+ rules:
+ - apiGroups:
+ - "cert-manager.io"
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - certificates
+ - issuers
+ - clusterissuers
+ - orders
+ - challenges
+ - certificaterequests
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/webhook.cert-manager.io/v1beta1/mutations
+ caBundle: ""
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/namespace.yaml
new file mode 100644
index 0000000000..4a7da48228
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: $(namespace)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.env
new file mode 100644
index 0000000000..b29ab79f46
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.env
@@ -0,0 +1 @@
+namespace=cert-manager
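Review bot: The single rule in mutating-webhook-configuration.yaml lists `orders` and `challenges` under `apiGroups: ["cert-manager.io"]`, but elsewhere in this commit those resources belong to `acme.cert-manager.io` (see the ClusterRole rules and the CRD file names), so the webhook is never called for them. If admission of ACME resources is intended, add `- "acme.cert-manager.io"` to `apiGroups`; otherwise remove the two entries so the rule states what it actually covers. The mutating configuration also omits `sideEffects`, which the validating configuration in this commit sets to `None`, and the validating webhook is named `webhook.certmanager.k8s.io` while this one is `webhook.cert-manager.io`, which looks like a leftover from the old group name.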
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.yaml
new file mode 100644
index 0000000000..6a761d98dd
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/params.yaml
@@ -0,0 +1,9 @@
+varReference:
+- path: subjects/namespace
+ kind: ClusterRoleBinding
+- path: spec/template/spec/containers/args
+ kind: Deployment
+- path: metadata/name
+ kind: Namespace
+- path: spec/service/namespace
+ kind: APIService
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service-account.yaml
new file mode 100644
index 0000000000..57e21b6a1b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service-account.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-cainjector
+ labels:
+ app: cainjector
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager
+ labels:
+ app: cert-manager
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service.yaml
new file mode 100644
index 0000000000..2334a8fd8f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/service.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cert-manager
+ labels:
+ app: cert-manager
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: TCP
+ port: 9402
+ targetPort: 9402
+ selector:
+ app: cert-manager
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+spec:
+ type: ClusterIP
+ ports:
+ - name: https
+ port: 443
+ targetPort: 6443
+ selector:
+ app: webhook
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/validating-webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/validating-webhook-configuration.yaml
new file mode 100644
index 0000000000..ddd48cd77c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/base/validating-webhook-configuration.yaml
@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+ annotations:
+ cert-manager.io/inject-apiserver-ca: "true"
+webhooks:
+ - name: webhook.certmanager.k8s.io
+ rules:
+ - apiGroups:
+ - "cert-manager.io"
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - certificates
+ - issuers
+ - clusterissuers
+ - certificaterequests
+ failurePolicy: Fail
+ sideEffects: None
+ clientConfig:
+ service:
+ name: kubernetes
+ namespace: default
+ path: /apis/webhook.cert-manager.io/v1beta1/validations
+ caBundle: ""
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/kubeflow-issuer/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/kubeflow-issuer/kustomization.yaml
new file mode 100644
index 0000000000..9b54ba9482
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/kubeflow-issuer/kustomization.yaml
@@ -0,0 +1,6 @@
+# Define the self-signed issuer for Kubeflow
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+- ../overlays/self-signed/cluster-issuer.yaml
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/application.yaml
new file mode 100644
index 0000000000..6c91879f10
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/application.yaml
@@ -0,0 +1,34 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: cert-manager
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: cert-manager
+ app.kubernetes.io/part-of: kubeflow
+ componentKinds:
+ - group: rbac
+ kind: ClusterRole
+ - group: rbac
+ kind: ClusterRoleBinding
+ - group: core
+ kind: Namespace
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ descriptor:
+ type: ""
+ version: "v0.10.0"
+ description: "Automatically provision and manage TLS certificates in Kubernetes https://jetstack.io."
+ keywords:
+ - cert-manager
+ links:
+ - description: About
+ url: "https://github.com/jetstack/cert-manager"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..8e83d18946
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: cert-manager
+ app.kubernetes.io/name: cert-manager
+configurations:
+- params.yaml
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/params.yaml
new file mode 100644
index 0000000000..af6f60a16c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/application/params.yaml
@@ -0,0 +1,11 @@
+varReference:
+- path: metadata/name
+ kind: Application
+- path: spec/selector/matchLabels/app.kubernetes.io\/instance
+ kind: Application
+- path: spec/template/metadata/labels/app.kubernetes.io\/instance
+ kind: Deployment
+- path: spec/selector/matchLabels/app.kubernetes.io\/instance
+ kind: Deployment
+- path: spec/selector/app.kubernetes.io\/instance
+ kind: Service
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/cluster-issuer.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/cluster-issuer.yaml
new file mode 100644
index 0000000000..2b985722c2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/cluster-issuer.yaml
@@ -0,0 +1,11 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ email: $(acmeEmail)
+ http01: {}
+ privateKeySecretRef:
+ name: letsencrypt-prod-secret
+ server: $(acmeUrl)
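Review bot: In the letsencrypt cluster-issuer.yaml, `email: $(acmeEmail)` is filled from this overlay's `params.env`, which ships `acmeEmail=` empty while `acmeUrl` points at the Let's Encrypt production directory, so applying the overlay unchanged registers an ACME account with no contact address and nobody receives expiry notices. Quote the substitution, `email: "$(acmeEmail)"`, so an empty value stays a string rather than becoming null, and add a comment in `params.env` that the address must be set before deploying. Also confirm that `http01: {}` directly under `acme` is still accepted by `cert-manager.io/v1alpha2`; I believe v0.11 expects challenge configuration under `spec.acme.solvers`.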
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/kustomization.yaml
new file mode 100644
index 0000000000..30106ca4d9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/kustomization.yaml
@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+namespace: cert-manager
+resources:
+- cluster-issuer.yaml
+commonLabels:
+ kustomize.component: cert-manager
+configMapGenerator:
+- name: cert-manager-parameters
+ behavior: merge
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: acmeEmail
+ objref:
+ kind: ConfigMap
+ name: cert-manager-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.acmeEmail
+- name: acmeUrl
+ objref:
+ kind: ConfigMap
+ name: cert-manager-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.acmeUrl
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.env
new file mode 100644
index 0000000000..6307dcdb10
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.env
@@ -0,0 +1,2 @@
+acmeEmail=
+acmeUrl=https://acme-v02.api.letsencrypt.org/directory
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.yaml
new file mode 100644
index 0000000000..e671a3eddf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/letsencrypt/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/acme/email
+ kind: ClusterIssuer
+- path: spec/acme/server
+ kind: ClusterIssuer
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/cluster-issuer.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/cluster-issuer.yaml
new file mode 100644
index 0000000000..eaf9703000
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/cluster-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+ name: kubeflow-self-signing-issuer
+spec:
+ selfSigned: {}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/kustomization.yaml
new file mode 100644
index 0000000000..578111cd21
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/overlays/self-signed/kustomization.yaml
@@ -0,0 +1,11 @@
+# TODO(https://github.com/kubeflow/manifests/issues/1052) clean up
+# the manifests after the refactor is done. We should move
+# cluster-issuer into the kubeflow-issuer package.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- cluster-issuer.yaml
+commonLabels:
+ kustomize.component: cert-manager
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/v3/kustomization.yaml
new file mode 100644
index 0000000000..977f3a3e21
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/cert-manager/cert-manager/v3/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: cert-manager
+ app.kubernetes.io/name: cert-manager
+kind: Kustomization
+namespace: cert-manager
+resources:
+- ../overlays/application/application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-deployment.yaml
new file mode 100644
index 0000000000..d422f365f7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-deployment.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: basic-auth
+spec:
+ selector:
+ matchLabels:
+ app: basic-auth
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: basic-auth
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: app
+ args:
+ - --username=$(USERNAME)
+ - --pwhash=$(PASSWORDHASH)
+ command:
+ - /opt/kubeflow/gatekeeper
+ env:
+ - name: USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: $(authSecretName)
+ - name: PASSWORDHASH
+ valueFrom:
+ secretKeyRef:
+ key: passwordhash
+ name: $(authSecretName)
+ image: gcr.io/kubeflow-images-public/gatekeeper:v0.5.0
+ ports:
+ - containerPort: 8085
+ workingDir: /opt/kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-service.yaml
new file mode 100644
index 0000000000..acd600a325
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/gatekeeper-service.yaml
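Review bot: The gatekeeper container in gatekeeper-deployment.yaml receives both credentials on its command line, `--username=$(USERNAME)` and `--pwhash=$(PASSWORDHASH)`, so once the kubelet expands them the password hash sits in the process arguments, where it is readable by anything that can list processes in the pod or on the node. If the gatekeeper binary can read these values from the environment or from a mounted file, drop the two `args` entries and mount the `$(authSecretName)` Secret as a read-only volume instead; this hunk does not show which inputs the binary supports. The pod also opts out of the Istio sidecar with `sidecar.istio.io/inject: "false"` and sets no `securityContext`, so traffic to port 8085 is outside mesh mTLS and the container runs with image defaults; each choice deserves a comment saying why.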
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ getambassador.io/config: |-
+ ---
+ apiVersion: ambassador/v0
+ kind: AuthService
+ name: basic-auth
+ auth_service: basic-auth.$(service-namespace):8085
+ allowed_headers:
+ - "x-from-login"
+ labels:
+ app: basic-auth
+ name: basic-auth
+spec:
+ ports:
+ - port: 8085
+ targetPort: 8085
+ selector:
+ app: basic-auth
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-deployment.yaml
new file mode 100644
index 0000000000..f547259b68
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: basic-auth-login
+spec:
+ selector:
+ matchLabels:
+ app: basic-auth-login
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: basic-auth-login
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: app
+ image: gcr.io/kubeflow-images-public/kflogin-ui:v0.5.0
+ ports:
+ - containerPort: 5000
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-service.yaml
new file mode 100644
index 0000000000..cf59ffae4d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kflogin-service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ getambassador.io/config: |-
+ ---
+ apiVersion: ambassador/v0
+ kind: Mapping
+ name: kflogin-mapping
+ prefix: /kflogin
+ rewrite: /kflogin
+ timeout_ms: 300000
+ service: basic-auth-login.$(service-namespace)
+ use_websocket: true
+ labels:
+ app: basic-auth-login
+ name: basic-auth-login
+spec:
+ ports:
+ - port: 80
+ targetPort: 5000
+ selector:
+ app: basic-auth-login
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kustomization.yaml
new file mode 100644
index 0000000000..5af5ac4690
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/kustomization.yaml
@@ -0,0 +1,46 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kflogin-deployment.yaml
+- gatekeeper-deployment.yaml
+- gatekeeper-service.yaml
+- kflogin-service.yaml
+commonLabels:
+ kustomize.component: basic-auth
+namespace: kubeflow
+images:
+- name: gcr.io/kubeflow-images-public/kflogin-ui
+ newName: gcr.io/kubeflow-images-public/kflogin-ui
+ newTag: v0.5.0
+- name: gcr.io/kubeflow-images-public/gatekeeper
+ newName: gcr.io/kubeflow-images-public/gatekeeper
+ newTag: v0.5.0
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+- name: basic-auth-parameters
+ env: params.env
+vars:
+- name: service-namespace
+ objref:
+ kind: Service
+ name: basic-auth-login
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.namespace
+- name: authSecretName
+ objref:
+ kind: ConfigMap
+ name: basic-auth-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.authSecretName
+- name: clusterDomain
+ objref:
+ kind: ConfigMap
+ name: basic-auth-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.clusterDomain
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.env
new file mode 100644
index 0000000000..a01fe6f0c5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.env
@@ -0,0 +1,2 @@
+authSecretName=kubeflow-login
+clusterDomain=cluster.local
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.yaml
new file mode 100644
index 0000000000..d6729bedaf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: metadata/annotations/getambassador.io\/config
+ kind: Service
+- path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+ kind: Deployment
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kflogin-virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kflogin-virtual-service.yaml
new file mode 100644
index 0000000000..392ac791e1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kflogin-virtual-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: basic-auth-login
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /kflogin
+ rewrite:
+ uri: /kflogin
+ route:
+ - destination:
+ host: basic-auth-login.$(service-namespace).svc.$(clusterDomain)
+ port:
+ number: 8085
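Review bot: The route destination in `kflogin-virtual-service.yaml` sends `/kflogin` to `basic-auth-login` on port `8085`, but the `basic-auth-login` Service in `kflogin-service.yaml` exposes only port `80` (targetPort `5000`); `8085` is the port of the separate `basic-auth` gatekeeper Service. Unless another overlay changes the Service, the login page would not be reachable through the Istio gateway, which matters for a path that fronts authentication. The destination should read `number: 80`. The `hosts: '*'` match also applies the route to every hostname bound to `kubeflow-gateway`, so it is worth confirming that is intended for this cluster.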
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kustomization.yaml
new file mode 100644
index 0000000000..47457d0154
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- kflogin-virtual-service.yaml
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/params.yaml
new file mode 100644
index 0000000000..eea869e0d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/basic-auth/overlays/istio/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+ kind: VirtualService
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole-binding.yaml
new file mode 100644
index 0000000000..07224e8dcb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: centraldashboard
+ name: centraldashboard
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: centraldashboard
+subjects:
+- kind: ServiceAccount
+ name: centraldashboard
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole.yaml
new file mode 100644
index 0000000000..aa251d2902
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/clusterrole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: centraldashboard
+ name: centraldashboard
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ - namespaces
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment.yaml
new file mode 100644
index 0000000000..78d768f926
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: centraldashboard
+ name: centraldashboard
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: centraldashboard
+ template:
+ metadata:
+ labels:
+ app: centraldashboard
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - image: gcr.io/kubeflow-images-public/centraldashboard
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8082
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ name: centraldashboard
+ ports:
+ - containerPort: 8082
+ protocol: TCP
+ serviceAccountName: centraldashboard
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment_patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment_patch.yaml
new file mode 100644
index 0000000000..591c63418f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/deployment_patch.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: centraldashboard
+spec:
+ template:
+ spec:
+ containers:
+ - name: centraldashboard
+ env:
+ - name: USERID_HEADER
+ value: $(userid-header)
+ - name: USERID_PREFIX
+ value: $(userid-prefix)
+ - name: PROFILES_KFAM_SERVICE_HOST
+ value: profiles-kfam.kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/kustomization.yaml
new file mode 100644
index 0000000000..2a33c6728d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/kustomization.yaml
@@ -0,0 +1,57 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- clusterrole-binding.yaml
+- clusterrole.yaml
+- deployment.yaml
+- role-binding.yaml
+- role.yaml
+- service-account.yaml
+- service.yaml
+patchesStrategicMerge:
+- deployment_patch.yaml
+namespace: kubeflow
+commonLabels:
+ kustomize.component: centraldashboard
+images:
+- name: gcr.io/kubeflow-images-public/centraldashboard
+ newName: gcr.io/kubeflow-images-public/centraldashboard
+ newTag: vmaster-gf39279c0
+configMapGenerator:
+- envs:
+ - params.env
+ name: parameters
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- fieldref:
+ fieldPath: metadata.namespace
+ name: namespace
+ objref:
+ apiVersion: v1
+ kind: Service
+ name: centraldashboard
+- fieldref:
+ fieldPath: data.clusterDomain
+ name: clusterDomain
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+- fieldref:
+ fieldPath: data.userid-header
+ name: userid-header
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+- fieldref:
+ fieldPath: data.userid-prefix
+ name: userid-prefix
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.env
new file mode 100644
index 0000000000..069b7010c5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.env
@@ -0,0 +1,3 @@
+clusterDomain=cluster.local
+userid-header=
+userid-prefix=
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.yaml
new file mode 100644
index 0000000000..29daaa876f
--- /dev/null
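Review bot: `namespace: kubeflow` appears twice at the top level of `centraldashboard/base/kustomization.yaml`, once after `kind:` and again after `patchesStrategicMerge:`. Duplicate mapping keys are invalid YAML; lenient parsers silently keep the last value and strict ones reject the file, so the two entries can drift apart unnoticed if only one is edited later. Remove the second `namespace: kubeflow` line. Separately, `newTag: vmaster-gf39279c0` looks like a build from the master branch rather than a release; pinning the image with the `digest:` field of the `images` entry would make the deployed artifact verifiable.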
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/params.yaml
@@ -0,0 +1,9 @@
+varReference:
+- path: metadata/annotations/getambassador.io\/config
+ kind: Service
+- path: spec/http/route/destination/host
+ kind: VirtualService
+- path: spec/template/spec/containers/0/env/0/value
+ kind: Deployment
+- path: spec/template/spec/containers/0/env/1/value
+ kind: Deployment
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role-binding.yaml
new file mode 100644
index 0000000000..87ab83eaab
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app: centraldashboard
+ name: centraldashboard
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: centraldashboard
+subjects:
+- kind: ServiceAccount
+ name: centraldashboard
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role.yaml
new file mode 100644
index 0000000000..11ffd36f50
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/role.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app: centraldashboard
+ name: centraldashboard
+rules:
+- apiGroups:
+ - ""
+ - "app.k8s.io"
+ resources:
+ - applications
+ - pods
+ - pods/exec
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
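Review bot: The second rule in `centraldashboard/base/role.yaml` grants `get` on every `secrets` object in the namespace to the dashboard's ServiceAccount, and the first rule includes `pods/exec`. A UI-facing workload that can read any Secret in `kubeflow` (the namespace where the basic-auth manifests in this patch reference the login Secret) turns a dashboard compromise into credential disclosure. If the dashboard needs one specific Secret, scope the rule with `resourceNames: [<secret-name>]`; otherwise drop the rule. `get` on `pods/exec` deserves the same scrutiny, since an exec request made over a websocket is authorized as a GET; remove it unless the dashboard is known to need it.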
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service-account.yaml
new file mode 100644
index 0000000000..b5a417a6b1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: centraldashboard
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service.yaml
new file mode 100644
index 0000000000..363af0c7f6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base/service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ getambassador.io/config: |-
+ ---
+ apiVersion: ambassador/v0
+ kind: Mapping
+ name: centralui-mapping
+ prefix: /
+ rewrite: /
+ service: centraldashboard.$(namespace)
+ labels:
+ app: centraldashboard
+ name: centraldashboard
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 8082
+ selector:
+ app: centraldashboard
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base_v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base_v3/kustomization.yaml
new file mode 100644
index 0000000000..72fffb4508
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/base_v3/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../base/clusterrole-binding.yaml
+- ../base/clusterrole.yaml
+- ../base/deployment.yaml
+- ../base/role-binding.yaml
+- ../base/role.yaml
+- ../base/service-account.yaml
+- ../base/service.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/application.yaml
new file mode 100644
index 0000000000..84d95deed6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/application.yaml
@@ -0,0 +1,54 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: centraldashboard
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: centraldashboard
+ app.kubernetes.io/instance: centraldashboard-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ - group: rbac.authorization.k8s.io
+ kind: RoleBinding
+ - group: rbac.authorization.k8s.io
+ kind: Role
+ - group: core
+ kind: ServiceAccount
+ - group: core
+ kind: Service
+ - group: networking.istio.io
+ kind: VirtualService
+ descriptor:
+ type: centraldashboard
+ version: v1beta1
+ description: Provides a Dashboard UI for kubeflow
+ maintainers:
+ - name: Jason Prodonovich
+ email: prodonjs@gmail.com
+ - name: Apoorv Verma
+ email: apverma@google.com
+ - name: Adhita Selvaraj
+ email: adhita94@gmail.com
+ owners:
+ - name: Jason Prodonovich
+ email: prodonjs@gmail.com
+ - name: Apoorv Verma
+ email: apverma@google.com
+ - name: Adhita Selvaraj
+ email: adhita94@gmail.com
+ keywords:
+ - centraldashboard
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubeflow/kubeflow/tree/master/components/centraldashboard
+ addOwnerRef: true
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..d08f6adee8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/application/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/kustomization.yaml
new file mode 100644
index 0000000000..13e13f2853
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- virtual-service.yaml
+configurations:
+- params.yaml
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/params.yaml
new file mode 100644
index 0000000000..eea869e0d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+ kind: VirtualService
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/virtual-service.yaml
new file mode 100644
index 0000000000..f302d9d71d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/istio/virtual-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: centraldashboard
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: centraldashboard.$(namespace).svc.$(clusterDomain)
+ port:
+ number: 80
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/deployment_kf_config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/deployment_kf_config.yaml
new file mode 100644
index 0000000000..00d69cbeb2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/deployment_kf_config.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: centraldashboard
+spec:
+ template:
+ spec:
+ containers:
+ - name: centraldashboard
+ env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-header
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-prefix
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/kustomization.yaml
new file mode 100644
index 0000000000..6998ba9b81
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/centraldashboard/overlays/stacks/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: centraldashboard
+ app.kubernetes.io/name: centraldashboard
+kind: Kustomization
+namespace: kubeflow
+patchesStrategicMerge:
+- deployment_kf_config.yaml
+resources:
+- ../../base_v3
+- ../../overlays/istio
+- ../../overlays/application
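Review bot: `overlays/stacks/kustomization.yaml` builds from `../../base_v3`, which lists the raw resources but carries no `images:` transform, and this overlay adds none either, so the container in `base/deployment.yaml` keeps the untagged reference `gcr.io/kubeflow-images-public/centraldashboard`. Unless a kustomization outside this view sets the tag, that resolves to `latest`, and with `imagePullPolicy: IfNotPresent` each node runs whatever it happened to pull first. Add an `images:` entry to this overlay that pins `newTag` (or better, `digest`) for that image name.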
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..e8e7ac103d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: spartakus
+ name: spartakus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: spartakus
+subjects:
+- kind: ServiceAccount
+ name: spartakus
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role.yaml
new file mode 100644
index 0000000000..5fdcb06daf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/cluster-role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: spartakus
+ name: spartakus
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/deployment.yaml
new file mode 100644
index 0000000000..2616342bbe
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/deployment.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: spartakus
+ name: spartakus-volunteer
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: spartakus-volunteer
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - args:
+ - volunteer
+ - --cluster-id=$(USAGE_ID)
+ - --database=https://stats-collector.kubeflow.org
+ image: gcr.io/google_containers/spartakus-amd64:v1.1.0
+ name: volunteer
+ env:
+ - name: USAGE_ID
+ valueFrom:
+ configMapKeyRef:
+ name: spartakus-config
+ key: usageId
+ serviceAccountName: spartakus
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/kustomization.yaml
new file mode 100644
index 0000000000..a0d2562efb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- deployment.yaml
+- service-account.yaml
+commonLabels:
+ kustomize.component: spartakus
+images:
+- name: gcr.io/google_containers/spartakus-amd64
+ newName: gcr.io/google_containers/spartakus-amd64
+ newTag: v1.1.0
+configMapGenerator:
+- name: spartakus-config
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.env
new file mode 100644
index 0000000000..beafca4201
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.env
@@ -0,0 +1 @@
+usageId=unknown_cluster
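Review bot: The `volunteer` container in `spartakus/base/deployment.yaml` reports to `--database=https://stats-collector.kubeflow.org`, and its ServiceAccount is bound to a ClusterRole that can `get` and `list` `nodes`, so node information appears to leave the cluster for an external collector by default. For a cluster managed from this repository that is a data flow someone should explicitly approve; if usage reporting is not wanted, leave the spartakus package out of the cluster's kustomization rather than deploying it with `usageId=unknown_cluster`. The pod also sets `sidecar.istio.io/inject: "false"`, so any mesh-level egress policy would not see this traffic.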
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.yaml
new file mode 100644
index 0000000000..6ff80fe2be
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/template/spec/containers/0/args/1
+ kind: Deployment
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/service-account.yaml
new file mode 100644
index 0000000000..9e3d193521
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/base/service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: spartakus
+ name: spartakus
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/application.yaml
new file mode 100644
index 0000000000..4cf6095c64
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/application.yaml
@@ -0,0 +1,33 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: spartakus
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spartakus
+ app.kubernetes.io/instance: spartakus-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: spartakus
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ descriptor:
+ type: spartakus
+ version: v1beta1
+ description: ""
+ maintainers: []
+ owners: []
+ keywords:
+ - spartakus
+ - kubeflow
+ links:
+ - description: About
+ url: ""
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..3c900d86b5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/common/spartakus/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: spartakus
+ app.kubernetes.io/name: spartakus
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/kustomization.yaml
new file mode 100644
index 0000000000..d2e52608d8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/kustomization.yaml
@@ -0,0 +1,28 @@
+# This is a kustomization package used to allow kfctl to
+# bootstrap a profile for the user running kfctl.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- profile-instance.yaml
+configMapGenerator:
+- name: default-install-config
+ env: params.env
+vars:
+# These vars are used for substituing in the parameters from the config map
+# into the Profiles custom resource.
+- name: user
+ objref:
+ kind: ConfigMap
+ name: default-install-config
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.user
+- name: profile-name
+ objref:
+ kind: ConfigMap
+ name: default-install-config
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.profile-name
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.env
new file mode 100644
index 0000000000..2cc1eac1fe
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.env
@@ -0,0 +1,2 @@
+user=anonymous
+profile-name=anonymous
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.yaml
new file mode 100644
index 0000000000..40501647da
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/owner/name
+ kind: Profile
+- path: metadata/name
+ kind: Profile
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/profile-instance.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/profile-instance.yaml
new file mode 100644
index 0000000000..3210d09195
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/default-install/base/profile-instance.yaml
@@ -0,0 +1,8 @@
+apiVersion: kubeflow.org/v1beta1
+kind: Profile
+metadata:
+ name: $(profile-name)
+spec:
+ owner:
+ kind: User
+ name: $(user)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/OWNERS
new file mode 100644
index 0000000000..c5ed26dfb6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/OWNERS
@@ -0,0 +1,3 @@
+approvers:
+ - krishnadurai
+ - yanniszark
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/README.md
new file mode 100644
index 0000000000..3ef8cf3f7d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/README.md
@@ -0,0 +1,168 @@ +# Kubeflow Authentication and Authorization Prototype + +This implementation's target platforms are Kubernetes clusters with access to modify Kubernetes' API config file, which is generally possible with on Premise installations of Kubernetes. + +**Note**: This setup assumes Kubeflow Pipelines is setup in namespace kubeflow and Istio is already setup in the Kubernetes cluster. + +## High Level Diagram +![Authentication and Authorization in Kubeflow](/docs/dex-auth/assets/auth-istio.png) + + +## Create SSL Certificates + +This example is going to require three domains: +- dex.example.org: For the authentication server +- login.example.org: For the client application for authentication through dex (optional) +- ldap-admin.example.org: For the admin interface to create LDAP users and groups (optional) + +**Note**: Replace *example.org* with your own domain. + +With your trusted certificate signing authority, please create a certificate for the above domains. + +### Why Self Signed SSL Certs will not work + +Authentication through OIDC in Kubernetes does work with self signed certificates since the `--oidc-ca-file` parameter in the Kubernetes API server allows for adding a trusted CA for your authentication server. + +Though Istio's authentication policy parameter `jwksUri` for [End User Authentication](https://istio.io/docs/ops/security/end-user-auth/) does [not allow self signed certificates](https://github.com/istio/istio/issues/7290#issuecomment-420748056). + +Please generate certificates with a trusted authority for enabling this example or follow this [work-around](#work-around-a-way-to-use-self-signed-certificates). 
+ +## Server Setup Instructions + +### Authentication Server Setup + +#### Setup Post Certificate Creation + +*TODO*(krishnadurai): Make this a part of kfctl + +`kubectl create namespace auth` + +*Note*: This step is not required if you disable TLS in Dex configuration + +`kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem -n auth` + +Replace `dex.example.com.tls` with your own domain. + +#### Parameterizing the setup + +##### Variables in params environment files [dex-authenticator](dex-authenticator/base/params.env), [dex-crds](dex-crds/base/params.env) and [istio](/docs/dex-auth/examples/authentication/Istio): + - dex_domain: Domain for your dex server + - issuer: Issuer URL for dex server + - static_email: User Email for staticPasswords configuration + - static_password_hash: User's password for staticPasswords configuration + - static_user_id: User id for staticPasswords configuration + - static_username: Username for for staticPasswords configuration + - ldap_host: URL for LDAP server for dex to connect to + - ldap_bind_dn: LDAP Overlay's bind distinguished name (DN) + - ldap_bind_pw: LDAP Overlay's bind password for the above account + - ldap_user_base_dn: LDAP Server's user base DN + - ldap_group_base_dn: LDAP Server's group base DN + - dex_client_id: ID for the dex client application + - oidc_redirect_uris: Redirect URIs for OIDC client callback + - dex_application_secret: Application secret for dex client + - jwks_uri: URL pointing to the hosted JWKS keys + - cluster_name: Name for your Kubernetes Cluster for dex to refer to + - dex_client_redirect_uri: Single redirect URI for OIDC client callback + - k8s_master_uri: Kubernetes API master server's URI + - dex_client_listen_addr: Listen address for dex client to login + + **Keycloak Gatekeeper variables in params [environment file](keycloak-gatekeeper/base/params.env):** + + - client_id: ID for the authentication proxy client application + - client_secret: Application 
secret for authentication client + - secure_cookie: Set to true for TLS based cookie + - discovery_url: Is the url for retrieve the openid configuration - normally the /auth/realm/ + - upstream_url: The upstream endpoint which we should proxy request + - redirection_url: The redirection url, essentially the site url, note: /oauth/callback is added at the end + - encryption_key: The encryption key used to encode the session state + +##### Certificate files: + +*Identity Provider (Dex) CA file:* + +This is the CA cert generated for Dex. + +``` +kubectl create configmap ca --from-file=ca.pem -n auth +``` + +*Kubernetes API Server CA file:* + +This is the CA cert for your Kubernetes cluster generated while installing Kubernetes. + +``` +kubectl create configmap k8s-ca --from-file=k8s_ca.pem -n auth +``` + +##### This kustomize configs sets up: + - A Dex server with LDAP IdP and a client application (dex-k8s-authenticator) for issuing keys for Dex. + +#### Apply Kustomize Configs + +**LDAP** + +``` +cd dex-ldap +kustomize build base | kubectl apply -f - +``` + +**Dex** + +*For staticPassword configuration:* +``` +cd dex-crds +kustomize build base | kubectl apply -f - +``` + +*For LDAP configuration:* +``` +cd dex-crds +kustomize build overlays/ldap | kubectl apply -f - +``` + +**Dex Kubernetes Authentication Client** + +``` +cd dex-authenticator +kustomize build base | kubectl apply -f - +``` + +**Keycloak Gatekeeper (Proxy) Authentication Client** + +``` +cd keycloak-gatekeeper +kustomize build base | kubectl apply -f - +``` + +### Setup Kubernetes OIDC Authentication + +The following parameters need to be set in Kubernetes API Server configuration file usually found in: `/etc/kubernetes/manifests/kube-apiserver.yaml`. 
+ +- --oidc-issuer-url=https://dex.example.org:32000 +- --oidc-client-id=ldapdexapp +- --oidc-ca-file=/etc/ssl/certs/openid-ca.pem +- --oidc-username-claim=email +- --oidc-groups-claim=groups + +`oidc-ca-file` needs to have the path to the file containing the certificate authority for the dex server's domain: dex.example.com. + +Refer [official documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server) for meanings of these parameters. + +When you have added these flags, Kubernetes should restart kube-apiserver pod. If not, run this command: `sudo systemctl restart kubelet` in your Kubernetes API Server master node. You can check flags in the pod description: + +`kubectl describe pod kube-apiserver -n kube-system` + + +## Work-around: A way to use Self-Signed Certificates + +* Execute `examples/gencert.sh` on your terminal and it should create a folder `ssl` containing all required self signed certificates. + +* Copy the JWKS keys from `https://dex.example.com/keys` and host these keys in a public repository as a file. This public repository should have a verified a https SSL certificate (for e.g. github). + +* Copy the file url from the public repository in the `jwks_uri` parameter for [Istio Authentication Policy](/docs/dex-auth/examples/authentication/Istio/params.env) config: + +``` +jwks_uri="https://raw.githubusercontent.com/example-organisation/jwks/master/auth-jwks.json" +``` + +* Note that this is just a work around and JWKS keys are rotated by the Authentication Server. These JWKS keys will become invalid after the rotation period and you will have to re-upload the new keys back to your public repository. diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/config-map.yaml new file mode 100644 index 0000000000..2db2ba79c7 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/config-map.yaml 
@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: dex-authenticator-cm
+ labels:
+ app: dex-authenticator
+data:
+ config.yaml: |-
+ clusters:
+ # Specify 1 or more clusters
+ - name: $(cluster_name)
+
+ # Descriptions used in the WebUI
+ short_description: "Dex Cluster"
+ description: "Dex Server for Kubeflow"
+
+ # Redirect Url pointing to dex-k8s-authenticator callback for this cluster
+ # This should be configured in Dex as part of the staticClients
+ # redirectURIs option
+ redirect_uri: $(client_redirect_uri)
+
+ # Client Secret - should match value in Dex
+ client_secret: $(application_secret)
+
+ # Client ID - should match value in Dex
+ client_id: $(client_id)
+
+ # Dex Issuer - Must be resolvable
+ issuer: $(issuer)
+
+ # Url to k8s API endpoint - used in WebUI instructions for generating
+ # kubeconfig
+ k8s_master_uri: $(k8s_master_uri)
+
+ # don't use username for context
+ static_context_name: false
+
+ # CA for your k8s cluster - used in WebUI instructions for generating
+ # kubeconfig
+ # Both k8s_ca_uri and k8s_ca_pem are optional - you typically specifiy
+ # one or the other if required
+ #
+ # Provides a link to the CA from a hosted site
+ # k8s_ca_uri: http://url-to-your-ca.crt
+ #
+ # Provides abililty to specify CA inline
+ # k8s_ca_pem: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ k8s_ca_pem_file: /app/k8s_ca.pem
+
+ # Specify multiple extra root CA files to be loaded
+ # trusted_root_ca:
+ # -|
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ trusted_root_ca_file: /app/idp_ca.pem
+
+ # Specify path to tls_cert and tls_key - if enabled, set liten to use https
+ # tls_cert: /path/to/dex-client.crt
+ # tls_key: /path/to/dex-client.key
+
+ # CA for your IDP - used in WebUI instructions for generating
+ # kubeconfig
+ # Both idp_ca_uri and idp_ca_pem are optional - you typically specifiy
+ # one or the other if required
+ #
+ # Provides a link to the CA from a hosted site
+ # idp_ca_uri: http://url-to-your-ca.crt
+ #
+ # Provides abililty to specify CA inline
+ # idp_ca_pem: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ idp_ca_pem_file: /app/idp_ca.pem
+
+ # Which address to listen on (set to https if tls configured)
+ listen: $(client_listen_addr)
+
+ # A path-prefix from which to serve requests and assets
+ web_path_prefix: /
+
+ # Optional kubectl version which provides a download link to the the binary
+ kubectl_version: v1.11.2
+
+ # Optional Url to display a logo image
+ # logo_uri: http://
+
+ # Enable more debug
+ debug: false
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/deployment.yaml
new file mode 100644
index 0000000000..4a609b0010
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/deployment.yaml
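Review bot: `client_secret: $(application_secret)` renders the OAuth client secret into the `dex-authenticator-cm` ConfigMap, and the value it is filled from is committed in this patch (`application_secret=` in dex-authenticator/base/params.env, dex-crds/base/params.env and dex-crds/overlays/ldap/params.env, the last one next to `ldap_bind_pw=admin`). ConfigMaps are not meant for credentials, since anything allowed to read configmaps in `auth` can read them, and every install that keeps the defaults shares the same client secret; the `secret: $(application_secret)` and `bindPW: $(ldap_bind_pw)` lines in the two dex `config-map.yaml` hunks have the same problem. I would keep only placeholders in the params files, for example `application_secret=<generate-per-install>`, and deliver the rendered `config.yaml` through a Secret rather than a ConfigMap.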
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dex-authenticator
+ labels:
+ app: dex-authenticator
+ env: dev
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: dex-authenticator
+ template:
+ metadata:
+ labels:
+ app: dex-authenticator
+ spec:
+ containers:
+ - name: dex-k8s-authenticator
+ image: "mintel/dex-k8s-authenticator:1.2.0"
+ imagePullPolicy: Always
+ args: [ "--config", "config.yaml" ]
+ ports:
+ - name: http
+ containerPort: 5555
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ volumeMounts:
+ - name: config
+ subPath: config.yaml
+ mountPath: /app/config.yaml
+ - name: idp-ca
+ subPath: ca.pem
+ mountPath: /app/idp_ca.pem
+ - name: k8s-ca
+ subPath: k8s_ca.pem
+ mountPath: /app/k8s_ca.pem
+ resources:
+ {}
+
+ volumes:
+ - name: config
+ configMap:
+ name: dex-authenticator-cm
+ - name: idp-ca
+ configMap:
+ name: ca
+ - name: k8s-ca
+ configMap:
+ name: k8s-ca
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/kustomization.yaml
new file mode 100644
index 0000000000..9e4cf9200e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/kustomization.yaml
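Review bot: `image: "mintel/dex-k8s-authenticator:1.2.0"` with `imagePullPolicy: Always` re-resolves a mutable tag on every pod start, so the container that handles the OIDC client secret is whatever is currently published under that tag; the `images:` entry in the kustomization.yaml hunk and `quay.io/dexidp/dex:v2.22.0` in dex-crds/base/deployment.yaml are pinned by tag in the same way. Pinning by digest in the kustomize `images:` block, e.g. `digest: sha256:<digest of the reviewed image>`, makes the deployed image reproducible. The pod spec also sets no `securityContext` and leaves `resources: {}`; a comment saying whether that is intentional for this prototype would help the next reader.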
@@ -0,0 +1,67 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: auth +resources: +- namespace.yaml +- config-map.yaml +- deployment.yaml +- service.yaml +configMapGenerator: +- name: dex-authn-parameters + env: params.env +vars: +- name: issuer + objref: + kind: ConfigMap + name: dex-authn-parameters + apiVersion: v1 + fieldref: + fieldpath: data.issuer +- name: client_id + objref: + kind: ConfigMap + name: dex-authn-parameters + apiVersion: v1 + fieldref: + fieldpath: data.client_id +- name: application_secret + objref: + kind: ConfigMap + name: dex-authn-parameters + apiVersion: v1 + fieldref: + fieldpath: data.application_secret +- name: cluster_name + objref: + kind: ConfigMap + name: dex-authn-parameters + apiVersion: v1 + fieldref: + fieldpath: data.cluster_name +- name: k8s_master_uri + objref: + kind: ConfigMap + name: dex-authn-parameters + apiVersion: v1 + fieldref: + fieldpath: data.k8s_master_uri +- name: client_redirect_uri + objref: + kind: ConfigMap + name: dex-authn-parameters + apiVersion: v1 + fieldref: + fieldpath: data.client_redirect_uri +- name: client_listen_addr + objref: + kind: ConfigMap + name: dex-authn-parameters + apiVersion: v1 + fieldref: + fieldpath: data.client_listen_addr +configurations: +- params.yaml +images: +- name: mintel/dex-k8s-authenticator + newName: mintel/dex-k8s-authenticator + newTag: 1.2.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/namespace.yaml new file mode 100644 index 0000000000..6b34cabc07 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: auth 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.env
new file mode 100644
index 0000000000..5f3ae06a7c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.env
@@ -0,0 +1,9 @@
+# Dex Server Parameters (some params are shared with client)
+# Set issuer to https if tls is enabled
+issuer=http://dex.example.com:32000
+client_id=ldapdexapp
+application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
+cluster_name=onprem-cluster
+client_redirect_uri=http://login.example.org:5555/callback/onprem-cluster
+k8s_master_uri=https://k8s.example.com:443
+client_listen_addr=http://127.0.0.1:5555 # Set to HTTPS if TLS is configured
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.yaml
new file mode 100644
index 0000000000..5d9e2ad52a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: data/config.yaml
+ kind: ConfigMap
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/service.yaml
new file mode 100644
index 0000000000..34781da78b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-authenticator/base/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dex-authenticator
+ labels:
+ app: dex-authenticator
+spec:
+ type: NodePort
+ ports:
+ - port: 5555
+ targetPort: 5555
+ nodePort: 32002
+ protocol: TCP
+ name: http
+ selector:
+ app: dex-authenticator
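Review bot: The defaults in dex-authenticator/base/params.env run the whole OIDC flow over plain HTTP: `issuer=http://dex.example.com:32000` and `client_redirect_uri=http://login.example.org:5555/callback/onprem-cluster`, and service.yaml in the same patch publishes port 5555 as NodePort 32002, so authorization codes and ID tokens would cross the network unencrypted unless the installer changes every value. I would default these to `https://` and make TLS the documented path, leaving HTTP as an explicit opt-out. Separately, the trailing `# Set to HTTPS if TLS is configured` on the `client_listen_addr` line is probably read as part of the value, since env files generally treat only whole lines starting with `#` as comments; moving it to its own line above the key avoids that.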
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/config-map.yaml
new file mode 100644
index 0000000000..bffd3cd930
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/config-map.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: dex
+data:
+ config.yaml: |
+ issuer: $(issuer)
+ storage:
+ type: kubernetes
+ config:
+ inCluster: true
+ web:
+ http: 0.0.0.0:5556
+ logger:
+ level: "debug"
+ format: text
+ oauth2:
+ skipApprovalScreen: true
+ enablePasswordDB: true
+ staticPasswords:
+ - email: $(static_email)
+ hash: $(static_password_hash)
+ username: $(static_username)
+ userID: $(static_user_id)
+ staticClients:
+ - id: $(client_id)
+ redirectURIs: $(oidc_redirect_uris)
+ name: 'Dex Login Application'
+ secret: $(application_secret)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/crds.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/crds.yaml
new file mode 100644
index 0000000000..cd18744a85
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/crds.yaml
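Review bot: `enablePasswordDB: true` together with the `staticPasswords` entry gives every cluster built from this base the same local login, because `static_email`, `static_username` and `static_password_hash` are filled from values committed in dex-crds/base/params.env. Unless the installer overrides them before `kustomize build`, the identity provider ships with a shared default account. I would leave the static user out of the base, or require the hash to be supplied at install time, and add a comment such as `# staticPasswords is for local testing only; replace the hash before exposing dex`. `level: "debug"` is also worth lowering for anything beyond a test cluster, here and in overlays/ldap/config-map.yaml.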
@@ -0,0 +1,45 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: authcodes.dex.coreos.com
+spec:
+ group: dex.coreos.com
+ names:
+ kind: AuthCode
+ listKind: AuthCodeList
+ plural: authcodes
+ singular: authcode
+ scope: Namespaced
+ version: v1
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: dex
+rules:
+- apiGroups: ["dex.coreos.com"] # API group created by dex
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions.
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: dex
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: dex
+subjects:
+- kind: ServiceAccount
+ name: dex # Service account assigned to the dex pod.
+ namespace: auth # The namespace dex is running in.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dex
+ namespace: auth
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/deployment.yaml
new file mode 100644
index 0000000000..4664925133
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/deployment.yaml
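Review bot: The `dex` ClusterRole grants `verbs: ["*"]` on `resources: ["*"]` in `dex.coreos.com` and is bound with a ClusterRoleBinding, so the dex service account can read and modify dex storage objects, such as the `authcodes` defined above, in every namespace, although the pod runs only in `auth`. Unless dex v2.22.0 needs cluster-wide access to its own resources (I have not verified that), the custom-resource rule can move to a namespaced Role and RoleBinding in `auth`, leaving the ClusterRole with just the `customresourcedefinitions` rule. The `rbac.authorization.k8s.io/v1beta1` and `apiextensions.k8s.io/v1beta1` API versions used in this file are deprecated in favour of `v1`.

```yaml
# … unchanged: CustomResourceDefinition; ClusterRole "dex" keeps only the customresourcedefinitions rule …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dex
  namespace: auth
rules:
- apiGroups: ["dex.coreos.com"] # API group created by dex
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dex
  namespace: auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dex
subjects:
- kind: ServiceAccount
  name: dex
  namespace: auth
# … unchanged: ClusterRoleBinding for the CRD rule, ServiceAccount …
```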
@@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: dex + name: dex +spec: + replicas: 1 + selector: + matchLabels: + app: dex + template: + metadata: + labels: + app: dex + spec: + serviceAccountName: dex + containers: + - image: quay.io/dexidp/dex:v2.22.0 + name: dex + command: ["dex", "serve", "/etc/dex/cfg/config.yaml"] + ports: + - name: http + containerPort: 5556 + volumeMounts: + - name: config + mountPath: /etc/dex/cfg + volumes: + - name: config + configMap: + name: dex + items: + - key: config.yaml + path: config.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/kustomization.yaml new file mode 100644 index 0000000000..01cc19e36f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/kustomization.yaml 
@@ -0,0 +1,84 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: auth +resources: +- namespace.yaml +- config-map.yaml +- crds.yaml +- deployment.yaml +- service.yaml +configMapGenerator: +- name: dex-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: dex_domain + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.dex_domain +- name: issuer + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.issuer +- name: static_email + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_email +- name: static_password_hash + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_password_hash +- name: static_username + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_username +- name: static_user_id + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_user_id +- name: client_id + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.client_id +- name: oidc_redirect_uris + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.oidc_redirect_uris +- name: application_secret + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.application_secret +configurations: +- params.yaml +images: +- name: quay.io/dexidp/dex + newName: quay.io/dexidp/dex + newTag: v2.22.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/namespace.yaml new file mode 100644 index 0000000000..6b34cabc07 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: auth
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.env
new file mode 100644
index 0000000000..0365ffa519
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.env
@@ -0,0 +1,11 @@
+# Dex Server Parameters (some params are shared with client)
+dex_domain=dex.example.com
+# Set issuer to https if tls is enabled
+issuer=http://dex.example.com:32000
+static_email=admin@example.com
+static_password_hash=$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W
+static_username=admin
+static_user_id=08a8684b-db88-4b73-90a9-3cd1661f5466
+client_id=ldapdexapp
+oidc_redirect_uris=['http://login.example.org:5555/callback/onprem-cluster']
+application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.yaml
new file mode 100644
index 0000000000..af2393a65d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/template/spec/volumes/secret/secretName
+ kind: Deployment
+- path: data/config.yaml
+ kind: ConfigMap
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/service.yaml
new file mode 100644
index 0000000000..7f0088208f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/base/service.yaml
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: dex +spec: + type: NodePort + ports: + - name: dex + port: 5556 + protocol: TCP + targetPort: 5556 + nodePort: 32000 + selector: + app: dex diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..b94f52f8aa --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml + +configMapGenerator: +- name: dex-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: namespace + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.env new file mode 100644 index 0000000000..ac2dc00963 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.env @@ -0,0 +1 @@ +namespace=auth \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000000..c84d890884 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/istio/virtual-service.yaml @@ -0,0 +1,22 @@ +# This config is gated on kiali upgrade to 0.21 from 0.16 in istio 1.1.6: +# https://github.com/kiali/kiali/issues/1154 +# https://github.com/istio/istio/issues/11131 + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: dex +spec: + gateways: + - kubeflow/kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /dex/ + route: + - destination: + host: dex.$(namespace).svc.cluster.local + port: + number: 5556 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/config-map.yaml new file mode 100644 index 0000000000..3df2035382 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/config-map.yaml 
@@ -0,0 +1,97 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: dex
+data:
+ config.yaml: |
+ issuer: $(issuer)
+ storage:
+ type: kubernetes
+ config:
+ inCluster: true
+ web:
+ https: 0.0.0.0:5556
+ tlsCert: /etc/dex/tls/tls.crt
+ tlsKey: /etc/dex/tls/tls.key
+ # For HTTP configuration remove tls configs and add
+ #http: 0.0.0.0:5556
+ logger:
+ level: "debug"
+ format: text
+ connectors:
+ - type: ldap
+ # Required field for connector id.
+ id: ldap
+ # Required field for connector name.
+ name: LDAP
+ config:
+ # Host and optional port of the LDAP server in the form "host:port".
+ # If the port is not supplied, it will be guessed based on "insecureNoSSL",
+ # and "startTLS" flags. 389 for insecure or StartTLS connections, 636
+ # otherwise.
+ host: $(ldap_host)
+ # Following field is required if the LDAP host is not using TLS (port 389).
+ # Because this option inherently leaks passwords to anyone on the same network
+ # as dex, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE.
+ #
+ insecureNoSSL: true
+ # If a custom certificate isn't provide, this option can be used to turn on
+ # TLS certificate checks. As noted, it is insecure and shouldn't be used outside
+ # of explorative phases.
+ #
+ insecureSkipVerify: true
+ # When connecting to the server, connect using the ldap:// protocol then issue
+ # a StartTLS command. If unspecified, connections will use the ldaps:// protocol
+ #
+ # startTLS: true
+ # Path to a trusted root certificate file. Default: use the host's root CA.
+ #rootCA: /etc/dex/ldap.ca
+ # A raw certificate file can also be provided inline.
+ #rootCAData:
+ # The DN and password for an application service account. The connector uses
+ # these credentials to search for users and groups. Not required if the LDAP
+ # server provides access for anonymous auth.
+ # Please note that if the bind password contains a '$', it has to be saved in an
+ # environment variable which should be given as the value to 'bindPW'.
+ bindDN: $(ldap_bind_dn)
+ bindPW: $(ldap_bind_pw)
+ # User search maps a username and password entered by a user to a LDAP entry.
+ userSearch:
+ # BaseDN to start the search from. It will translate to the query
+ # "(&(objectClass=person)(uid=))".
+ baseDN: $(ldap_user_base_dn)
+ # Optional filter to apply when searching the directory.
+ filter: "(objectClass=posixAccount)"
+ # username attribute used for comparing user entries. This will be translated
+ # and combine with the other filter as "(=)".
+ username: mail
+ # The following three fields are direct mappings of attributes on the user entry.
+ # String representation of the user.
+ idAttr: uid
+ # Required. Attribute to map to Email.
+ emailAttr: mail
+ # Maps to display name of users. No default value.
+ nameAttr: uid
+
+ # Group search queries for groups given a user entry.
+ groupSearch:
+ # BaseDN to start the search from. It will translate to the query
+ # "(&(objectClass=group)(member=))".
+ baseDN: $(ldap_group_base_dn)
+ # Optional filter to apply when searching the directory.
+ filter: "(objectClass=posixGroup)"
+ # Following two fields are used to match a user to a group. It adds an additional
+ # requirement to the filter that an attribute in the group must match the user's
+ # attribute value.
+ userAttr: gidNumber
+ groupAttr: gidNumber
+ # Represents group name.
+ nameAttr: cn
+ oauth2:
+ skipApprovalScreen: true
+ staticClients:
+ - id: $(client_id)
+ redirectURIs: $(oidc_redirect_uris)
+ name: 'Dex Login Application'
+ secret: $(application_secret)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/deployment.yaml
new file mode 100644
index 0000000000..251be1d058
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/deployment.yaml
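Review bot: `insecureNoSSL: true` and `insecureSkipVerify: true` are both active in the LDAP connector of overlays/ldap/config-map.yaml, and `ldap_host` defaults to port 389 in the overlay's params.env, so the bind password and every user's password travel to the directory unencrypted, which the comment above `insecureNoSSL` itself warns about. The safer alternative is already in the hunk as comments: drop both insecure flags and enable `startTLS: true` with `rootCA: /etc/dex/ldap.ca` pointing at the directory's CA. The comment above `insecureSkipVerify` also reads backwards; it should say the option turns certificate checks off, e.g. `# Skips TLS certificate verification; insecure, for exploration only.`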
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: dex
+ name: dex
+spec:
+ template:
+ spec:
+ serviceAccountName: dex
+ containers:
+ - name: dex
+ volumeMounts:
+ - name: tls
+ mountPath: /etc/dex/tls
+ volumes:
+ - name: tls
+ secret:
+ secretName: $(dex_domain).tls
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/kustomization.yaml
new file mode 100644
index 0000000000..e1aec92a3f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/kustomization.yaml
@@ -0,0 +1,54 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+bases:
+- ../../base
+
+patchesStrategicMerge:
+- config-map.yaml
+- deployment.yaml
+
+configMapGenerator:
+- name: dex-parameters
+ behavior: merge
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: ldap_host
+ objref:
+ kind: ConfigMap
+ name: dex-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.ldap_host
+- name: ldap_bind_dn
+ objref:
+ kind: ConfigMap
+ name: dex-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.ldap_bind_dn
+- name: ldap_bind_pw
+ objref:
+ kind: ConfigMap
+ name: dex-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.ldap_bind_pw
+- name: ldap_user_base_dn
+ objref:
+ kind: ConfigMap
+ name: dex-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.ldap_user_base_dn
+- name: ldap_group_base_dn
+ objref:
+ kind: ConfigMap
+ name: dex-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.ldap_group_base_dn
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.env
new file mode 100644
index 0000000000..626cb14395
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.env
@@ -0,0 +1,11 @@
+# Dex Server Parameters (some params are shared with client)
+dex_domain=dex.example.com
+issuer=https://dex.example.com:32000
+ldap_host=ldap.auth.svc.cluster.local:389
+ldap_bind_dn=cn=admin,dc=example,dc=org
+ldap_bind_pw=admin
+ldap_user_base_dn=ou=People,dc=example,dc=org
+ldap_group_base_dn=ou=Groups,dc=example,dc=org
+client_id=ldapdexapp
+oidc_redirect_uris=['http://login.example.org:5555/callback/onprem-cluster']
+application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.yaml
new file mode 100644
index 0000000000..5d9e2ad52a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-crds/overlays/ldap/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: data/config.yaml
+ kind: ConfigMap
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/deployment.yaml
new file mode 100644
index 0000000000..5bbe551d9a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/deployment.yaml
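Review bot: `ldap_bind_pw=admin` and a fixed `application_secret` are committed in params.env as working defaults, and the overlay's kustomization.yaml feeds `ldap_bind_pw` through the `dex-parameters` ConfigMap into the `dex` ConfigMap rather than a Secret. The same secret string is repeated as `client_secret` in keycloak-gatekeeper/base/params.env, next to a fixed `encryption_key`. A cluster built from these files unchanged authenticates its directory bind and OIDC client with credentials that are public in the repository. Ship placeholders that cannot work by accident, e.g. `ldap_bind_pw=<set-per-deployment>` and `application_secret=<generate-per-deployment>`, and source the real values from a Secret. The sample redirect URI is also `http://`, so the authorization code would return to the client in cleartext.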
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ldap
+ labels:
+ app: ldap
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ldap
+ template:
+ metadata:
+ labels:
+ app: ldap
+ spec:
+ containers:
+ - name: openldap
+ image: osixia/openldap
+ ports:
+ - containerPort: 389
+ - containerPort: 636
+ - name: phpldapadmin
+ image: osixia/phpldapadmin
+ ports:
+ - containerPort: 80
+ env:
+ - name: PHPLDAPADMIN_HTTPS
+ value: "false"
+ - name: PHPLDAPADMIN_LDAP_HOSTS
+ value: localhost
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/kustomization.yaml
new file mode 100644
index 0000000000..1ec6646215
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+
+resources:
+- namespace.yaml
+- deployment.yaml
+- service.yaml
+images:
+- name: osixia/openldap
+ newName: osixia/openldap
+ newTag: latest
+- name: osixia/phpldapadmin
+ newName: osixia/phpldapadmin
+ newTag: latest
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/namespace.yaml
new file mode 100644
index 0000000000..6b34cabc07
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: auth
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/service.yaml
new file mode 100644
index 0000000000..201e21c2be
--- /dev/null
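Review bot: Both directory images float on a mutable tag: dex-ldap/base/deployment.yaml references `osixia/openldap` and `osixia/phpldapadmin` with no tag, and kustomization.yaml then sets `newTag: latest` for each. What runs in the `auth` namespace therefore changes whenever the registry tag moves and cannot be reproduced or audited from the repository. Pin each `images:` entry to a released version and preferably a digest, e.g. `newTag: <pinned-version>` or `digest: sha256:<image-digest>`. The openldap container is also given no `env`, so its admin password is whatever the image defaults to, presumably the `admin` that the Dex overlay's params.env binds with; confirm that and set it from a Secret.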
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/dex-ldap/base/service.yaml @@ -0,0 +1,31 @@ +--- + +apiVersion: v1 +kind: Service +metadata: + name: ldap +spec: + ports: + - name: ldap + port: 389 + targetPort: 389 + - name: ldap-ssl + port: 636 + targetPort: 636 + selector: + app: ldap + +--- + +apiVersion: v1 +kind: Service +metadata: + name: ldap-admin +spec: + type: NodePort + ports: + - port: 80 + targetPort: 80 + nodePort: 32006 + selector: + app: ldap diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/config-map.yaml new file mode 100644 index 0000000000..aa9dd3a418 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/config-map.yaml @@ -0,0 +1,70 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: keycloak-gatekeeper-page-templates +data: + forbidden-page: | + + + + + Forbidden + + + + +
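Review bot: The `ldap-admin` Service in dex-ldap/base/service.yaml publishes phpLDAPadmin on `nodePort: 32006` of every node, while the deployment runs that container with `PHPLDAPADMIN_HTTPS` set to `"false"`, so the directory admin login is served over plain HTTP on a node-level port. Unless the UI has to be reachable from outside the cluster, drop `type: NodePort` and `nodePort: 32006` so the Service defaults to ClusterIP, and reach it with `kubectl port-forward` when it is needed. If external access is required, put it behind the authenticated ingress rather than a raw node port.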
(°◇°)
+
+
+

Access forbidden

+

You do not have sufficient privileges to access this resource.

+
+
+ + + + login-page: | + + + + + Redirecting to SSO login page... + + + + + +
¯\_(ツ)_/¯
+
+
+

Access token expired

+

You will be automatically redirected to your SSO provider's Sign In page for this app.

+

If not, click here to sign in.

+
+
+
+
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/deployment.yaml
new file mode 100644
index 0000000000..618534a311
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/deployment.yaml
@@ -0,0 +1,61 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak-gatekeeper
+spec:
+ replicas: 1
+ revisionHistoryLimit: 0
+ selector:
+ matchLabels:
+ app: keycloak-gatekeeper
+ template:
+ metadata:
+ labels:
+ app: keycloak-gatekeeper
+ annotations:
+ checksum/config: 485074e1c0607eca69f97a813313e55bce27515a65f57b11036c8dd074ea3a30
+ spec:
+ securityContext:
+ fsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ containers:
+ - name: main
+ image: keycloak/keycloak-gatekeeper:5.0.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ args:
+ - --listen=:3000
+ - --client-id=$(client_id)
+ - --client-secret=$(client_secret)
+ - --secure-cookie=$(secure_cookie)
+ - --discovery-url=$(discovery_url)
+ - --upstream-url=$(upstream_url)
+ - --redirection-url=$(redirection_url)
+ - --scopes=groups
+ - --sign-in-page=/opt/templates/sign_in.html.tmpl
+ - --forbidden-page=/opt/templates/forbidden.html.tmpl
+ - --enable-refresh-tokens=true
+ - --http-only-cookie=true
+ - --preserve-host=true
+ - --enable-encrypted-token=true
+ - --encryption-key=$(encryption_key)
+ - --enable-authorization-header
+ - --resources=uri=/*
+ volumeMounts:
+ - name: page-templates
+ mountPath: /opt/templates/forbidden.html.tmpl
+ subPath: forbidden-page
+ - name: page-templates
+ mountPath: /opt/templates/sign_in.html.tmpl
+ subPath: login-page
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumes:
+ - name: page-templates
+ configMap:
+ name: keycloak-gatekeeper-page-templates
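Review bot: `--client-secret=$(client_secret)` and `--encryption-key=$(encryption_key)` in `args` are filled in by kustomize at build time (params.yaml lists `spec/template/spec/containers/args` as a var target), so the rendered Deployment carries the OIDC client secret and the token-encryption key as literal text, readable by anyone who can get Deployments or Pods in `auth`. Take both from a Secret through `env` with `secretKeyRef` and let Kubernetes expand `$(CLIENT_SECRET)` and `$(ENCRYPTION_KEY)` in the args, then drop the two vars from kustomization.yaml and the values from params.env. The values still reach the process command line inside the container, but they no longer sit in the object spec or in a ConfigMap. The Secret name in the sketch below is a placeholder.

```yaml
        args:
        - --listen=:3000
        - --client-id=$(client_id)
        # Expanded by Kubernetes from the env entries below, not by kustomize.
        - --client-secret=$(CLIENT_SECRET)
        # … unchanged: cookie, URL, scope, page and token flags …
        - --encryption-key=$(ENCRYPTION_KEY)
        # … unchanged: remaining flags …
        env:
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: keycloak-gatekeeper-secrets  # placeholder Secret name
              key: client_secret
        - name: ENCRYPTION_KEY
          valueFrom:
            secretKeyRef:
              name: keycloak-gatekeeper-secrets  # placeholder Secret name
              key: encryption_key
```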
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/kustomization.yaml
new file mode 100644
index 0000000000..79ae06abd4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/kustomization.yaml
@@ -0,0 +1,73 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+
+resources:
+- config-map.yaml
+- namespace.yaml
+- deployment.yaml
+- service.yaml
+- virtualservice.yaml
+
+configMapGenerator:
+- name: keycloak-gatekeeper-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+
+vars:
+- name: client_id
+ objref:
+ kind: ConfigMap
+ name: keycloak-gatekeeper-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.client_id
+- name: client_secret
+ objref:
+ kind: ConfigMap
+ name: keycloak-gatekeeper-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.client_secret
+- name: secure_cookie
+ objref:
+ kind: ConfigMap
+ name: keycloak-gatekeeper-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.secure_cookie
+- name: discovery_url
+ objref:
+ kind: ConfigMap
+ name: keycloak-gatekeeper-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.discovery_url
+- name: upstream_url
+ objref:
+ kind: ConfigMap
+ name: keycloak-gatekeeper-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.upstream_url
+- name: redirection_url
+ objref:
+ kind: ConfigMap
+ name: keycloak-gatekeeper-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.redirection_url
+- name: encryption_key
+ objref:
+ kind: ConfigMap
+ name: keycloak-gatekeeper-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.encryption_key
+configurations:
+- params.yaml
+images:
+- name: keycloak/keycloak-gatekeeper
+ newName: keycloak/keycloak-gatekeeper
+ newTag: 5.0.0
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/namespace.yaml
new file mode 100644
index 0000000000..6b34cabc07
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: auth
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.env
new file mode 100644
index 0000000000..9a49b3024c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.env
@@ -0,0 +1,7 @@
+client_id=ldapdexapp
+client_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
+secure_cookie=false
+discovery_url=http://dex.example.com:31200
+upstream_url=http://kubeflow.centraldashboard.com:31380
+redirection_url=http://keycloak-gatekeeper.example.com:31204
+encryption_key=nm6xjpPXPJFInLYo
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.yaml
new file mode 100644
index 0000000000..1d61a65ec0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/template/spec/containers/args
+ kind: Deployment
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/service.yaml
new file mode 100644
index 0000000000..05deb18384
--- /dev/null
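Review bot: `secure_cookie=false` in keycloak-gatekeeper/base/params.env, together with `http://` values for `discovery_url` and `redirection_url`, means the gatekeeper session cookie is issued without the Secure attribute and the OIDC discovery document and redirects travel unencrypted, so anyone on path can read tokens or alter the issuer metadata. Default to `secure_cookie=true` and `https://` URLs, and keep the plaintext variant in an explicitly named development overlay. The Dex overlay's `issuer` is `https://dex.example.com:32000` while `discovery_url` here is `http://dex.example.com:31200`, so the two sample files do not describe the same endpoint and issuer validation would presumably fail as written.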
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak-gatekeeper
+spec:
+ type: NodePort
+ ports:
+ - port: 5554
+ protocol: TCP
+ name: http
+ targetPort: http
+ nodePort: 32004
+ selector:
+ app: keycloak-gatekeeper
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/virtualservice.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/virtualservice.yaml
new file mode 100644
index 0000000000..f10dc8098f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/dex-auth/keycloak-gatekeeper/base/virtualservice.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: keycloak-gatekeeper
+spec:
+ gateways:
+ - kubeflow/kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - port: 5554
+ uri:
+ prefix: /
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: keycloak-gatekeeper.auth.svc.cluster.local
+ port:
+ number: 5554
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/KustomizeBestPractices.md b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/KustomizeBestPractices.md
new file mode 100644
index 0000000000..0d757b7d2e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/KustomizeBestPractices.md
@@ -0,0 +1,261 @@ + +# Kustomize Best Practices + + This doc provides best practices for writing Kubeflow kustomize packages. + + + +**Table of Contents** + +- [Layout package to support composability](#layout-package-to-support-composability) +- [Reuse patches](#reuse-patches) + - [Disable security check for file outside of directory root](#disable-security-check-for-file-outside-of-directory-root) +- [Command Line substitution](#command-line-substitution) +- [Eschew vars](#eschew-vars) + - [Internal subsitution of fields Kustomize isn't aware of](#internal-subsitution-of-fields-kustomize-isnt-aware-of) + - [Global substitution](#global-substitution) +- [Have separate packages for CR's and instances of the custom resource](#have-separate-packages-for-crs-and-instances-of-the-custom-resource) +- [CommonLabels should be immutable](#commonlabels-should-be-immutable) + - [Resource file naming](#resource-file-naming) +- [Removing common attributes across resources](#removing-common-attributes-across-resources) + + + +## Layout package to support composability + +If your application consists of loosely coupled components e.g. backend, front-end, database consider defining these as separate kustomize packages +and then using kustomize to compose these applications into different installs e.g + +``` +components/ + /app-front + /app-backend + /app-db +installs/ + /app-standalone + /app-onprem +``` + +Defining separate packages for each component makes it easier to use composition to define new configurations; e.g. using an external database as opposed +to a database running in cluster. + +## Reuse patches + +We encourage reusing patches across kustomize packages when it makes sense. For example suppose we +have an onprem and standalone version of our application but both of them want to reuse +a common patch to use an external database. 
We could lay the packages out like so + +``` +components/ + /patches/ + /deployment-external-db.yaml +installs/ + /app-standalone + /app-onprem +``` + +The kustomization files for app-standalone could then look like the following + +``` +apiVersion: kustomize.config.k8s.io/v1beta1 +... +patchesStrategicMerge: +- ../../components/patches/deployment-external-db.yaml +``` + +### Disable security check for file outside of directory root + +To support the above layout we need to disable [kustomizes' security check](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/FAQ.md#security-file-foo-is-not-in-or-below-bar) by running with the `load_restrictor` flag: + +``` +kustomize build --load_restrictor none $target +``` + +## Command Line substitution + +To make it easy for users to override command line arguments use the following pattern. + +1. Use a config map generator to store the parameters +1. On Deployments/StatefulSets/etc... set environment variables based on the config map +1. Rely on Kubernetes to substitute environment variables into container arguments ([ref](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config)) + +Users can then override the parameters by defining [config map overlays](https://github.com/kubernetes-sigs/kustomize/blob/master/examples/configGeneration.md). + +Using a [ConfigMapGenerator](https://github.com/kubernetes-sigs/kustomize/blob/master/examples/configGeneration.md#configmap-generation-and-rolling-updates) and including a content hash is highly prefered over not including a content hash. +Using a content hash ensures that rolling updates are triggered if the config map is changed. 
+ +**Deprecated patterns** + +* vars should no longer be used to do command line substitution see [bit.ly/kf_kustomize_v3](https://docs.google.com/document/d/1jBayuR5YvhuGcIVAgB1F_q4NrlzUryZPyI9lCdkFTcw/edit?pli=1#heading=h.ychbuvw81fj7) + +## Eschew vars + +As noted in [kubernetes-sigs/kustomize#2052](https://github.com/kubernetes-sigs/kustomize/issues/2052) vars have a lot of downsides. +For Kubeflow in particular vars have made it difficult to compose kustomize packages because they need to be unique globally ([kubeflow/manifests#1007](https://github.com/kubeflow/manifests/issues/1007)). + +Vars should be used sparingly. Below are some guidance on acceptable use cases. + + +### Internal subsitution of fields Kustomize isn't aware of + +One ok use case for vars is getting kustomize to subsitute a value into a field kustomize wouldn't normally do substitution into. +This often happens with CRDs. For example, consider the virtual service below from [jupyter-web-app](https://github.com/kubeflow/manifests/blob/master/jupyter/jupyter-web-app/overlays/istio/virtual-service.yaml). + +``` +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: jupyter-web-app +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - ... + route: + - destination: + host: jupyter-web-app-service.$(jupyter-web-app-namespace).svc.$(clusterDomain) + port: + number: 80 +``` + +We would like kustomize to substitute namespace into the destination host. We do this by + +1. Defining a [vars](https://github.com/kubeflow/manifests/blob/393ec700e7834ca69a0832ec01ea2ecd90fb5bc4/jupyter/jupyter-web-app/base/kustomization.yaml#L63) to get the value for namespace +1. Defining a [custom configuration](https://github.com/kubernetes-sigs/kustomize/blob/master/examples/transformerconfigs/README.md#customizing-transformer-configurations) so that the vars will be substituted into the virtual service host. 
+ +This use of vars is acceptable because the var is internal to the kustomize package and can be given a unique enough name to prevent +conflicts when the package is composed with other applications. + +### Global substitution + +One of the most problematic use cases for vars in Kubeflow today is substituting a user supplied value into multiple applications. + +Currently we only have one use case which is substituting in cluster domain into virtual services ([ref](https://docs.google.com/document/d/1jBayuR5YvhuGcIVAgB1F_q4NrlzUryZPyI9lCdkFTcw/edit#heading=h.vyq4iltpirga)). + +We would ultimately like to get rid of the use of vars in these cases but have not settled on precise solutions. Some possible options are + +1. Using [kpt setters](https://googlecontainertools.github.io/kpt/reference/cfg/create-subst/) + + * kpt is still relatively new and we don't want to mandate/require using it + * consider adding kpt setters as appropriate so users who are willing to use kpt can avoid dealing with vars + +1. Defining custom transformers + + * e.g. we could define a new transformer for virtual services as discussed in [kubeflow/manifests#1007](https://github.com/kubeflow/manifests/issues/1007#issuecomment-599257347) + + +## Have separate packages for CR's and instances of the custom resource + +If you are adding a custom resource (e.g. CertManager) and also defining instances of those resources (e.g. ClusterIssuer) these +should be done in separate kustomize packages (see [kubeflow/manifests#1121](https://github.com/kubeflow/manifests/issues/1121)). + +Having separate packages makes it easier during deployment to ensure the custom resource is deployed and ready before trying to create instances +of the CR. + +## CommonLabels should be immutable + +As noted [here](https://kubectl.docs.kubernetes.io/pages/reference/kustomize.html#commonlabels) commonLabels get applied to +selectors which are immutable. 
Therefore, commonLabels should be immutable across versions of a package to avoid causing +problems during upgrades. + +For more info see [kubeflow/manifests#1131](https://github.com/kubeflow/manifests/issues/1131) + +### Resource file naming + + Resources should be organized by kind, where the resource is in a file that is the lower-case hyphenized form of the Resource kind. For example: a Deployment would go in a file named deployment.yaml. A ClusterRoleBinding would go in a file called cluster-role-binding.yaml. If there are multiple resources within a kustomize target (eg more than one deployment), you may want to maintain a single resource per file and add a prefix|suffix of the resource name to the filename. For example the file name would be `-.yaml`. See below for an example. + +> example: /manifests/profiles + +``` +profiles +└── base + ├── README.md + ├── cluster-role-binding.yaml + ├── crd.yaml + ├── deployment.yaml + ├── kustomization.yaml + ├── role-binding.yaml + ├── role.yaml + ├── service-account.yaml + └── service.yaml +``` + +## Removing common attributes across resources + + There are often repeated attributes across resources: labels, namespace, or perhaps a common prefix used for each resource. You can move name prefixes into the kustomization.yaml file and then make adjustments within each resource; removing the prefix from its name. Additionaly you can move labels and their selectors into the kustomization.yaml. Yo can move the namespace into the kustomization.yaml. All of these will be added back into the resource by running `kustomize build`. + +> example: /manifests/profiles/base/kustomization.yaml. Contains namespace, nameprefix, commonLabels. 
+ +``` +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml +- service-account.yaml +- cluster-role-binding.yaml +- role.yaml +- role-binding.yaml +- service.yaml +- deployment.yaml +namespace: kubeflow +namePrefix: profiles- +commonLabels: + kustomize.component: profiles +images: + - name: gcr.io/kubeflow-images-public/profile-controller + newName: gcr.io/kubeflow-images-public/profile-controller + newTag: v20190228-v0.4.0-rc.1-192-g1a802656-dirty-f95773 +``` + + + The original deployment in profiles looked like: + +``` +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + kustomize.component: profiles + name: profiles-deployment + namespace: kubeflow +spec: + selector: + matchLabels: + kustomize.component: profiles + template: + metadata: + labels: + kustomize.component: profiles + spec: + containers: + - command: + - /manager + image: gcr.io/kubeflow-images-public/profile-controller:v20190228-v0.4.0-rc.1-192-g1a802656-dirty-f95773 + imagePullPolicy: Always + name: manager + serviceAccountName: profiles-controller-service-account +``` + + Moving labels, namespace and the nameprefix 'profiles-' to kustomization.yaml reduces deployment.yaml to + +``` +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: manager + command: + - /manager + image: gcr.io/kubeflow-images-public/profile-controller:v20190228-v0.4.0-rc.1-192-g1a802656-dirty-f95773 + imagePullPolicy: Always + serviceAccountName: controller-service-account +``` + + Note: A kustomize target should always 'build', so you should add what's needed to allow a `kustomize build` to succeed (and for unittests to work). Defining a namespace in kustomization.yaml is required to run `kustomize build`, even though there is a namespace override in the parent kustomization.yaml generated by kfctl under /manifests/profiles. 
This generated kustomization.yaml provides overrides using values from app.yaml and will appear within the manifest cache after running `kfctl generate...`. + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/TestFramework.md b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/TestFramework.md new file mode 100644 index 0000000000..81f9ddc75a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/TestFramework.md @@ -0,0 +1,11 @@ + +1. we want to version the generated golang test cases that include the resources embedded in the golang code (what the hack/gen-test-target.sh is doing) +2. the generated code is a known, passing test case that is used to compare with PR changes. +3. if the author of the PR is making changes- they should regen the test case +4. we should also do a `kustomize build | kubectl apply --validate --dry-run -f -` so kubectl can check on the indentation in the yaml, bogus values, schema checks. It will validate syntax and parameters and values. + + +5. gotest close to package (manifests) +6. golang is not brittle + + 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/assets/auth-istio.png b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/assets/auth-istio.png new file mode 100644 index 0000000000000000000000000000000000000000..9991735ad6e9616b41cac830cdf28f2335f51908 GIT binary patch literal 48213 zcmeFY`9IX}_dl*ZZHh`Il(noOl(j|5UbeAMVQgdUOUS5HQg((ALWp6;I>QVmOV$u# zn6XsIJ~E6kX2yIUdcIz-&+C1A-)`T}Kk%8KsBvBAoa>zXxu0{cEBe0i-J^%j9pd8R zI;wY1$CQg}4}ptox6Q%*z`x82{SoHkddj7zbJP4WX(@~Qz4=f&*1)aCJtG|IzQOfe zL`1Ik!Y;cT4<7g)6@xjS+~dprNk`A8X(`P&`8pbZpR9I{(bole z9pK_hQB=yi6xgN{@d0UDJDK}{aNA4+EU1b8)ag5Eb|}Dmeb++o-0i{YPw|(_mNc!? ze%`jUe{)U!tf(W2sM8n!6C}iCbJjkeler!-**wQ_(VHiSEmgF047LT9MjP3j#RvB6 z?MCL(+QOsTQC@6nN1}Yh%%^;e)Ni5SF+4FR5XmuR?^+lMy zmL#52A3A8%g!XD=@W{(sQ*(b6h#SC}-HRx4-bn4^RRbOepQgj~p6mw7aJo_s_zH}) z7NHbECCwiYuJ~$9DI(AuRx5o zpXjHV%G?{2>p0%^d_90<5`zJ^pf$KoMlakuK6_`NwqRT+jOD;l4J<8XjenSE-~|4H zGaKl%Xub&i`j|hKy*XgOsb=67pYyEXq&LUebZp_sDrul#g}qMg2ICq~UhEJ)2^Kr| zb`)x5u%J7&fj+hdPMWO}J-c$puU_ozU;`(97Z+E;q>G{gZ)U1or@lA=wdp`=4d=fF z_l}Em&!Y>u$x_4o*PG_Q9GOM=kMM?%KFa;tnKHL0Et|tlJB;HX{tBQQZ%+?~uXL4!Od&ubBpSO>cl{w~h zM2DoGJb|*j_{I?piGC`=25?e{DB+8UF?{V}O##Z(_iX(75@vimy1hQmY|$y zZWz6Nrs0GpTE=#4bMQpJupBwQb>`hWo_*c#!{;aOMB7isxGn_Se~)_M7vc!IjKFBW zbK5NQwOgIuvK%A5Tak;(anTM+{bA!tZp;hb zOq0CX0R>q#6{GSz-s_O3M3tLxzW%TQ*~q)_T^A@d?;+Hbax8OJcxfzVC}W(c0t zYbGaNl6~uFTg^VR!ozWWfQO2VCRbAomwHD6V>fD)c!&4Jy{n%)=wn9+)p~wO+8y7`#Zxlvy3GdGp+IZ zBh)Z^S`}3m9`aD!QOT_OEnlN&SGKAy??T!K%`*)_q3e$g#M0Y-_OIoHfDP@=!Aw*S zyBP(HkNM(KxgC-USeCl&^&(C0z+4@|eA4tWe~9U04)Sh$Tm{|yH>xo}tmAk~(ph}nIqqoE5zX;FS&CsiKro8KURyQgn z7L+KNt7Q|kJ~4u(*^{$BCj7&^5`%mA@6gvL=D<@Sv)u{iGOst3dqyo!j7OUA#&%CC z_H3};(8Uh{aawmjIb~ejB5aw)+@%@H`dP_mJW{v4fJ__^dGqHszr$t(kAT`bnC>~b z9luPjVLo`S&Mc1*l?QN1mxM_R1;sfbFor6v zCnyZFO}aImDMCPhtV2oXwXfU(8+yh>FHbNaNnpIz+kq#K9>MP3fw`);Ghg@{d6sVU zUS%px7%%lw9j0C&-1}Z9PV&@ah&sHQ3ND-uc`oOcRxd&I?NY!mvRvZ?=(9&B8ONxj zUAOq6!s+XSSo$Z_c02$e*@4>|0LM6K2VVrFBqdj0t2?5&ZtKPf7crr#_azU?UPhUq 
zs7%K<@bSeGBJAyno2q_@$$jn<@)U(ee*4?WcF{huYhOBIbQZqi9?cAp-_!F2EE_2~ z5pqiAq6Dslq+?;rfuW|M+HigkU*9QDY#36Z?ZK`Y@=C+k$fUp&Z9%=Xnq+Q;3SdTXM-{_WxNDbR%mh1KS~JK*yQo+Ir; z2n0ucE9|RbKX9@j#wlT4$0<%?$d^Qw%!*+1Luc!-9aJcvL)q&Sn|2cQZ@Qn7KRQT_ z*R0ms=fk#nwagq}csafCzw$_1Bh=H$+ck7KRM!!we1M_s%NFbR(e-@92kLoSmkm!H z`)D;f260D$A&&IY@5SYdwMPI+HGJ>&8E0(=PBw;fW_#Cqp|oU>y)U)1>C-m*#Q2e1 zMVfs4`ML%t$V_|m=EW-jX=SNc!(pk9%Dy1Q6OQ>#ceOo>ySLxR%_yr zW2d)Bh5Fj1i&=b{!wM^Ig{(Kq(QSOMttHle&pke^Lv*qgfj3LjN$H!osc5`zdokv4 ze$ZgP{Ke<36i87eV$!{z|1@S|_1(SlVBMqz<5G*nk%l9wVR3^17Ui7F`9iaOR~Tz? z+%tGf7ryJm^#)N<04FjoB%nX=mcS{gFjBFvK(U3EvG4Hn#&H}QGVuXjVw7Ubsb$hW`;wAFrb6M( z?-ZIW28+_ZAL-{eNvBR~mLMlhuAW!f!^QQ@bL-Bpbc(=m_Jd4R*<3ADgF84e1tsk> znT|@APLAYFC#qHlv8hjD5cOYneb6c1G|kcCSpw1mD0We{fEF@Yw~V>(7e1fD+F0q& zf4~INZ;K zcu~>>!eB4g{iN^flraXKx6!m~1LxaT>-*?(RRn8(8kEaB$1QqySbO;K!{xhEL9{9d zq>AvE@7+z7=4_7ep*5b_uiU~&8N1Ob95>%NqxvDNEjB6ZxWTW92B&rtK72_ApdU$$ z*G^X8V@2aRPRVNR+v8xar%45&IVgLMf3HG&%KFk5-tX5sd&CII^hv^YNGu02qVKaD zf{>$A#;%`yL=K{kRNSO5Ec~hSy&bh*bZY~aAZS_IIGyAJ&fr3tql+i_lk@Lw_+!DqLr5SE7Zb`<0-M1WB=onQ||f*-Y@)&(CORGqO(0 z(CLNS1>by~V%UDJV0ev+Uon_08pXp|ycv05vdJ4roWLg~dlNoyU=|j%u%2d`nRqP+ z(x(=zx6I-*DfLFOofizIA`Z|gf)r4dTD#G47b^4fKK>L|%}`xHS;>~;`sZg(j2?ht z13D!+ZfY@~Ovk}wY31B#Rt2_r8pP-1uIbRw);1#t#PNtPPKrI`{BXl+)FGBJwA7n1 zWZk?(#{=oH1z?(fwT&4wq3cg~c~dh1Ke!LSg5l=Uf0-U_&&PADXJa3ewis-M?#<%Z zlqjjs;=U)gt$J)g4o8>1uv$**c|ZD4291F}L8q!G?L{__+&La=9bMFRNplpd!{~5U7a)AffsB6Yg!6ab%UmCHzE%3GsL+U`um9A_ zhr8z!FtFmN%5pF6DttiVi{YcOYlxH3pxIhpFyw`JHLlRZ`xnyBHLQ$zu8fHc@?unN zWoH&|;m(_f{r2KV9#2Ulc1i_m+IF z@?+BMwK}<(Z<{lF4jg-u3BC>(bef;*f^DG=r*B$x_+tWC6@wEQtGgZ5hqx@O%CJbU ztR&btVc)gqn$80ekUCBq+MI!p<2e`OSH|s}G&q4=TsI6VuADW|dA|8bQA@9FX|C?g zT;z~I|A8`|qza9*_D&m0eeOj(&PsXV^7JjznKcs5EiAUGOoUVfFkUs(fd-XZQz@2r z`jFn?VGS}B$nT>Y4MQPbqS*6Xhdz&5cX(W!Vr(pv*fnFVU$frpC*MD%w1`xGs(iY3 z47Ch3Nb@+q)+^E&94zt~KrU0D%Eny6=#}%~PK%Y&j_DccBb`L!!JN8tT&LqQqdz2v|Fy+F! 
z;50c7qKFPNo18Uw*~N9^Z6|vBj|?3{yhEN1Axr9#jYPytw}ykth`p5;j1ng=_fJ6_ z@DCErwa;h@3D;yU*Wgu?Ha%9}F{Tc2y-c0NX{^YX{lUqf`Hm#6bV0a<@@8%+*$H2H z_*or74Fh~R0l|t}#Td9CX3AnhVj-`;yq}{DI+B!?*O(92Yb6Sof%ZeNv(++2=Xs{b zWl`Yd^{wG%htS>dni_examyER9W@_WpLgxCya05ZzNJoM)pYHGbvauVEr}!I(QV@0 zZ5a|>XvEDgGsN2Qqi(idG&i1C7;` zEWB++F_aR(TwHES)J%XGn()rIFSJG@yGvX;RyK}=6IH*B|# zPol%<@fK~QbCMPVzT+ViAx%43H-4popW(SLw@1r_;uRiJfI&4@hj@j(QbEnoWQU&HK-M?v^u~Hg0!Sa?3bm%*%7|7hW`J zO2?7@0tBrOa^j7ZtXI4&_|r4l&YLzJ9JKy87i*%2uIv}qjh`(z?wxrBx(i6rFu+0p z9D|HB|9mE3UY*T|8v6dCnK`0L7=1WC0bsgENLG@)+CAv@PSX516a1?q5qxB>e<}$6 zkCx&Y-gh1GV!Rz^doj_*wgPmdqHC;4X8K421tm=w%!hgFFb873$x8$wtngImtx|aE zo$&b@w9c}NTDx1faL;PogQ*Cp#)$~=t=qPpumevOw~vEItIUdc-e#qzT(GQ$^5b<9 z6bF+gmD*yV<@Ph*Y(no=Swb~DO2QXuQaQ%h>SV>tF1aEP(d%HW&!bCI^TTutZ4yX@ zn%T38jNOv`U1`oQ@~^}O+!>xwgLU0eD$#>InE#8a z&>_y0vC_E7uFn=*_A;x>1Gy~(@n2D=FYZLg?|#*mNM5{TLf7|RMWiov5rgc_UCB7I zT#_GTUuVztIcjr!w_Wghf5hdsy=FKe)VspN5I6CdDoLY5N`-0@$U+kydc{_f!NSag z_;_JWwXdxu<2z&qmfE1KFcbud5=TnLoaH-I3bCm^p-ZajvER6>5hjjK3z4wB3^mQ&T5BiGr4lwI34=0x<2z9SK`Y6`lEELS4fW@0XAW8@zZs zuTjl|>y<*%Q&M#_gO5YHPRTTz&dO;rOw<~4q*9(xcRoU)?fT-_-SuVW?8na>Gm$m^ zQPutL;RC!p?l{MPQk2D?3eB zSjx;$AMa59D<1FTBovXXH3)HG!!trzFONY!1eS(bm|vPgB2GzdHUKI0(vfo}^$Fcv zTpiwvK0ip5@f=Ohxo_GSos9k!*pQFvx3sn5oxb;kdc!Dfb_rylRT?ky8#<-N4AzGC>RzIKWjQlP$lD|WeIBSvYv5_IRwY?fNUx3q7Fzor5bsV)2XWDPi8$V7Z!Ks(l0 zV^!W;&NeleJ6Xr$Nm*r{L^ef@z-uTFwZo2HI9}RS6C|Y`Bz_f4Md~5NCMdjyDs`!X z@y?d*Ws2^Z>=1L#_RpZjyL=BvbsT-$(O-QFr}|vytOA8_MF81X71MWu>;aH_=fi-V z@bJI~6D-nyj3!I4O&TS?n1Ma(b4wf@u9JSOZuvEP${m+2ql+I=grddU{rqjOBFi|vCu?;YNv&o{pGI?Pgiz`NRq}pGIxjQRl`jS= zby)sF!YmtQ&pH6$lYgX|+@>k9C~dqIxShea?pqAqY_A7coh5ZHbjZOoNovX>psrjKAwVHMmr7V$37cSh00-`^PRWDp~F9)laT{ z%pK@+htVnOV$D!=?QU+^&-<^eXU0UC8|;;jOWSp}fi$J)Vf8R2f+}EmK%@%255kf}R~lS+cR9`BF(*2_uM~ zWz+PXX%c`3KW;x+JzE8aEo(-G(L%8;4q@z&dpTO_SGz0P3Kbn{SH)~_61?MpQ|xm( zaP$xa3#50#%3$4ERX?*x_}?l3Cuyr485%h6x3OJQBmFlw=bIJvy;`a2ivx1WVb`$X zBV7y!)8dml^rzeG;GGs?n)8zhyg`~O&cb3mam1o)EO}DkpG@~xtdMU?m!Bx<@|@rN 
z4Db^)ZDEYTv(twC0svQ^$r&XHJJI0zy4hEbr8Cc~PkTetY-Q~~c7Cc3NRG2FnB-*v z2^H=DI2T7}kpdqB*aSELiE32f9Y0Zj>MwWzuK$#074{aDctj{U<;T7Q$Ig^H0x=`7 zBR<}Qh~kVElz7~wPHGElICsoS#tRAD@Di(?Ok0Y=*c9j zWrJLrKdj8*W#!PCiH5?p*$&ajok9r85z^EG?FZ4-FaO~T;{9hiO67Osdm=+=TMvqk z3I3K0iX9vZvG94z*nzZZe&AHJT5qeE8;IcpDNmYr?b&a4`Q}7$PI&g;8H#Mu07E`9 zjJ|!N9}6XN?x)w>2{37P1EvPx@pi9(F`$t1m~6mp(Mcu*A zw4ZI=TJYn)9O$}fa!g-7vkKAOv~m=1D}d_&+0V~eFYo7GP>R-nob}Je#?nuQZ7ca< zYj>Uxxc)us9agB-ns(8jH#SWrZ$16Lwt{>iXKzvr?{9tmuT>QtZSs7F>1b~KoWJI} z0pG>7c^s^(AuLMxpIdpJN!ERmPWvA#HocLVPWzubUp<^3=2)SC(}uo>Db*SNm-@5Y zT=aeajuH*}fm(pd?8GZzsaoyN;s58X_Ryo4&Hwzq<58d4KO2E>?xemauMbdo{%aAR zh<`5vL`>a3i~OTOAA1+&@V{;Mn8M=&*o6x)&X3y~J`qouK>qHK2kiRKf-en#&3C{| z_}4RL%g)aKEW$G;{9lXw*#7q-fQ9}4S!4$@{#?vv?it&`{eO;hO!&vY{lfRfkX*;tPFxRC^;mq$#ta0=t&%wNR55_B|RHm^;2_@_4 zNv{7`iy@u>p2m9Kv)D51RQkL7Qx-2^V_TJ0gq9f@t`jXfG`jTToUy25R)WE@Y$UkF=5Fl^=*V?jD;S*hue-0x7yqh8G%UB+* zn#I@D)Tl>q&W+>g{B}{_`-@C+_%{#l`v>#^5y~9kNF)*)zA@^$>*iH)wSc)l+!48d zb-w}U20#Q*@4pmH+i{Q`yq^YsN(8n692+=&hWNq%`f39B`TzRQXwjW@c0kE3k{U+! zHH*wYc9y@?p5g4UK__j2_X~T5G;FU1%QuLOMO5siv_!zA9|w+W4{JMwue|y5ScUZ% zc9Z!%(5+J|5xlecUomdL&0295CVDrXHvm2Olpnt-D~ZBm`~jsU9v3oa4RcOxJU9|E z=zB!y%9UFGPWl3N-c_(KBT860^M9@~*jhT+cL)-=Q3pOMMZ)q-Jb7eLwGsS9RgPO6 zUDJVfHVem#l$2J-nT(G5&GRv2<5*r3_18ByumnNFcULaX5z)f^UB5o>;W^T)&0#%U zCe;9^ej_u1ES#fgek)VW*kSNK+ys8bf?TJqRh1!q=)M+J`eO2C_7z5L`Lwm7-;nBT zk&Hl)LHfANta_#ccSP#7zH}PRN1K!rT`f&mVN*f5=NA~YY->;W@7YJ{kiw}K55&I= zuXIDf2g#_2Cr0^eVL!sKQQ=_xkCM=fCX#s=v^kp;QWD!N?-aMVHU(}Vmuijs5A_XO zGVj3OiW1O`TOL>7tj+u7a*dn69?oi9{L&v@w<^GO!Ugm! 
z>?8(nk;SoF)=oB}x!f&nj0~0>laf?kPs&~yDE9x;LZ*0#g>J(`=}V_l&G5@x^kx3{ z3b0UiqwK4r+oqS2DU76RouL(F;>HMO0%kyk)EDOMWp8?>NqM+w% zPqbsO+mef9X7zWcq_N`E=MwH?WXPYQi^aqm-CU#zUC%RO^gqc;dyvJF>0<%5mm=fG zX%D|OK(YJTi(u}o%Kp%X$^uf<3p4Ri$_qQ*TQK#<>+k+-iX~b4m2F5MRqYsAK4kG( zu(^D8SgsZnM#b_uu-ApdARweRePcTeVK*@(w}PqvSzemHZ#10C%pfI z7VZ58WOe}z%|eo5Nx{z7d{ap_!o%`ZvLcoF-OS|WZdz3i`$(=#Q|)S-K;)yASNnv+ z*G~WtaUVlvwysxYW--{S?o)M1Tr;ACt~2^t3%xA;$Wo+E@3aDl(R1}TF>Qgt-+LHq zTUV)L8qfAD7qiM+>OCWSG3B+s$T)^qr^YCFsqwY`W4;G2r17*k1Ey)1V5E-OEdjdt z^H!}iEhC2^EZ7m{?@upk-&R&WYjX0jj4~CkE@lXTPA->dQh@-Ny#R_#S8@fqiCi;X zA<`0-68nM#01WIvzZ5g3=2qlWg1R+uc?fw1t$lOr)~Aa0P#Fd6*OHfz2>XlYt2n!2 z<7TUiC6$jid+L~jx#lWjkv%hq_d=c-8T-$#ZE`2KtVIh2JrL(;ZW?nh06o#BS%QCqBAV* z>5MJhEcUv}#r1YV+skE8`#Ee-`6LJ>NNSE}pcO`&dwvqKU#KMy-w9OZg z<)zLBUFd0Y-xlssvhR!;obBmrH*&_l6P5aMK+F7e8Ps_o8_B}WjC#4XE$du$QlXMV zr?F1$abJJiNvvWcnAoP92Lxa2?4hKWIDQMrJXGk+m+dpAhdb??)Ay+jDc)1@x(22~ ztIoFfJS@dfWI7lrV0D*>VzJDp22RN^h6n`0*1CH{aAMjNnrSFa*&cc9GK~%F@J^Gn zKi;lrbIASk(_K3tmfpQ`9#DaVVR@)H1_%AB{Z`t-%h&U5a8fSNr>I-*R9an#xnibq4-Sk z9!t15B}s4jHd?RdH>#(xbZt;!&?HCw8gTCf2H zdjnc=-K50{+VV?XBj~{i-W(o+Xcpi*zLQEQEs=Q1#-f4y1f6TBCU)cRO zTmS;`R+5nP^~+oSzqx0hf-zkDHFhEt>N5&S+ee>_h=?5cNd!k|p44aKLum^?cHmtJ zi!xsbv3Kn(Be`XE#S+VGL7c5@&9GPDe+SxK7n_<62%irCW^8A!`#JAn4At7gh|rn_Tddb3f$lCFU5lBnP-9rN zNoQ$v0WkLqbzs**`nnnyfT0ALNY97CN2}WQK!q1oSL z!a@lR<7E@=MVgvi4Xr!7h6mvSB{;RkaNk~b?aQ{0IO2iajyfuE+M((}zV1sHaI?q? 
z2q7*-rC{26&i#KK2Dy@oTq{1IRRD<|T(pecSMnRJl zx2224El*STBzFa$AD{R8kq--ERzus(1P_;5S5T3P-aF=}Hs3LM zul5=!7N)UhRu^y)M|QGsf=1t#=kV*?mPlmdb?wcE-HWd!skRs@&>2$;Mrh+<=D(m+ zWTj(Gq9G1;wav1i!)w(4;tYta9Gz{2FTvgqLP(Fbm6C~=o?!XcD!#bAR%4Q5q zHZYjry5KDa2^QQ*vfc)5JN$5mUzt~X3!m41JEL}G^ z^+IVF^b0yOFxrJ~n<~i?QwA|=6dJmkNeXUu=$@}KA;bzOKJ}`pu+3pB<`q3`X^@DG z9B{?Qh$LPS%)FmUwqH2719>j~6K|psdh_GDJ2{hV+E4H%T=|vF+yt%c7etmkS6~W% zo2%pDFv=eGw8Zb*VSVM>tI8F9$oHge_D@*wKJUhIah5fwjaIabF5^HVVO?s-oCA%) zVSnBh4~* z&h#glK=aw|%$mcfL;GyB7nS*rX-hqkai=jK=*@Mu8*a5qk}n0oi$e2h2lSflMU-{_M56vKHNTsxNKl9UPB3r#!ioZ zBs-J(j%S`U_&5%~8kDX;*r|_q-`Ia_yXyzG{rymcz|HE^YwO6!h`zuJHfAxJuHSHq z4Ecyy>BrWs2RhI6TMjdZ9@|15_N8lyo&9e^A zDlgpamU1VksDRidWiA=RPB5%t^<=wKu;v-9qVP>fA8^({In9;uOtew$NjshpCVJuE z^9#Rj@3xcR%*1!ze1a9r*Om8>rV6NHK-LZr4`m6Wn6mw)$R+*at}HgYq|~NQcBc%e zsQdz4q5rZq_t>0O-|JxH8-_DYGQD5@@Pl z7DK2l&hkkJ^Y@mY=T|vvA#vG)V98sSGp<*1wT)Pb?^!uf&k6)L2I%K#5i44SJiTBZE zGFLGmvUe?2-CD0$%yJ4YKDf{VHq~oS_L0C;z6;#4{u$J5DGKycF5U(P$FsdRVK7+u zTm?orWIC~8ap|{Gs+|3~4TRpeKsz9jUm)zgc^qZ}uQ42nOq|9!;#HC!=~ZZN(5sx! 
zCwoNA$PlE2Q^!a(-*iBSY%@XH_(eJ}mO#CKJv@l`xG<@6^(LZc_G>Pqz3rTPE!PEoLo4#n^ETKw!Uk7 zkBJ93x+^QJt^W5cx2x`KfVw=L8!gj~RKR4E>t9qDI?}amdVAR6taZ%;+t^*hPQkE; zvE3G_BVeh{oK1b0XTy(LQxBsz1pvm%x=y2iW*TYlV2(G#B4BY?_8NPAuq6jzLHuo1 zeOdyT;O@K{*w5ydO^`JE)1`KGm2l=Fnjn-aLs%a$IJ&XuHCZ3xzgfks#}t3HW>!_Y zf#Kkg8N?N6>FhdsV?IqE$_X{z?cH7u@U8nxH7ilV@Y)~gFd(LZ{tv*|s&3y>mpm&U z+RS{UnCi?+y2P~A&iA)X1=>V+;Qq~K~1>TS;wiLeo>IiqCVLI=j z%})>V&vl^pT9RvEq-uBC3~7;w_V#g5lVC=eDQW~$#{O&uERnGA;p+g!?2x~C9AKp9 zrIHjhE1>6Bj-fq6?%)Pyt}?q1?nEz8lq%LI*=q)K*mPnyTFAgsRz0jwlfIPk6~>_M z=d;q2g5~TG*h`&~vZLzPz*y%AvLXxw#Oum35!BR!` z=J0iCXjxE_*MF?J7TGp#Y|zFR4Xi<1D*<+?KlO#B{_JlfHWSJ6sFa5IvUwdLp{FQ* zx=G-k^3rYdiSv>Ksp#Q8qJ6M^KGkEBRsl@w!1mVG$YE zx_ekQ0^HcvA(Gx}BM&o#ropEg!V9HhkjiY_zfT9f#!%V1&#srOC+B@#xmdnE(gM zMv?I2k4;lMlr9Enq)E{8wOHQ*HQ~+EKk#V|C+g|l;8W`w+N@dZ^QJxf_XEUAfNHBt z%|zd~uF!s9;eU(I3qr~fvx2cY>nb&eQ{S(i1$xC!)Uef4{*eX26UUij-db>3tH;YT zk1~fAg}U7deV&_oo4BLsZ4Gog-fPVyaxl8VSo92*} z2Cbn*rk$voYiwn2*Ak2BRvv_fn?#8Xz` zA$EV_nJ>{RDar9XIYdI}`);`S-q13w+Sx@b+Qr5~@0<_ecbE^qHswc}^~pVMffut3~4Vx z(cNg^)}!Tbo`%U{em=a5FG}tUfe&~>lpLRVPCo-*R!kL;OfOUJP1nl5KwShIyi{B; zK;u-NI50u4FbT7To@+o~{ucbO3_&w={l>X&v6NikzBTYZ>aBO~G-y<6*=+Rdlju8I zx6>{0E?cS=8^md%wu@%!x@BPLp@N}sEnCJ=!#QOajt{5GC5L?JZ7H+AD!A`{xwr@8 zcq8U~FzXNVD8+w_*=R*YZZysF!0WVd|iV#i%jM;^_ z;%NF}O1~;l@O#l#oH~DvUZ9a(uEWN-_{}@ajeVWlA_RPXWo6}^ZolZ}m#JRow4Pj} z9{!d(qYBK>FEL`7S0*#2>0`L6g#wG+$R(&873#|fCY;hjC#?az(b~EpXk%$$ym)K(*EIY!Mvb2hy?dV~rlLMc zg%Enj^fYKgW?l&B(jF!05B~;Vlb>2GDU*K2tD$}xySxwvdO;SShwIurU)(5@Depw< zC-=QmY3L8pU&@pwsCm_-`)ocqidn3eejokpWO97QefgQB$;i9$+~nG+a%GGS-K1bh z#ev+_2Xs4vL3gEOT|D z(yJHLLUoW9)!KN`NgI{RO6y7%&js!hEz>KJa$aKjdk*m2Q}4A9ALVt($`L}2na@Ir zqWp{oP6a-=hx$$f3z)UNc&g*71ZcLFIv;f|7Bt*2wj`S&Zh;Zemv`(*Hx zwlvdnbB3ViJ?=ygFZf!$F%|LP1JNDd;1Hg39jeRLtQqhd7ocnA!F-7pE3OSiza|Dl zSLOq^Y2Q|!6SNx~W*>s(=CZ+qmtL^+cTY(? 
zrp|!;Je{nKIvgCBx31MCVHO$Y>0mG%5sr8mR9bTAi#5>3Ld?7HsuBLOPtzzDNay&gDiWfS+P60WTp->{Kkm zYGRYGfNvSWX+LiYe-sbM@YEA77r%nKZ-@2t9kE;%6FHQ;mzl7=NfLfJ(@T=z9@wVc zoLm73Pm4=#amnvW^|=%&wJYI*TeD0}@{z>~>Dwf=)q>J*Iz0>Q z3FHYB3>026IMS_;PcE7dP4}s5Muip8<1oeES@^g+bW`SFn6BcYgMW9x7TCdU3Aurg z0-hqRSIsOC8~6IGL{3DJT%0P$Wooml=m`{jL+~=mEkXsj^kEfGWBxF{hlph@Xd>mW zU)^T6%@AL%C};U^-VFb`O+Gc0eeQR-~OUwPQN|p-D}}? zfShY~13A8NhFBR{)yMYGWhjTND^>C8^nCE7o>2uRLSV$SgsI_E@khx&3Z#@$&**Pl zm9B!Br4CniP&|8i!=U`ZcExS1t#pV0|1uUI0hyFMDg%6 zsM+Zk@{dwpPa>GRO!{4yM4dP`FfPtr)=eam#uwyW&myq-0h6D#EUitnQ>B*WfQFs4%BS#9R zDlE%*dfmYv>^d4On8{>*fI>}$f@KE~noRJEk+k!;mAVcz``CQ9n06-Gse*1aw(?e< z5Cmh>V;Zdnm^Z;!POfnz8=^{ZE0BU7VKFB?#aEaD0v{t491SfoM9LF*FF~N`Sjt9ms{Lj{6+ zjS|83cY*i89GtP&NZMYUMB{7Q=<3QZ#asRSr$)~!QON-ei?QIz@TPCMw*^YU1}Vc< zz@sbXekc)jG-FE$7^&-9!DYqbQupaA8(#r20=uQ{`xD%7>Dm!NPA|2_@O}xgtc(|J z2yBVr_g2e+W%wLO*D4-XUl#oiQZN`xtd2oSKcZAHh!+Mu`*^j%ul*9iAUP%4yz4#o zOsL^EyY#h}eW=723aEOUKI>wJko;;}rp;ti9arm5o7u^KnK99~`<*7cPrG7i?(RT)K)YjsrSc17t3w}lg7xq!r@oldfC9UUwu2cY*jH2r)%?`?k}zN-%l6s{>~J3C7VQQIUNcUaZ!QsJqRED z;O~2T;It%Vv;z&-_0PeR6;wKLKvPo$sjQ7>3%L+br@tilkW=`REFA^Au zU z0M~pzdT46YHRou%NBsHgif5Eu4Bu6FQyO-xUB5J%!*%I|k=jiBT|;q##0|h+5(j~N z#@P~ad&KO(vTRa8A`*cKw6a;@-gGF4CUNngL@Kk4VweZMvh>mXTBtXnYV5bZ_>LZcKf#vs)FFK zn4pRo)r>z26LWj00@1woXe@B+M50t*XX-A10+q2Iv+_+&5WFQkGnQp@-OJ9s3Zdg_ zlXurqy2(O30KcHS+F9EhO2q zSzdFcTZw9WhGF43*{J!R%>W$u*#4vEs-byJUgOV6B%8dB{<<}k{KC$Cj}Iu6+~&MV z#JTCIY~azWxE#SZ`Fi??tz>X<8A7JLhCZW;Iyo$Oz+*~bN?%)CrmJIgv&(ZD^eee| zY4pX!v|c#bS)URGSC6V4EoN8b7PpPsSYsg~hc6Q-jY^0C955V|c8_CLwsbuk>_pq6 zYs1R?&0i76(G%KI#eoE$@~_AV9^75Z87T7PAMvk1>Y+l3c6>MI!+*!$F+PR6dk$L0 zq{J~TPg|{cH(*)vZ-Cg`dVXUnZG3f-N{o=vIXXTH-40})_gs?1lRP5~)hhvH+&M*O^5H5S9ftZDsU?ug@* zj~4UOM9o)EI?%n{eG^hs(3y!;S|Ia#-5hIt38Q08hV6%j@5)^p+7=%;gveTaLVF(} z6WZW1<${?_O$O(|_EQhvccCJAMz$WVq?VFoI=NjvKN`h3oizr-+38WR)6SXJAT+}5 z6KjOuQZTJ76L`0t@fwoxrz^{9rdxx#XCqGL?lNDkMf@*{eD|F z9tMVwLyCAWwxZo0GQyZ#AJ3+l?$XJkxbzL5L$#Q&QIl{nRBAG8#tobCqwV 
zw#s^WR!H~{K$Wc#FKp87$e_YfG~NN#+@t&dG4>u%O=j&DuruR~gI%y8D53j?lkU$Ka|!kmgZcrqs_l2y0H2@XNrH0a|kv zv5gL|h073M`dR%*(7SnLpje;E$YZO&!SObqr?7}0j<(;vVa#m6#$r!dW44NSmF8O7 zafRdP zBvZZS*J9?zgZ$FmvUpGG7mPtqld(2WpvFj%S6XLzU>(K)XP19!lssb|ZJqpV1}XJT zu|BACME)c`&3b?wGh);vaBnzOw25nD8~={5X3{hXnRa5RF)p(vQ;^5t8LZdxqQh$s zMsdD~Aw-XI{}RpY<`BfwY8I&P@eO(vAHOC0m^<{soV3&Wy_DJym}#1W09xV>h>Ws| z#n5iR>TIHK3Y)~HujV3ZJr~n!E?g@$!b#Y{$eT?)QTWbHqyAY_1Y5|Z_y>e$pOz}) zAtq>>Y$Q;Zp&!(3i|e+~EmiT&Rp{AV*5ADB!oo66|3YDz>(|=;TE_bz>zSwg7b}wk zdH|akK>$!HpNBb3QWzKQMJ$3vViVxWi|Kay1rp~rK9>ez4iQ^7-g=9bgN$Z7I)AMj zj|1(M6h<^N8L{9Nvu}>y3V_my&n@i*%wFhk6nyfGHrMcUUrW}G z3+T9#tb}(hH#x1D0P}%thu3{h-BTxDS3qRPjn4CTasHdmE98}!6) zZ^v6=^e0eKFdJ?@9=QiZB8$#GOYkDc$5O;plC0~5fysDV00~ey=PPedLG!<-VT#Te zfRWcTgtvgypJ3!D-V!4yD<+jC=PW6WaPPXZFV04K?olm9p2K*JN6LU)6;QGAIUCri^eX*vOQrbNAhIs<`d}je7(m$Z z?8Bj-KiGNa1R$IpkL1fie^Puu>459jiCf#Bw>6|cc@JfB5O

`@4StL`)mb&^qCN z{V?!C$I^DIY^!dzxv$eCZJ6rjwj%YP=Rf`DglYo*#MbuBZu4(HA^wb~c;Ww_Unby> z|L3LKgeS17U=Y_!G*(N3Cn?2;8A8Z4vcaYNVgm6N(_GyNC_#uzE!g;T}{^vIjmq}8g657Bt!w>2_-FhU-iH;OA+hb>gB~izY(FU$1yyxGu=-ybrpf`5 z+2HY^TUOFiQV%PfTBBh-Y0hd{T$`c*4UriDRNV10YWb6Idm;1IKtJ;!``v%A@ z1ZeJ>-s*Sk8$x{7YluXZlraFCC~RNGP77M6+y)j!J8m1e4UgxTJy{61JLPtbv@34w zcc2m|pDR^~4ML;Qj`~$w+{Llx=4s;~T*ESXv0@WQoV7Q;zjhRXB`4VfSpUn+kV{tq zK?47c(ZLr;PfuxuJ%%eE9T@S3b$Nr=%c@6rSGzad&y;aRL5<5nGnN@xT+@j`zV?Ou z)PgS$zh?XB=QF23(PFIvSmXPw&({uo++D6%15~!-(8GWcfv{_zDL#LBCQ*Ci&!5Nc zMn`N0KLq3{UrJiG<_Xi;IN;@PUIV(Wg@r}wRiteU*L$d{_-Zt`Qc;=+ryZ?dsPTQD zhEeYcag@d7?NxlW-STHQOSf-fQ?aN&Zj0I5NbRaV6)ArD$-Nt``z>kD>E8hGFBO#M zfn6dI?F|LpGh7~FKG*pI*bZgOm>T!RcNrU7m7*Wy)EvD}n0iPk~8e78Z8Z1PREsZDm&e>j47a97DCqw4k}YCCez~i9{p5CZ@tJA&DY!WEsi0AU3T^pbT$sH( zM?@fTvm1&iFmHy65e~J10sN>V3yUK_rh#m(KLk1Vd{lLU2A!Yd@gccN1o3 z1$;}miDdg-Ik@xchnwB669y>;n;mlGe^162Yi!E|{GQWa#r>}c4R^PR_+PQyN5SpO z|Bl-qUwv%Z;s^47Clw$h9({IHiCZg75Hv`45Q8S#|?j=ZL}_swvaWQ`_|Y26`?CrZ**AL zO@Fn~b2$-;>r9_Wnp^z_aRnf3uf2iOh_4I^%WsxXNB={U`5@1K|GQNTksufUsZRn@ z($bH<55NE3TWGon3^Qd9+;n-<#_UEbkogBZqFV1ge(`h-ZYBS?8o_cUIsJ24hl%`H_J|6^?2)k`CX{DI1ataUrEv|4OaF4Le9?(kzh9Hz(znJ(9An(_~5^&WbNO9)rJwfar&u9^MQ0Gt@?n< z$V#%yf~jCg=bVr7KmjjD-O=D#rfDvxM|qQrd_)-gA+(~DY zwu1bUW##mAe8}(*<^7jO6tH$fosx!kL4ARNf$jiVZtk^=jhybz5o_uqzYg4AK4BOJ z$TCM>irT^Y%U>{DtLJP7U6~LN9SFuC8riNM_hsO}Sl&H`qpe#<4Uy=N7A-yG))El7AWJzNW6j$of6j<1vCvz2j zUxgKd9<+}!cQ0Z(*^R-X?KDEKH!r&xV?mR_6}dR&RBb$ zLoja5r|K^YeF>Sq%#3O``bxS>3rD-8nc<+pl$?kPvk5%p?;%ql>)r^qyS^m`~_V4G4kQ9a;+p^xU zOI?S{_AyaY4Vl8km|^ZkG9L>&)`u$1zDGv5S0gPSMzrJ!J+hs$2NbR9Vr%PWQ73ca z5u5K|)V?(idfarMcjJ0J3;M_RVctsRxF4r#y+4uiI~5ud8sasSldzH>vnjV)H#@Cy z%uXy5G1u-G4)>f-J=o^s2v9_WHO~h&6jPsZX9<#|4eAJ_Ts+odYksbs{M{o%+`Vs{A@~_X(#`?Be#Ozv%Z}(6+q9b4^>k&=6IE&IfgT2IOEv+DFB|`2HEHC; zm+Vbce^ubno;`eRs(GPivZBAD8yd8NUt}k{^#3lc!ZSDFXfF+?y|bpjNTrS=zOp0t zN@i$jdGuK8L7vESx$ zqL_ydM1;Hl<|rEZHMbsr1>w=W*V7Uf^CnB93(PC-TpE|`OTFrmgTz=XV#gP+aV#|2 
zNm-mXn~xZY<~*AV>xW*qM8hwMzlcN*McTP=25ljayJ?$q5#d41Q<_L#R(v@l_NLM9 zwc?<<8{U9u%bkqFXLu8pAnblCTh$e;(S7qos^mw%>M|%vdsuQXu-fyLw0@DUpZi0Z zUnt#}FM-#XmyiRGhveU3iuft{H$A)DX)|DnK|E4-%DV`v4>(yp;2u@}@y=n(-9B)- zF+RI~JvzT$dxymDa%j;)-UHECsCFXcRqpsn?Txo#?o=n9-JECWv}w+sKlX~8I%T>x z+W4qBQA_T!A6X!Gr>8AR9J-r!8rS(O<5Z|-LxJzYphYexcg-(#Uds$A;7Hozfn6)V zZW&m(abT`6EAr~=wHlxVPk32zv-WR^%pFu;+|}H+;uNg;yNY-zl|i!Zxt}8H=urz>6KPgs6b?{o?>bTKJgF)V#AtDn z6pj@|aY2Ih{Q%%2&2Ho6pBp<{z(jDn(% z*5k1PWj(Pa?eG%o47gF5j%Ovt((Hy>e~mQ+3F;7V6_g8pC@mdG6m%=QDGE7J#w41q z4Ostevsa3ypq)?P(;%WEx-p;izkHX%hKzg+-KTE|#D$Ig|UXtP8ffs($_##X#9 z=q%f!E`@V_3_Ea&*@DJ^NmMEqpz6mQjtZf_!ts^=o|zil+zRVio(5 zIw%KwLndt`Cz2HSX}5qQEM`9o&T3kUvZnfMUEA*&kg$2&22LID3pcfK<5nR;9jCwD zkc_49Gy{4j7MFaLy5bra2HO_63kaQ6tpqMcqVvQSt!LS@CtdE+pt<&>s>v;TcD!`+ zs;f1TI5TmvTpot*Pu&zleQnh*R_qFz&nhWt?s1a+4b5N=68xa!YD{;*;q$bPfHx!wi!-m#pf-j@agz(XTKdc?>4!jb+&=2Ze1MG)bWx(H>#dvD=+njkSzvl?Ix*@Z{-)F&WKb>|3VBJ zlKabyBzTEwD0EoA?uSjr@GXR4dX>FSh9-O2^Pcorl2=KVe&WOzXWK+j`>HyDpyTEp z1b$cyFILPDR1&JQD{t&FSM=~J=3yluRAXv0x_L3t%P-@xxnKdK*wbmvaJta*m3~H_ zNjG~L%T$N5uq%~Ir9n8*I7(OVUzurDyNh-Mq`mv-wSu4$a)t+XSg|0%Y2nOpS2ONP+txyU-pE4tAX{l z`RMmfERg`O;uF`fdvSW7JGoM&6OGDq@Lzja-+wxHpln7OA_7mGDO-3=%t3mReE?-;)NYb3&;t?Cv?mty5k?6n` znC`D7+Q`Lf&*oN?h1M!<(8@S?FT4Qn3fri{)%1V`s)r2x;DQpdSz7X;$)EJ!N>~x? 
zh20>M;}R6b{#v{6t&m~)-vahaB?ooi`E>^4WBA@^d4!sA(dOt7K&PC8>@2gOtrjxA zrY2^T+T0k%_ag^~pd zIoqt;Q|{>nov5+=<)7BSKmvzh+cV7w6*5J}XJDu)dE>nN&}D$n7%FYuRMf#7QBml+ zj+9r2gUJdt2jVAyK-PaP5uM!ls(|{yqAnRoH3^6o#|B$sM;Qr=j((owHHWS=PX|9 zt`&Ttk3=iPX=tlfdbXZl@-xgN_{7#e9*`{PQNEoK;1tRnwomGklrSsKvuS;W9Ptmp zJqnjk2?el@xuH~n)yw655Ngkd9_QhvlqVT)I`l?#nk*2~&pd@4bR=@;8><9eBXh!_ zbxb@Onj9W^;fzQQ6RJuY9y%}r)!`&^F`C9eTtNX#5hHZk52b9$49q^T@EaE}Cex!w z5@v`{tC|c;nXD3y14<|3$CQ1m(q4cVDqt$5A1IrYRVqVDyg+_mzeKd=U_xjTR_Z$T zzj1!0%KlP4nJZC?0j+kMc3ht!co$exZFz3P_;xKI*C#r=4ZqR&EwDm2ze8$}veV(j zc&YDuDTH^|ge94~Aq3}3vVESBaXXuxspRM~y&5&3I^qzTc@1uPG^6bz#u$}S#+C9+ zHHe!#URI_DO+-6VY8lOmT^;0LLZ_aVrQ|R^8CmP2l61dCwy;iK@>T2$-_GLs>ry~{ z^ItETif;9HJ?`CjT7SS7VLKCE*LKM_4XEc`_ROCT+Zs3yi;7RAkbJ3jP_i5S=!~St zHDt%b%+@Vp3fG`cA{1q=Q-4BL9MjS?>q;Q7f`z(jtOVZ3lOzKi(VYTHekf?NzpWva zGSt7*Zhog3P?@xvGrzT)VVi7G%UGKo{()<+sn<)EeKz5e%v(u5O!K=wlv*}|mH%Vd zx`1CX0cs{cQ$mA}sRNjkpPMZXGWms_U9_7&#XVD}RXUrbb=S;UX-`6gFN?@yOVg!A znfsg&l^5FH#Wz`UF;9nLAiHvb?6-j*EvTgp1WEsn+wvNpKrvZ~Ru- zd6z+@s{m-f&1(IQfksJgRN(J)Tp7A-0Mi@)Am>eV4W<0Gs`;MnFv%e$mF#uQ$?tr{LyiQLCHi`gh0s$!RCkX>+6sfXNfgf)RI-?|tzgR(N zQysX@?9xxULmnABzu*B)Y(ng7#fqUA=OKzn(792v1PRmM>)Bt8Pn)GCbZ4mzZ4mX% zhCyC3$r(~gBF9jALP#Fg|Mq~&$w$%?Lpa6pShom5_^1aXL8&u_JF8u!qeWyrM2HjT za82iLYoH%9PJAb%DK7dV7^22{$^};4jK;ei5^Tehz$OEdGhvO{D+{JXq346OHbKYP z@Reoh;U&@ryZQUl89tR^2w20GCc4~SrB2EQeGfSW$OFN_{Gy&^+o0UJ673&`!{4&0 z$HB1B{+7Hezn&8&4n9TarW6&&XT&F8cHcr7h}cREK9$Czze)*Rn86D_0U2z@^^#E= zm1`x?;C(hx1_TgF3PwaKPpQm{_9w26kqf#kX~TjuUb>vm3I+{EaT1wBrgk&9560bt ztS@W^3rVZ-@6+lH+G+?mP&ERby@i*VAt3vFG6xtPzr~ge>Aw%eA;jbOQK){}tx|=i z%`5d9Rx6k_pAoFwple<0G>FO-grx98}iaqdf(jwaB~@g@e7UT4(ZSqZ*Mmm z1WCA**u{8qHsQ~fgp)KW>MC=f!U>zD4`}SSD|125>C5k0)(UJqTo3Viw0vojO(79r zJFM!1;OiQV?!5&MpAKj&Gzej=>uE?1jUJ6+_*7q>$xD9ELL9Q@r$K-R4Df>XtfpxQ zi%In0^c#-=eU9D(xSHlO0i5*w+b|h{axB*K^9|2|f(;(^^4N5CxExSQS%(w3c=t-p zY8jHKvNFAp{u%%3)tSTg`Z#hrJaR}oe0A=IQ-tz7WRQLj#{>{@U>M%P=L)>KbOED- zOb4LgKjI8p425@wxY;JrsgSY*)c*dB8l9TC^bKV{fr;wFlWXnga`r~XK#}ap#U(Vv 
zLD&KeR%v@{a2r&6lwXK`-J)mqDO_c_o{r@F4#2V&d>lENmZ&jbb9a4l>>a;&y_H{C zbb9=#R49ePvT;7T-Ew>&T36|uaO5q>hTZ&fI4>%7*NA$cd%)%+&i+5a_Wl~*V!4=1 zu1S_U;oW5@`V>Rd2S8*8R>=(pcL7lZ%+Wsy+D_DxAEOYJJt>z$vLvff4}56EvUjTh z2ek9qG5H%V|6;E2Lzgz!Vgb4bC{ZIX&)VJGD|%vBabfoEWN?#M%Mm5{-RhQ>y8y)J znDyO>>O4RpZ-Ex})MNrcFGNfV0aj5d*Rx5p(J#|rTL5LxpDMI)KvlP}Ga77LbO2uM z^`>4&EAbQH)$tRIr=g7W=NuT-O+RWgCjl#v*AGj```;NJ;Mu>P=I50m`%F$n$}9s9 z7{_%0n8aMJfz-(DLEp?z9x`vpS!H_aK+0+6NmyxyKLZLD{wcpQl1ldVS8RIIGwp|= z4>>4b?JgfN*N*%oe)IQZSt{5stKsD}3hU&hEmGskU#OD06|Tmf*e9pU?l~V85EK-K z9X_e~?be^`2aX)xd&B9z-p8Hy&b_!Lx+Q<=^UHTTtwnE(-_tw$bbr^^XyL53;{j=V zu|^VV5;2*e`cDG>Em|FOc>fpn_!VMPA_vod^DubWdl}XUf;+!`B)i0jfD0 zy!l3@-n8U`f@&j@90ESm3*yl2mhKIydz!4W{>nJ!%=}>~3`4}T@|n-3kd^i>8ykk@ z|HACkD{R%q&;^JKoy41nMy(il5bPgf zsbbu_hGFjp{GYWJi|N;q-+(?$Zm@^dgr3tS(NG}@e_Ylur-a`j++2myP(xFzRxmTbvT0oeMNUbO4^2P9riy(AAC~Z$5heBtwUfRU|m!? z^a8oj*ZcHa$m(|`#Y141;MPhXy~;|DLNBcR2l7F~2eQ9;nMqk&va6iI53$1e1YVa& zlbxSKmMM)M5@Ek;BUnmJkLwuv9wzZYs+SVT;kmsphn#Xi69g)o+k95qaO4>D$i7PK z(ey8BoM6l6R%nq{^6Miio|UpOdF_>##4+DWE4!qCsRkF;#!EvCL|B~g3T=2(f1HbhBJE=1Yxi=9t^`Zs*;@2b^dp>Uq^;tPEkWlW#3dvvq-Cu ze}i&v#1u)Hi$voarn7v5VpF1p9im!z9yzdBLMFBOoEq_SSKw##zm zqnxd*XD^Bv0maEbhxIdV(4+4qpDwHPRx+zmZUV*n#d%gJkv(W52+9mCBi-y}eb3kp z2Zq(%^UD*N^QGy;}!{2hi4!D9mvnPt9>U(r`Jeue0}*%ru!($C>EzftJJlIz~Y3eKivL?xrF!f zBA9tt)7jMF<0Ckx3a5(onqfhCfp-N2F+VNQc08w>$Oh;2IO*r<3OjVvOredi#tydV z>xM>UcIpeF9?1|txbMd_|o5+>KnV41#Yi ziEUMks5g$S+c6>a14tnIkdL=8PSFtKi%@_*01#uwC)<2j;uV>yJ`U=4-#$1C;}vF_ zagl&)5eP4(KnV)xZE_Y|84DY)N_ZZ}7z{wH?{)NKZIj>h-zILrlk-~u`}Bf&fis@d zb~f>_QYras)8hL*Gtb4Z88}-G-i7J`{8v`OafP341$f47FEq-aYW=I`?rkztKqwRrW%Kvb>`%=09l=zYp#&|%fKuWBu)vC;raf3d+ul)70 zv~LptNs)IGx(a({g-kBzS|uQ6@>3P}9|zcdzC#>;Nm5;RdFq8zPp$tnctl%tB_oxc zrHu%aBsdnqT_+$t^}xzzjs+}il4IWtiSu3C{>x?05`8#kxmdqc0)zA#c$0f=Sz4`s z^`b;Y7J#u+C@2+Ra_;K7zRK4U{Ja{!i{HC-y7|*W_(CH@#uQu>FW^B~wq@X_7bB!9 zC_%8l4%q@rC7>}L6rkyW zOl+f^CzKgDD?FPvWb@I+{4&Lav3Htz4aqP?%GZ2-_#;lK>pZRHn8milfN#e)tA_+d 
zJ87$_H?Bm>AFJ-nyrj%Y^t7in@?IUE_y|vkZVVrX9D8<^}Kyu&i@uEb8 zW@8W;ofg3PmQHPgl8`g7X;ZSZGS1Y#o)9@XW(mWYp24onG&n*b4i`bm!6cq+FV3)A zW87<^II8Q^_M-pp)ZNK6?;cMPipl?NmuQwlWVYluvwb~r|mo>Be+ zy?K9$T0{s$N+~7R z(OXZ2%Se%=(zJmUE`Akw<11Yn@>-12%BPk3*a;gLB^Qv^;v#vBIYN_1w1>W;8D9tk zjIYlr%bwpr0()UNKxNI4@lj)UGOh_jV@r1S;YpIDI^2MQ&rO z;D(J^>`4stnKq9=Hlzf1Eqs7YqIy{ESSQbgXgVHzWWzyt>P^=CIp6%wNo}v&F6!JjSB0HUVw->)PKEA)A)p~+ zQ9qJyo@ysQ1=iHedpD@M?~CK!keHpS^iR$ZPRhIfO-%($7s!}T@fS)GQh&>9%Zd6`Q~B6aAre= z*PE7FkBqKduM)Hr<9KALx2qC~{7TB!)_4l?z6^=}C6QI;HShZ<#+i9|W3#s~n^Hak zhtQw1#A6peh3ER0$cV6+8ru>=zBlF-vFG$)F#MCV@fjO^q%3wO(GdNofsN%KUc$5& z-=k^Z5!S6$8|!;Iy;v`|QI>_$)EZ|^wnGt*y2Y&iR4Gq7YoZRSSJmlr_=aWd=9mdr zC79RxouAK*@I*<&BgdBlv%+*PVFu*;Z){H|f7@u5U48M`z(g9rdd+Z_1#`efuW&%U z{cX6;$D$eb*1}FOaJ?d}a;K_{p`0qM^3~!gJ;OBP0A72Y(Uaz77g%DlN!RnT=bsoM z#tBjX7?y1($FDD5Ko5WcA_@nyK+p8=yo369A2H-H0r4wY{yw0rUoI`+EVF{Gz)J;U zKD10I;O4B;Tmd6w-&XyLQxt>DBb$4_?1r0L6DD*-U55uh;j{`H+VTI$3%8?t{b}2Z zipmNFl2j}DzK2~2DY}f5cUyTG>)RCSWNYk&O`fwH8an9LZ@C2;zpfzX|qY;Hw^ zO08w>qAQ#-FrD{QfrPRZ2)kUHs#Rzuc?y_hwk>0%lxVz|=6lH;)3y^nG>cP0S60Y4 z3ETWS0T&6kU`*4@;k{rn2dZiu%LbCV@O@W2jjfSR96TJ8da{}%I*-;e*)@J zA3YFDR3st8(KpU{%lOw0W`m~5x2GG$Y;ec_xte-HyLYYCd#7LBwAq%c3hma!b1Bf+ zw26y$yCAPHAwrIWm+wU`7u`m}%V=*j2VLC3)&UTgaAIsBH?~r$9jCPitwXbNiN!U_ zotxck9IBx=^uUZg&^wcTqt=etdj5MMDW!_t?31nA7eaeUg$oP4zYTP@Vn3M3G@=b>aa8HQsI?O8IvrNo$`J2@?YwKgY>EOUu(EGE&j&Uj2n|X(MAydpOZu9O^=f3ytrNV-M2SA)CQetl&+0-I#>8v}7bzE;qcdg!MC@Eo zgW<5|6SlVQL|4K}M?7e%uG*ku|BM5uZu0|FDweqS{&Dir)~;gDKAvZ%)88P}j_;b( z`mGSI?Y3nDt>ji#?vB6ZW;+71 zH=_oQ-CEc(1nj)r!q^0XBCc>oZ1w@PrnK#F29>WB;@csemoeJ*`|`&pNV&?Trb*Pv zduaxGA@2Qq+LT)PQ*?MRB8g|l1ZOy z1{#zRvGef*10MgL;l%4bOZAWWeqj9NACPVUM`V(2{o^yn_tD+)@?F}Ce;nHk4+6vY ziqN89BCu-UBP_sC59%fW*FVm6@%;z&Ag}ZDCv!sg>p`4=G;CohLzoZrZHscZ`X6Mr=cI12OChQQ~auEPJvr+-iJw;J%D6aKfe|F;kSoQ(g=|Bp-kznuL4 zx)gue_3vT-=VL_$?UnxEd`wnZbK!V!S8QMqNp_UCf07AQu5EiN^Fdnr)ZJK4R1(GN zkKh{r`MHnb4Cs?klYscpQC`CM|M=xs*|j}R(0$!%FAv6ygi?R>AmZ0{M$}Xz;%Px` 
z?F#?AX};>xN9g`r-unS7r=_a7*#qFBF4HA2Hj>z^*b?-44yUTf*we<$wq zAN&$1*AhaqqSWHF{Tqlku)(8)QC83=BT)lW4lzH1TW?vd)x-LjG)av*%)lh_i_pTbKLlBoWs%%9Gs@9+%H_bdy=hS)*J|1?& zQ1eS;Gfg|XTI`?R#~(HszX{!p=Zq{M#NJOmM3GNNSZBiKY{a8^o@vLpI#^o23~NIWq%2zKI4u8irPVfQRZcZWIy{1 z-9e~*<*N8w`gg zUkPlihCif&2gmK@{IN|on!i-Dp6uHBN=weK>sh1!28hxe%1NT%mhcd78Uc~c-c0yZ zK3H^&jTnnMhG)D0lFcvxLUucf0Q__Z{quL8;A00bzf4r0mKQs+*>dvCldcb6-#yZq zXswPWNrCIA7KC? z9bQ^m(f!wNyPkG~$77h*z^0g5gW6fwsHGf>?`j*rmQUyTEdk{S=XouvO-U!Qo9~g_ zwRIxRTbkI*)^((^101xbaR{d8M`CCibDxOHVVvz+QKZo1{L(Wh_Z|fd*gjIrQQ;Ml zm37Bp{Q!3MU^Er5iPrdlCz1%=rRz8OYE=UQd<}n`aI9V99@!;)E-7=3)zA+f&qmZzwYN@{`LK?RzRr#r4d#5-rAr$_FBQ_ zdr!<0ebJRS;Sdb|>MZ)Mi&}aTXu_wxzZQ_KX*Kb5mElhuBE zXa*K2s5CqQR%U#^Ou`04B}bI(wH@~=+c~IMOExkb<}MY4TGfV(=2;$7dzaQIU3xSE~k~X>RyZCq8A7P`97fUD$NGdCi z?M|(#XwT3E_V)ZZR#$z(R=OR(^qO31px7)^srVUX9?A6uu?b$@fC(?f5qjIwMz-DJ z#l&n_AVNjjw?@WvZ!CVu;ItECUCK%7P#=qi)Y_$Atn&=7Lm8C(ToT1?nQzwK`+2~T zR5h40*Rd)4owua)wV#aZ91u-7OVOHXBplG_7MN{Mq{?UKU)rJi-ITb>w%&xQ;*fVwx2&)EQ5PT+0b;`}cER;B&+l0D(C< zU&I~Cb0o%LB2BjF1~(_D_?Dnk6UTnS*1yaO@OGHMA8Rm&4fqR)Sngi583^dY0<6QrChDHfAW zL*?WBE%NphPl5bZ>1&0n6|jJaLzWu)NfYux#_FR`5_MyrVN4VrGi$y)DJG=h8e(5J z)vyBAZJpg<{q>+_ZG%CXBBZ`8L3ow=jcUz?MlC#RCv7=K%jcm+8j$aMJPEylAIUY% zYvQyq(lM$iAWT*jD7LcEEw~@LYP}yl~5e*|!?f z!I<9^sH<96S7)w>7xb?WZPafDZl;o}Xd*7}9}XP4wRo!zaq>W_uP3C3H0od7p`W=xgCZN>K=x##vfJ4^JjA_+UvG~zIIVmk%; z383)*nGyGbo4!7)qo?$6b=-~vdbcX<9WMJjGPypweSSC?@|>=z67Cnr{k894Jgd`| z1U$n}KIFRtJL`L%OASYS1TA{ui+#?A)<}~8&T7rv*V$V~Ev9Yey9m_wzN)rRO6{jY zK+jobln|%Tzp7lGlXXZxWk7btp*s+FGmKi@0pHU~-GBZAZ@!^U8~tZu5PUl5HZY^d z$H$(`IZHAhS&bSc=FXp(s~eTl^E6Wrx}4}J$7mRB98I1`je?-)i>Z7I^X<$RKoWla z5z5XQC#L-{uu)Y{>XCnhxpMJ9eUPC&?UBi5^iAjc`N>UL<%zH)WN-+tX_5#JdPwYt zS1;k4UPLfa+ z^H(J%U42f?OXvhrBic@Cyz}(0py^2a@i--IoAW_Tu6FO&G)olyXsWyRT$eIG75kZ~ z18dn6#>i$rs0g;MtucGjp*tbdALHrso*>!dQbns){JxeTS}Q7ah*)OXwy^lMhV$FZ z=r;-Nly;BbyEiK0)(qCd5NV$l)J^q{)e>Xu3ut+vuc$5oyXfYe9cN_9kR2=~&6~)T zZ&#kT^P|a6Y$FN!AUcWOuBKRX{&|}(tV?T<;NCeH*~SPr>5_lkFqncx)1NPHuGY=@ 
z#XUOt94hTJpHqc~v?6Oql9JtiCw>KX9z!0kv*TMC#lE>HzDGrP@Rcg0KZa=u5I#|4AxyN-Cy^o62&(2$AKrA zo>+|**YxB8ME0LPood>?Y2%NMDAsZw83pGnkOcnQOT%)z442Q{?oliKp{6pg;yb99 z;as8$`0~*Qa?sUHO|P z{EfT-@+WH~{L_5;lfF{{C<+}Wyr!p!R{4uE?0}(b_&NLOADg76T1N&=O{#TQf7D+} z_{ui=b7&BCYsIhpruAI2$*5CYV#D-yO12IC@MW!SIC-R@J=p9XELke5^0JRF?S@8$ zd4_%V;WZ3*2&Ee{jQHfM8(H(mvUD!NZ&G;FzY6qXs)m|u|HsCgRDCgKxqCHDrALc& za=tmrF=?}#wvXn>_n-8i|XSSja!EF=)G-aXG0f z@Gp2;p|w8XPti~IK~=?vYkwsOr&h@ZI#5;!gBMP-FYrBl+o?Mu{!518yLWBMy;nefGLPb)m5$G_N9T{%$Ayfv zs-IC#H8rKvmsLN)p_vNO8j(J2v?dbgdJwcb!u7guhJ*#Ra)u)xWSg^wWOkim3IPM~ zyXbi4;=He5X?x)%IigM?e@l-mND)J%m`#X}Bh>+un~ z9YBcpzt^z=QPMY$ogZb26}0XZePNP*-?2Vup>Y$E_SR$0yT+83s#A4|v-wVA-k>#m zlQXD>tNXD$M*tko?ja(Fo|wAyXie{dK21=dGN=8lE<9Fkn}rDWOU zzT2P4Fh#;h9v;XEN^NwD=H3W=6U$aEpNLrTZpgQa2Hb|P>eo6C9=jv(a_5ht*9qhe zoBIrIsqwdX`>tgAz`CtK0ikzE&_6y3f*=r@pIfs5+xnb*UD1Qk5ji>sUd{AtZtQCCM)#j6rpT6BE;Wy;{%9VGE+`N~d z*Qev4TSSz{IY9hO1#jx#uk}1|-D2FAwK3$bWUyhs`W59>k1rRzt0f;>Lcfs)>G(A` z&(uD6eeST&=6!R?+D*>Awb>j~o=1JTz<<8W_s&M3mdzl6{^##nk5*<8Qt0>b=aLPD z-d_}A#wfmPtrn%qt%wlKt?z$}moLAehgPO|>fgT%luP~9!@8w{K9p!|l|M(AXgG@) zQi>hHO4xBqCG6H_>EWgc`TT$#79ATk@X2W#zq^j~6eHg?(3U_7g7?JQo%bf7=$gN% zil=;)ET2%@3k$d=-nVL?YZd>*!@a-*w0sW7J1+u}xdXU&y?m>07qd|n{*;yL=SwP^ z@9&o3TQ9`7QYPBW4F5)~DHl`TU2^Q$6Di|uO2&~x`nBcjt|6Pfd>!13%7?B06 zWZ5x(WFIZMQjThdH1>$x9A|!!Da}sSg{Od44d3%*!ftN##eE4oSr5th(II(?zY&Lm z5z0Nvin-I*T>Ot3gwyVdri0Q}Nw&fevYSz-MaohbLQD&Z879ljU@+%o%UB}@Lv!rQSh5VpSf2ZX^F7z^x}N8` zp1+^_kCypt_x<_Y_j|iv@7H@PKF$<)TAQESOS-q->*`lL6jyyI#RR1AsT_@*@_@BE5V*e&h$yW=>WP1da>{r=2+c(qm1M#d=f70)rzuBUTdI0t9ZTjct zFdfqVL5!iKJIW zWvKoYPYY8Vl;gw?8C-|mJGzuRn{WN`Skk12G2Y~(Ro-eYqUk$+lF+O)zL+d9w;T8z zYQ8pi3-e8ugcoswJBkrY@44-h?V+Y+hjjkq`WR{Ag3&g54qHmy*N|l2rprBjLH}ls zSsyM*-W(f9=y7+>$F5B$fQ~$n$%wp}WU~;2SUNi^HbR`5k+Mwre!-jJ5hS3;$VE{o zC#XqzV#39YvHXtwamAn*UFSDrr}i~p?FRXz(EPBk`aJyPOG?aqE!prF9b?{6HdYpMY;Lbq5(J9CZiy3;b&`0|8oXksiISg#Y+&Ym7&Dg+mH zpqz@r@lg?1rk7-W^A{c2lM6Si!l1xl_i&KKXJk189g$h#YOnaHjM;FA+c=fEYDejK 
z6`1g7az;9NIGt4=ybs!U05X}AS9JZUxr+EG#+WN~Oti%g`MbT`tmPq+Iiln7kh=Ou zjZOluCW-eI2F5B|I40+i+-&tiH%tYJ{T${v9Q8^YB+Ud4jMbTvXS`+JICXZuZZ!a@ ze|@6kVH5_rEn#7oH^Yg%fuDML2ROSwxc?<-3fyCTezv+JYO+P;0t(Wu06;suC`5~BVPr!=O!|D zJY0=!slW1K-868Ge(@3AqE8L%9e{uykQ`9d8kB7Vh`NqybL|8Y-{)7m%=|zZNX*1fpwZC6FCqEs;{o%J$ zyOXFr>7qQVT(%-e6Hh*4O>v#JMWAcEgI4v)sCUU(Y@=*l=1@M9-jVR*;DTLyaRSzjk%;c5oMRJ8^-_{ zzTtj{C{WukOHomA9DtY`=TDR!z;YVh*Q1z?TN`*ht?kkG&wSFS^cygY8~jhsiIP}| z%gjzvmT}sSA8G=h?j7f8t@w%EzqRGab4QL=54{Z__Bs`cNmGx4dNF9f60$8bM>fEEUoV0kvXL!PO9{S9jn z=c9S5fhUrSF5}dttU9WXpB&mWZ#2ClTt`Y6h*aOTDMGl@ezRSh9U@!LX}kO^7>CTG z`x_sYbQ5*CeKJO*sgR{d3yYfMEUfO7#dwa4pc!O(z_k%?nP^x4(EjE5_NEr(HA2Z) z8@>;iTP=oo$SS#m=+Rwzs&}f=TG~!zy!}eJvi7=Q%hBZgn{(;$&iLb~bk+VZ_`Y&c zp9^RXWfu?14vnY`{Wc})mic7)*Bzj+6`0$3mwVYAyWxR0w@W7&Op_(=jn7_TQG`sJ z!9QRh8;;xA9aB*#B?hKdZrmoB+{QN+HWT(0vSr}x7I}ltK$GGuda4&o_@Y^3?Fpme zWStTzZAavxUM;GFp4_)n}L0u0*c@LLrEFgSgog@AS~XsowHx0uiSkK&jI5biwKO6ER(#3-$vq{ z7v4jtXBzc<+czire6j&YKiCj$5@zbY`2UD@u_f`gG{*n`d%nhHAAoJMqrb#(bCCBQQPB%;SQvL>PRo2TyKI@R8+F!Xy6MYyFz+98qghTZG zopgXEB&usJlJ(}(55mI?w%i>^H1lwxfz(wUjhdO+bA}``Wb@9K6c2wwi&OJWOgh+h z$x6ssM;Iy6)vI?**wNsYQrSK8dWDuKQHH0{VUEOan9nOnwjD#;Ja)D9OIVS5d{23y zm$1tV1L0GRwQ?4V`!>y7&_T?%(2oU^Gd_FHyzL&MD?PFvv36ojCG92VkdQWCRtmg) ziU3LGmK5Q+uDG_hpfRCu?cu6vjM#TCBQc0`4jSiIrSnYJ`x1d=SVGm463Tu6%y1pZ z8;7>K|9b+$)w|7lq@28eumY9J1M+h_7q;<4n}Y2v;a%gjk%2vYer4#Z-&Ki6v~=E0 zO#=L02t|i&%nf<4)#V#9QSvS3*-4F7e3++!O{d~=n zdnLiH4|`06j>BTbo*e1M2ydb#pmCq4r`SGOjU7C*!?Nb5zL!ytG|_Itr37q!LXIYM z0>318Z=fSM&9Mv1NrTD-L}Yfx zxpFTI4RSdlNo7y)?0#fa$QqmeXMUIc2je=ucU_X>17Te-tu1xlOGSR4_UH9|Gf<&z z`b}bCD>KPn3HJ|WTwVcUM7GvUW8*Apwq9*Klkcz_m2&D>1bT%bi0(jwf=pQTfdu$3 z+o;^PK82^>f$Eu(z5S1E^yDdEo>H_t)H#^eMc@^qMzrO703XmyiTtTDRc>FF`Pg*x zI;3yLfpaYeJ{%CZZw248uL(+n8fljLuqOL*Yy#%Vk=ArE^|V#Uhg^95a92AjV(EoI zJ)w4OLPvAs&FmCOK4CTLos65gj@yEJ+tnG=r_83q?v1pl4+dVcU>Saq=LB?evQ{{;Zk;!G*u31eMqC%(Exo=4wLlSZoDYd zs%=v(IUpQfx;`PKt4nglG$6$yPIg_xb^8k4Vl4i|o_k4b_jS^X2<|LdXwOE0T+hw% 
z#3^gtOGe_=^u8g^&qn)#jXJGC0?-!DxU&8ufEzvddGTGk0V8@WNJh<; za+nhn=@!&k*83n$*+DkK=3Cp3Z?t zEhMj6$*&<~(yd05p4u-niq*?MN}ho(0?RVQXJ!3GI{2p~YguOo{gUrWy0TFSUBr~Oz46pa4vxCYV`BP(tNB@ZlwJRd9UiuOh^)o2`bfV-ujNX6 zb0lLJF_+J(EI=}UROe?M@2G>j!bMP92z2FT)hBtkHM+$qfQ3IX0W-}A-`(=?6Yhv+ zz(}X~DiJ>sSz-Dhk)7Vhh>!u9q8I}cKjmD^5dE=b(Pb8~kQ$0=8gBoG?EaPtXj-x4!6fGyP_!Lh2fh9jCLCJ9uW@*T_>uF*kG{FE6!pd%~UT}9V(WVC{z z*SOMV{H?$sPpV6+GNp56(?Z@2EXZHq&omI+yniGWn|Kga$NLTPUNT9omn=ez#0>5c zr3p2c51Z1Ii9qg(x_PKcU>;l7P=eW-4xlIkEn!EgUK_v(e{^d^ie zkN9+#Pi(V3-(5~eV-q8uWRRDnCF1@27G4e{McJVh1<(Oi(Q1gkdmX$(WMAji-B^>u zy_B@9q4F2hCCk8RDtd#CTI^n}+gNz9P|>&1C6B@(bb@p)I$Xua zWaKT@4a7+!QqduQVT-jF&FDU~MV9==IyZW?S+07AOeJ^EnbI2@|MoR$b)|p>Mt5qJ zCP+B?d{y0gOz*o*gj1kpxY^m+%wojG`uLz(MQi_j^Tr6OyL7%f?}sy|hkv{-?r5tg zojRr+k*cHTP-QYd{T1U+{Kh>%BarSg|8$NuK!gvb#|y%W9T1!)#L^sYBCW%Kk!hW_ z=S=ade|ymRXw~jm+1jv(D0OizItOGW(ICjtZ$o4)whKjw}9OIBuOINnDn!V~A z26VMnhsfwvhI!uE9zUD5HDW)riVJ!_j$OY zS9bw_U+j78wc;PU*m?)%IY|g_w%o#*;ZMUX}!7eznvpp z+C*Y~Du!q&HR@6FOUMcqlPrqGUswO$V<3>H#P^<=%)6ceVX;p#K??Cc%8v7c_@ki;Z?bx`Kxrq)!rp{(p(Gw~uUMq#4qSEo{L)ZTZor>`<8bpOyQMDGozxn_GMbU;6c%>*}EzNKb zY^KaQ-A2SV!My&hi}}=jlL=O;=*WS~Wj9Bb#*@|EN3}=G_qN6Otf^{aN#mtCO2YOI zX$};UtZL3{(r^ruT>~Grs4qemu`IA+uMkA?=;dyI=Ck#>eQn0g8ycF*^;Ye^3lBbQ zP^urD2vvy%eo^`=;Rw&y2SQ>o@vsCiU<{)Ejcd5#MYueNzlbcS(YdJf;~e4l#3TuU zmK;`Funph4dP0v~see~8w!-R~F0qeBhOt9Yqr2jYSw@99Ve%RyHgw6q1dIx&#PJbf zhn%$2i`tHOV6L&cDB_{`5|bqya^?I9khBt*&JZMa5T!5FtIpX|-$f{GOgkUnh&aW< zxyJl5n+zZ~JY`qW8jU5#ou-n`E_d+TC>_^i%K-qxu!gV7FY=Rvf$Sg|E7Lu6_3JDY0u<9WgOI=yoMQ0I?v|o7B(GE##6Ee1E6Xgc$$X-CrP0 z)r!>nmN;#(ls#F%7oK(9fLz$nAMEPd$nJlPP)E+C9S*JSw{;pKR}L=wZ;VA8_<>#f z^)%?#eR;W#%a)$<6=dpt_DUzeO;fAwEoCYjT%uPwrOk~C`9Ly++za#xu*DX}=TRd?pp(HoFdk9o+a?}ZWGTkoNK;w2J zDbfby$|Xr3uQOobNS7Z?DQ;Sb=Gn!=bDq5C=Ng>ve!?ZzQxSWLQSh2O$eK*gid9IE z9p7UVG(QwH(Luj5tf4+wDE&-1idaxVi+#G&-AUyV-4KnD0IV;;rUp1imhOBkzxxww zk`4W>e~v1=PX1BalH;di_DHFECy^q3b1#v351Dd(G#B7Ms&?)WuSMJegMV4?StAU_&tFpCrNaKx~ornSE6e9$A)7wk-xZ=gk0)q744uJkeuhTPK 
z<6LCzE}T-s>)PfVWADiy0nt5-irh)fH?BP!4^H@WOGXvcj*lq*M{Rtd!Kn6}B$Z#0 z`i^Jj$^!uS;0e8o#tAtNk!Jt`uCWk<&dK977P%G?o+s_=w{gKoCQ}F?D{-!&Y6S_H zm7eHo^oZqcnQluyl3u@+&5%t3a=ZsNfxco7W6H@dx?d)Br>wR4aL=E3bGm_Kuh*`- zQ4`qm)s5I$QEM2FG?#Zp&Hs=O1I&_hj01Bop!d$R5WgB|8~ln{DNo&Fq6&jsbY)to zI~OV^(p(I$!D2~)-oIz2o-j1e(Osw@863Kplb|s1Mo2r|hRG_Ii;RsqI2{d;V{p{n zH%06$^nrDSHkyEpH$FeFK>jWS+>n=mi6jY{L1|}ncZ_V`a z5|Kikcsrl_<`@ULhjV%Bom@jxq{_egtVLEA^p;ijWUHg$g}hDGHUnAvvSX0!8Vdp} zn%s+a@3dACsiUPKP3-a>;sW=el%n?4C`!k5+MLye`+b^{p04~Zzbg-&7-NMfFn4h+ z4~RgkTkn*6*jdq~lhdgArU^dUj$*AYzWE~b^Io}6iGro$qRmp~sH^9(`8u12 zOeFs2AoLS4J(b+ z6$}qyeD6PJf%kA9Gn~PL09Qe}2ej6)o#7?>i?%a8zz_RxZRTb`$9ModYBP%PfBrf2 z4+`rt;M|3h7C?J2JtScE08|LvzB^CMsXueL;#)>2IDY=$Q+aqx1nXx+<2KVXCl~xj zjj!q5+;B5#<}45N^Mc5F!j6z^3mFC*a2yXXGSN_imP^w@-0I8{4G53e; z-TtF(QSMm!uz!Z%z-LEH)u{NgV^Y&}{(RjufwHyh%)|4R(%N=4GR*Knm=W3rq|`}& zWM)JJB^7im*(d2S^X9k^heG}BEVN^U7qZiIssRwSv0qqcLi`0Ly8Aw(*=p9mh*PNL zt!fo>KXVr%U)X%q&Om**4Z`1tmi~Y~EqE*Lyuo)RX)`s0O2%<3U3KkL2kvM}@VKK- z3L4}h=M{~(aK8XxuNyL1A$4fw-JloON?6H&knZPNk2V<6#;GU0@gM$D13#qYHM*3y zUc8o(X4eifNL`t65GBBSBt7|XAnG}klNu*_F4KkT$U3Ipta0wgBJ6^j{Yjj^;IVu6 z3-U7NlTW3=Pkvv#$(DGm{Ik<~X~C9-g2GjxEj;H@@{s}sXgu%)!we)N+e}AMxbpP8 zEhuz_lk#qqx$4fe4s#*Ba0F*sX=bm}ay z<0yhEklm^w#OtI^WzrsltRZc$?5L9avAgMgb|;~XT~ZYY879G!;_VUEuyv=DqQ_-D z+#+2VUW@A15^Iu_MUq1&;uDF$Cp!x`0AGKV_?AeYL|D zMAVX*U1#A)i!he9+0B3$T5OM|G1|FdFD3!eP-!@a6T#u;?^~iVr5&Cq{ucRhHi40W zbA4M?=q-=i1SEnxOYoLt57VWL2d~5Y(OrdCYwdf$x7^$&H`T(N6_k*LUx}TZqGo@hn6l&K6cZPrN+}Ybc=P7Jva1C}F zeMbm?UC2{{dPaghY*VC%ORt?70fn4809!ETtkDE9(ZcH&chL_xWsiCsEhd1FUaBV# z2cXEl54GA*=n1;%j4__bvjhrs)QiPX0d&vLb0arKu_Zy~t{gKDvzq(eHsy{h!nr|Y z{Fu;uERA6JJV5DayQsbQHHK7e!E9B5f_E0T$bfPiRM89!`PS>R-P_ht-e6~mm8F9K z-0D{9OHfzubh}RS`dDFo$6U_!_C?L_>QQc2L3*EY@g>#9)SgQ>)MFv&r={W0!4MUh zG}}mhT*{jOWR(5$ugT1N#>LERDaW;(bZT^hl>PCu*M1_kw`xt8YJ9n2!&v$3 za+z_Z@oktVEo0)WK?dzHELcubV3C9d@nUIM1PoWbk0V6C`NbEWHKk%47%B#X$a0^t#&i z>ua^#*=qql)(0s?A9GnfDK8ICxS`1d*bYp!!D`~}PF>jV&RQj2RJc52g<$Xx|r(4Ph{HmJD<0D_~ 
zKOI&>J#<@jOR0gMTkq_|FQ+f98EvaI@X!zUDrCx?jJM;};G7k$)W1C8er0u(k>d$C%{UBG5RoHuI=IoX>T_2L@A*FphxOB=|@H_==E>rnM38VIN(-RGTa zeTj*&Y<_36fuxHbE*zA9&5QBYq`{&v-I?ejh(E{e%s{3^AreS|LtAiQu=?UYq@*Vw z9zgidk*oRHg)p{5_sWci${%=bDD5zY`9vy-A?m6d{YYDy*043ojG zISoVP_-$7 zD69-?TehDM^Sb%-FX5-hHYisxOw8WH?q9kH2&(Zp*sEaxZ2yuw_1Y}9xe!mQ%`aoU zGB$^ilLFLaF=LK_>zR=Jc6m4NNm*gHaDlpjF|ehh-`-o|%-HkG^y7`ZaFo2{u|@wi zn2l>;p8vKM=Mi&W0J-j~`LF8Y z#Y|JbV{XAyGhPWIWylL0wJt5DntjQm1D*uZ*;m$C=tNn8 zI*@(3b>&wdN^6N-eQxdK2(c96LAq&Zt0;*(Q(n+W_#*uwS1Kzz{oF~>7Ef67x|9{| zJj+&*_#Gmk*}VLLG^iD6XW|C3?3;ec^DPmg+kRZm@19o?$-81WQ{LaujZW(_OmO0; z=;0Jr{wNqFX`5!X(GD2Z{@e51*2k9dS7XS;GbQWBt?CrN->dqMFo3>GMJDsuNM@-w z+Zai61|t+zA7WzZeplB6W7r*mY2N_d+GZclqvfAUeRm5b)#EMqpnCt7sDWeGvf@;^ zg*{T zjkh%P!o*-&b5%7PzuJXi#Bni&UsiJI(v|AoK_i(tHFHC@*KT%<02ArT63)lr5e?fB z=K`nSZIG~H{IeYXl}ErNhH!GAK{49x)v}f0`+xg!d&d8JH4jQ3?L%34x&U6}Ap|z4 zwtF0N*f@&R2i9k|E-?hG9Yc~5Aan5ILW`gWk0^fcMqi%d1i6pKKFMD*N^UYngaljF zpMjQjSR>IQ-xv#cOI*3(K-ARCv)1Jt27%~E+FUFpe_d?*!blSkKl^({@amIqqxVKW zwYLMq49c*D8fPl%fCDQb6!2H!osMb0FN4D#-$rJfk4Tr24k)&e?FC6Q8MNZzLVk)<( zS9cUJcPx6z5xMu)(#C-yDZ2{i*;~Laaam@N%GL z`BjoOr~e-AM& z%UfesQ;X|(Z_;IRI!Y(cg*rM>w0)NSY6|Z>;nhfV?wkK}$5nUwrb`Chn!zveTS9Qn z(v>%c5Q@3ld4(*Ec5J_BxM zNr`rW>V$Ax7`2CBoa3gH)H|^n-`{R3e&fI``M6H?m=7^A@A5!pPY;Jk{lc^og#ZOf zuQ~ZBI?C>vHz28cX7sU2B-u(gPl1H^=mn##Kehw;Zef9#BnK$R4{DsLp|aADw&529 z%(b*Th8|UOcMb9jKlQ)17Q+U^n!t0jrP_Gy<8#gs3if%a0rt7-)W4q&K9!H*5DoGy z%O;i9GLb@qr>ndg#K%kS_1-I~y@yw&^m6~kZrcJtoY&5Y+DB?cDFkFre#*4!cQ-US z?VO+vYC6ry{%4htB%K8q&q)Jv}F%(yxQfQ=y;@N90ovMMS3VT5C`3I|X~q zV&(4Pd_;qEy3R_p0P5F&CqvE4aB0n=19bp3@Qt0!zG2`$V3^_TIlf{pcjLQ@jgz*C zbXMSca9`|KLjDCmk!gYyb)sduF0=7oR%-`YhCQ;9at|Br zWyq;nv0hC#9mtp?$q5LIY^2fIl+2`t0lO4pzRa5wMoYiN9`BqpD~K+|5<69LioXm0 zBS`@yQl!OJ)?1ThY{={m#>r1E6UOtUi=uhM|ypP#!rEQ-^Zqq95 zz|VU&2;{hwrgmotlLH9`WY@ROto4=d+kM#?50zNzp8f;M^{Kx$xV`UOTRFaO`JMVi za#rl-_XiW;<7Wl8-@}AV8lKkbpUhTYKUyir=}?b)Q*Gvl!@CFLFTwqC)%Wn-QyX;X 
zxH77wfh(N8h)gWSyzWt}(O;TQK8iyHn}xh;$T1?7V_sieqAN8ieTDE7tDyZk1n1cV$4o}i&L2)@u*nb67=LxBb)V`9N zDJnO(uOpgbx`SDM3E|te41lSf2JXM&9OIEhzg13%*P=VLwGG<8QI$<YA7gEUBY4IrU(cf$-FA|MSC(k&rf(%tnNKlgg? z_51t_53d)T;heqKKCAX#>%G=Q099nMFi0@q;NY<2<)qZ%;1D2iaEK^qD6l)CbMEeN zaL=TyB_)CKl9E(FXUBKeb{24OauG?|sGx-JMA_|y5?1g?g&|8wOcO;RV>Ftj#scIZx?IBRI( zvKyP5gB+g`-HDe^%pZce%)%48zms$g=n+U@<0LKXR5O7(M(GK-(9fOak;vt#0MdxphS}|e-`afDJgeg= zGZLB5KWfh@o)!jQm|`MJxPQXXCPaHq3lbJ;B9neZ!R0%X9x4P-w7I^WGJYfMF9)f0 z-{&++EG&Johx-Dlugurzqsuzzl0PYjl=X+cxZUeFO2C^nc;xqz%r_@5od9q1IaP&e zGq~tg(r^rs^5HN;;80>a`KH#2QtbCgEV@Jr2fddAT8^MNUhE%3^yWI8lTnH61r7t-d0OOnyco8FgIp>ustn zE7@s%j++uBLfzUtxaHX}K+%+uBjhFE8SVVKj3?Y-m~5vlE}26k-yv7(0iRD7zJ$;! z-l||;@Oz)y_t_g^-Y=<0TszQAO4GU8s)!qc$|*eA4{>g&`6^>b;Te1hK7IR!Xkv#0 zv4C=>Xg|?jiP>CN?lB8RVj>qkD?n1)_dlO{KX&}mH16vB4x7nk_~kB(t<`4Vb@`Ft zaInipO!BOR9i=;pP;^!|wuy3J5P45}&Bs|20g8F)7{X>NcD)vw9I}4ednO85LX9PP zsA8*P!=UA+9(=ppqc2jq?+JGVyCSf|xQjt7r<2GjOP2lT+qZsjvF);nG0-K&$SXus z$b&Lp13}>U0tyNWw*RE`5wh_U4IJc0+m79j?!Hb7xDkhq0lH8Ha@KZSI6|u~p#j`f z1Vv-iJtxHM4jiN)AUn!8uv9DteJ3mCihpt-)EFfdQvo2LgQ6A8Tn%rBve3y|{enA4 za)qBCi#2d?MX(XmL-mCxymzP2SPT^!dLFgwH(UEJV9b&DZ zX;Um6%=?@wQ*s@gOFV`(*UTWHPI9s!hSj&e7^0X)pR`vOPGs)s{0RfXuhxvvxxpNr zaVv_(_`P_wXd386AsAg+UGQB@o_ub2OL!4de)(_4F_)sC-|W_0*G$(0*BsV3OoeI^ zW@TyOp27XcRZA-HDN}|hZaa>pU#MTUU%OxR z`vbw7NS>aQ=ZdRp#cIjwUx0dyDU1e*{-wOr$-An`h3_=B)mfleQyNn~Q+zfyHbgd} zHfGZyHZD`l)0dDeO&`dmnt|*hAgf3eU{Ks9<(F~Gaj~%LXvLk5^(H)7h9&n+-t@T2 z7{!>V)fi7E&n$^>)Evn)Nfe1Tx1o(XcLh&cdII-H9v1E^Yr~2C@qDW}tD4XJdUc;m z>#=PXr*u4KvL9)j+b7XI4uWm;)%RMJt$5U;wK(sKkuvAwt zhdi%bQ&!*nPWAKEm(dy{%YZp}x8wJ?{2-yX&Qjze&Y?p+y!8k42Nf}m3uXh{TFK|-cro3VGFmQX@*Er&0@8ox|wbJWW z=H9%e;)3InbFj4kXp^|k_z1ZuaPS%v$rmB={Os*}a(g+7@spaI<-RaO}f7@6H`?o;;rQNc2edr2I$@|0(c1 zFbbYLXe%hQW4=QckPK+atpKQ|T@Kl8sca1zrx?p02d!MaHkwhIslk0sCtUct@C}H8 zo9Q$2IUrS9M@z>~$FWiN`ux}oFC@G_d=rmvj^2*7IeJm3*LDczsI=3x_%vlSl+prH z^7(rC1<%4YLYm`<{1eTV2DdU+5eK&N8kX-Snfr 
zBs)ITDu1pp^SQrFa5Hps6Z+)wx7jS2zqR77<%(y&VadoP&_A~v&pLBvc7e`n*Gk3SL5zRP*!H8*V31hm)2w^{J@CS$ zwOcU;7?Vgw%&+JB`6%^TXY{0eJ*y%?|0w&V$J+e&8ioZG>1;tC!Ts|Ht|2bj(c2sm z*O9BAoo7qi8LXa$RxQ7rPC9ZZ0w}D`>}*>$+@LqLqnpW>;|H>pNQMIbJR7?^w)?g( zD*N6#w#T`y&kUpU2|1iNh%{&U+)Zb72|ajh|D^rN(p=@%z7}*6JRdOkWa|-T*|!=- zjl(9Y;OW|suyC_hbAGa28PD*Uflzfgdq%{?#~mV6es_9yGTLkyZghT?_*nFyJ*?QA za`%LNduMvoxKybfuZ>vsqMgIH?%)8@P~qp~hqJWVx))${*?HW38M8z=>Z@>b{yAXR za$ zuE|8%$0+&OkBd;~eXs&)M-#Udn{Zd>j0--J8E`C|J-?@VLRqZ{qD*4NX@;d0=L@D-nmO9DnwUG9TCjTBzlV*6gA?`?gnhKPa5bUw zw6}9`5%d(H`DcV6?DOy2Y&2B=3~{v;q0vzWQb{^GTTt<^ai%~oA0PMs&itPz z|DGw#_M3tKVd!7d`sXf8T%s7lZ2u9xC`OnhWCW%SGHWSS5bTQZTQxAn1;hR@{_6_+ z49``VsNWz02PY0EF9iU3!tWcP8f#6@`PW_1;6LY-L!%R)^+BhRL?*m4oVKaA*|W1> ztQ&c(n6}v~)vJ$;q+zD@Ipdo*n^#EFr&NQ)$p13{7s)#& z5O-?H?3E7&0yvP03JvXF7gulxe${<_LVaKRZrt)>1@?2W_xjI(K#JvBG{rBKj036bEcXzM^IC%OqU*9i3W@ctaE|!n% zgy2%OIOu=ZhP^_EJT)A6cYR$_jaD|ks>(6UMN?Bt-B2Z3kB^Qq{O8X_Av-o^=KPRv zQp~KZMBsUNV%@(v=Qlz6N(+$>!yX?X%z?VF>HDKcg-0JAi%0;4I;b)KezRopTp{pR zpFVf*^(RA3BbNn(tFc1pq@ZsR?iBX>e(+zf7WfJm7i@!0uu1ke5hBSBIUqSXS>mX* zre={~fHu89AD;(U)y7XU_&Qf_U!_0de^rBvM1UXz)*Aq*9t$Wd@E3k@Bc$V@VNPF3 z5DX74rIS;jp!=^LfAjW{h6-sq|NX%Czp1DY!P5c=@t?luGxcHqrNT^Z*a9}$sG9lL zsw9R2L4R@4aRMWE;fa^<@V7bK5(FKh*=VcX-=fM>fTBW_{(k)WgSZD$eHo+w!=?m~ z=Q$_g-{$rbfeJ!FK|%1Gth~6-Wi2uiV_;~2Mv3xfadCHykma&;rzk}QqyaP8-h?lo zU3It};=TUn5)k-bi;6*wFD|Apt*CgV6q-wc<6K+y7YpJkXo0zU`DlQ8q)2D%zsY>0 zrK0!$D9Ow~@Yf6S6C;J>W{jT|HCFff&}ml zHZ&9X$It$;y%lqqVR&=?`d;%l6(U)2w9+2xB>cZUEb|$RiYkhTz~4^Wv4#fYh`-QT z;xCSZ5&+_8yWeve`u?V(Lk3R`AqoSjF#hq}e;oKdCya^+@%e_%UsT{>azUD2iyc7! 
zTdgW6LH>%sh530%QBi1mM#l8#`ue15>>?;M!p7Ei8f4T`U(Yi)KObLL$0Z;r7#|#r zI5#`{Yxw`@|0NaL{TdSCH~f&g%F0T_)oBbR`a&uT$R8**GMAZ>G zx>PqXXlwI1d#uMaH`749oBxlYp`akNGXkbJKDV@Fo}QjUYHLp!ZR|trqoSe|m_j3M zhIbhW)FJs)kZB$so8}9(q|X)gQEzobE>13s;Q|6kNC*n$b~_rePFeoulpCQWBv%5x zqN+;UyzcAQbP`>T(3-aTdTD4eAt50M2o&exsW-Pb8`dvR6re;R9I$b5!K`X9iMNsD zo#CDO*@a<4o^hQ9nV*}ByHK;3jvKzED9=VgMwv(*H|t*>RW&O4znq}`UUH^-9vvY) zD?!r3hWPxcz;>>OMbM>=U~0w5bif3 zQO^_Ne*q;B2nmSPNLlji?Ug8Q#FVb6iZ9Cp=Y{y0T||}csS4Q_`8bG?sY9VgH^rxd zN+yRM?ygkYFJ!e;vLN-)pvV}qJnF|_>+ktJ+%%l(S)}kF^}lx^n7Uw05)r=8P*iob{F2-R&b3Pmi+%|8_$x*6VQ4s@%q@gprO z;oUe~lUmBIKc&wpGr-=_L%v49Zcq#9;0r88S zgroEzS=$CgxlJd=Cn^OC3tOECU|R2|zC1M(1HE{W66D0Uq5Ze70dw#{8?4GAzNs_i z4{^`c)uE-?)4*DKTOUi_&4su(QyQ1})BX^JHx|wq;8KvrrAQCKJAYb0X#8&1)&m@+ zsx-)a)xkdF9(2}!xZV}`Z}DgRCxb?caCScNVkc(U8)5B1!1Y& z{$~fw3WAv`!@SY^t^+|pY!!1`%PLT2L( zSB+WU#7DL^ZgGcg=uKK{&vv{bE4{guc$%;mr^wk*UC9<|cIPq}{xv5j=dZE6;Lo-{ zSQR!ra1MEjii$w6qc1i{+GH#jKtMtwQy>$ie)aB|$CiYI1Rc);@%?^((LaaOSPt$l z4REQfuY~bb!}60jQ=0CSP2T{t6@She?9CmBz6<&OV`{@O(kw3>oJ%8KS~LEV&VmMd zs00kdzO(@E%22SnN9Gn67XmSlC^kmIB4h<-~;mS-kcn z_De1Gd|_D}cjrWu`U_^A)@NJ8B|NtN!e;D((=Q^iDc)K;J3C(|RG=}{S|+BXsHv&p zQMZz!v<6Be7L*4SdV71uz}Kl#q$2|B;+23%-x9fB%b(Ev9vSlo&~E^G02Pxp z$5k(lT_$?S&wlT(O=H!0j~jcN3hpy+K)Qw!J3Bj(xwq9c+|11BL_=a3`33o&XdvyP z{7WRXFIUNd7h7*j)#Nbz8_8;t zfoV_O;SKw8cVbmAl1WmBC{-C%#Y;3qrWI^*L8-K~G#e@`{Y%U~jsmaTj}iC`ddJ!W z&_5ek&=T!$9t#UY;^Pzey~UESi^z&w);LQYSGm=-gzcCzepU$76U1MXxvI-fYw+MC zf#NjnFT)}+z&7gsN*F*E*}Z0Usea>2F*o|M85Cx=H^oYq?Y71|^7vCOBPf6JSdo}+aAN>`w3Bc=;wPa{U-|HPeMCq0=!u%ym4~6V~qQ5 zt>++0n5?Px1_y4s%R~ui6MIEaEW;fOlm#d#??U5p)AO(L3Td90E*;nL3fM0$T?_iF z#Yr{}zXZX>O- zI)Z>a700CuA#hMqaRbDHFz&2^b7iEY7>z*6z*QRH&`snj4L&L9;KnonTAe_ztR?#M zmh8XLg9cyejct zGGF^qI4$*dJk`{kiNMyu!w;otGQ67V)V03k!@L4Blb{4~c`k3=Jju$QVnKl{I^ZC< zL=MenH20DR=8*nx-;((~-dJuN9re-Qj1T-EfmcaSwYebBNK|ld67W3ErGcpJUm`p& zLoeN>I~5A2j=;Og>F{4qBb)O4{wihcv-RZNRKOQYZVQ}$g;zmbSV5xH5cWP=Fn_{> z>J_DM$4(I^V>2XCp==il9sZyvfKy839*qY&@F|_vxGqc|iusC%ED(yr+|P7ca_i$W z)_K8vn1<%33 
zkvU+=jf{kpIaL?xs!WB2jvkh{Y;0x47#fOIVAA~|4i!gf%m83X&BLRKJW9ogqCo76 z!_k$@$1-eUVluFe8%%OutOL$nyE8Mpszqqj$75g&pp})uJKn8e`Eb&pN8%&w0%YXk zoX~_*^Y?H28YUTrtr>UNL5?)qA|4U)Y9(68Uy{=IIOlRWOrVG4^d$X7>Zp)V%#Hun zpy$ZtQA`P2n+|~M-B2zjTMMwMhU(>5X6~+8&`q|84*?*Q1v}OB-hxE4l(~qo2q-euJM=i2kmLvPllxJ9tGak!+VH5%P z92UJi%atiF*bF83mVLRhd=9fm#mbJ7rLZCVCM5ScPpPzF-b4%`}FsCS`V^>vC;eGmwJ;=A@iErT4L&)uM zs2h21V&;0@PZ7hFjU?dB#aa8Q%$oWSXGHalSH~8J}0lzG>CX zwORwo&D;|=hRmXS>j8ne-wZrZYEMdu2^J(my2y071py4&{mBj7rjri5GUYa1tGz1oq*@q;$o{JIMNc8 z+1|k+TYVuX;E~PXk!bEeK!^^>Z_h^S6`wd(qSv*ya~@rRgTB@R4%(6kfOC}Z%QMr% zA>YkoRv0RBnQQ00xv3P=&H*|#Ip3c^cp!aJo}nFMF*cG;q$FgJpn9yLS5szTW;^~@ zHFg#a{NCt-IxOpAjaY zl*_0=mjiKu)y_oGz%ZhDJr}t20eG^sl6AlKku6cNv({n|RH;#sNwG(F+T52Vm3p%} zQ|*0WrV6Nn<~Em+d22fAyaY;sad z(e8IF$Vxpck>9rrlX{5j4r7^yH0(HgOLiDzL`M)Wc4m?i6U$Qu+*_lXqPB}c47R>m z_C*^QY^A;ZV#kCJ)+9gNE~|Rfyg>x(nB-_ub*4sMk+7hudBmF$$*=|vjYbV z88AkjP~z;}VRJ+9VBh6|kkADnG#z?m9maNKVzSXMr-ICrarkwQHI$m>?8JB7jILBq z8F@!4Y_t98q00LOYx6$mX22)g2|CTzfcv+IMnl1cZ702?3U10u`%8;?VL2=re-h!K zb%|V6H0It16_HGZIVB=YffqKq7Cf5Md>VfEIA-37nY>W11CPj6Wq?XdJZQut5~X&L zfeZ`gQ_h#&^jApou{4QSM zk8gUbA?sD>)qhUCmkIY!vlc}UMGFkRpL-ty-J z8!JIOM+Zo+U_3wHu8pW}`5L+FMZjpQuYxhsR`RAC4EE$@La?F91FB}^{yY|x2Bqbi zX7S!pYP?mxTbR>H_?Qr^Fm-gaCy(W(nV6Xfan2<=_V7M?xn5^ERJfy2GGRWlj#fLZ z?~L);hsM}y%+D94K0$!2&T0J}p>ovC2nGlm9&SRewEHrH!fc9E(aP$5m>;{;Rutco z`Ol(BuS`mMU8%GjtERQcLCpydKVLPqh*OuTLGO8dQExF=1{>LIzkn_6d+vS)ZHkQO zAiM4+Q8Y3MfNf2+rniQ7+MSvRk>?S~ZS)Y8`+GLSmeg#|HFU!B5D#nzw6;t`WqgqE zS?@N*?h!0mfh4N^#BqJu)!jY)IEzC^7%6t219;1EJFlTC(lh$avK)gilaatV^N;Y} z|NJeyP;h#Dx`Y>5qT0aLqYQ=r_y_zm7h7wZtO3wy`*h@!O9#HM5=SO9A~PKXD#|u( zcbD*a9XRkI#_4mzD{V_zXG@I$3u%E@^kg8s`&U1Ks5QjC;{upzxhe&Wyw)DcOC>^u z-ZaL?3rKNOMJzlZ#~&Iln@2?{hVM4dC|Y$lbDv>wrX|!ok9$JJp=U&xXiErvCw?w2 zlUpspQC42Q@*45Tm0gik`A2Wn0Xk)CRa`DOJUG@v`#6J)|62J)EaP?8Z;|07v~UFO z-Jhj!5*ZP<-!^Wk5(510Px=C6fB@cl>t#8hNv-T5s4#uL#tb!zTqt?vVb1(naH8+y3i+<)80s|1mHs^!W2_Cy*a&#?L`9;6@WKSukyzxFZ7d-v#QS(Hd1`apRnBGCS4V;t?osEyckL5!$Oz~dS1 
z!Jxq~6*Gx{+1H=`caDkQ_1S2>eGh-mdB+{LKf!xn&TY@9sJ^3*IYPYG!|Q2{K~I)`oYUNHIY=zf3EcX|{K&{N3u7 zlmedaY%`56E-yFn)8G%Ue!5(ZfP)?P?BuO^6oXRTph>W=U~`k1{S!^#UdS`tj~)di(2MBtpuswpL8?pW6E;o^s8NpDNR*kb)4?;ogm#T*Y7Z(|^Dt>guRIPk?=_s{rRc+1;N>6r8#Vh=pq zK9EizXrXa@gYuOu5EBc4w?@(mWMsS0RDh|kiRmtW6~v59s)|iVKkzM=n+9~eIv89W zeyJ(#f^d1<9Z5ByUI8g%55_VpatB$LSrU)$2iQmb!}{5 zWD?`jjq3hAUituob;eEec!9$IS~a8-OOVA+85sA@W(r~@c+_&n$juEZ`ZQ4pVky}| zB5cQ}BRrxKRBSZ-^fDBzgv@@m{&h^?TQ#IV1LHZ1buod|sqDXE<`n{(F$N^UcMq_% z*C`T;Kp*#oc~umxVRt=>kD{x)Rn#DLD_b2S~t*8dj zL4Y-@47S+~E}WLU9ad@_nVWC`9(MG-)6+q=aYUS-RWAghCTft*4_Lg48A5fBZ0Xj| zwl4OABiFrYV7AiwIQ%};^Ps+cQta_$ezbb>?q$i3w=Qp5?+$%>HEr6e(07mgJz`EP zqQlX&iILv3orne&=3B*=5R^gd`61vgh2$Ly0)VHlUwxL;7+Cj8zJ*-QN&pgc$e3=T)7X;F2&81NZKMS1Cl36PwTkv$y$Lbb5S4uPDDUWO_3dTA*!n?PcNJd4lK;SP#R zb-{?LZ~?kJS{}Vo>icr!-bd~+0gHwL4hE@^UABg7j6~C@pqqniYnhO~{4wqFYp`+#YDmqIs6~omK;du@!pOn&6tsmtJ7YJujdRq29iy}F7pZ~mbj~%79 z9WV9=_U?d+=c=OHP{hz|c0J|*mGUBYWpHT$0?l6;H7BR1mGQJ}9hCIbI>4DU6O`5^ zO2vLELOp~06oa$al!Dj&nu$p)o1ej&RH?N9^|&>RN2uiN6#<5g5iaPH7U6T}*UO9( z)CY6;3o2+|zdFg8g}BOmZMi>XA=_|nFa$m3Q1yMKVrO7tl3p$Nap5j#($$FFR+1#F zgCK~wnDj469KPpR{^I{2s8_wRe>n{-IXlIePvI~V{nfGBy)#gh->t$>6Sxg490@4+ z`L-|#3hGI3&>9awvfVEU(-Yl!L+8X`XiVB87bmCJSolYDr0HK66LSIwNo9Rr4K*h`FKiO2XfkOW!~)LsIwneH=Apar${!fatQdVXmZbv`7#jW` zBc@D6`k|L56;P-e-kkzR1%&Q(@Mkb2KPc3JJM}?@0i2s1(1wvLfoRKwO!y|)?Z*|p#Jo;v*jp&0@j0CBSAG~rt*@$%iHXrh!WlJJMIJ5SFk%584-7C1l6{~O zL~`9ZU5~NddF{?uV;+=WW`MK1YolqXQTP!|$-BfxV87IN7IuY-3?DojZU1#L-2T_f zY9`Rq-p&pk{sRm@0)w!P+xvkY2;$B^92Cp`n4otW4XQ%!Kwk4mDRH1?*MY zu!k{r)1~Sp<11$T07_iYPf`~nIS2#>rB@-;4jqwK!sFe(JOrhT40X+3Rt2>7 zK#TkWv?}x#4;VFTYHH3imVfp>R`?%CX3<~~`4_NOwcTnHk`<*yXrV_M=OXps%?4{K*y62rBLRmIhOy^iRd9vho0 zdMuwM>W5r_@uA36YFxA_^Pi13$^NCz_D5sJKr}e z^Rk;}Jikx;TX~thmZ#t3Z5jv0$%bQOh}$Y#nM7`K*T}9bG>VmWjb*~1SFnUt2dW}S zg;{V)g##U@Bp~EFTLwFrmPRSJbX)}T$8w9Tc><^?3|Na4MZ%6Fu2Im2mPL~>R za5JcDE#9N#@n7@ff(e77;W-}!W(fwK_#kPUAkEFmIc(RAPj z`2d$z1%oUY7%Y>VpZPD~GpGnJ<QrDe6Q&ei&fI{hYqR8-oF|vRP%G<3-Fc%IyE-2<)0+VZA5d6Y*}Yl 
ztE$?NprI^y*+JK+{nun`sH35lYHympe4{tY~92gD(ag9IUH*rFoPhnsZ3CmemtT z!jBRZm6vByo~crT$=V3S({FA6PhC7nBdP-(AHsGFUk$pK&`F?|y1`ljF zHg_@W#EPcvc5~`H1m!39BE!L%{#T1Q%-{Vi?+zE6wW0f2_LF#V~ zOds9zswc7#%*agB{|%H>K=(Wn>k<`Sy4DX#tX_8Wj8R?3!P;bEU;#uYraHa?Mhfoe zN;Dd#dl_X%%OY*%=_EXYX}a(&NE4`0}dj*_}cl^azNGKLv9xg<8ZvVPx*_O!`1>QNT5d@*=W zV$vo(P~f)b&zb$zkAfDJI-#SY;Zg4U4ffJMKwBCD>-k384LwU^JM2KXIAQ5&3@P9;nj3q{Rce=8I zOCsnB8L*sBKydJHo&SN4!64`qjN--hxXP^a-PcH$=nvXD;)x)5q)XA`}Q!aBY!VQwpHkxcvhx{_ZQh zF2dtC0b{76X;yvG1f}Y(?xA#H#AEObjx0r!k&$~w<|)}nr(ec}P~Ipj7e3dBRg(sJ zVK{$u`BK|NSxS{iFZI-I7nP@y6ghxIXiiu>BuHO3OBtj^k$Eik$#0wf^p{#H&5Oe8 z@rQ|+6yNqgQPXd@zAxtYuHs7=4xvd^V$HZIcu)XPxxGh0d!4MiZk|6NnybWXa@k;l z5Q%WcH3gK)%E-UUm<2h?I+VA83)h6ijR8`7yL(ejv79CG_~$8H93OV3Lgn}S!&eEq zcM9p1)0H~yK4?0il=OeDVwHOQyBkFZDJX#kV(@@~tA1TV1MiD>SE9w47edM0&lpLF zuPJp%OEs{eKd>Hf#sLJ?FGGd!L8;reX{i!#e)mMtefhARH*QKhA7ITHmAlqy)vZ=V$P zk920!9>%=7K+UsXF{=@yiLGJlx7H<2Fv5P@*|h3IGBVze`Qml1lUW}$Q49?sp5~9= z{IeW8`)?4SG!L$G%3L#J2f&>70Tv-)OhDsrxzIz?ZOm*7e6{lOC2Z|2qzOAgRCUMp zq0IW~HtH&I?gJkPX8_rT%r*fd`vL^tX}1G2FA1hA19JXz1pKQ7^_CLBPXXxElwJsi z(5z927I|YlY5E%XR;{cm0>oFfBQ5qPXWk8b#8{pY)H16P$vLZ>VQ;Fp6q|t)3n1zC zFNy1>WeS;mW1^#Z-H^VGa1c;E$oBk?Bm7g~|Ai4G$^bF&t8r=_x2$h$l!KNscjZJt zG2++apyGOp0#q1Cgx?<@TKpI@&oZMe>O}jYj3qKs7KVRnWw749prDW9?NpF?td3uG z7!!JTaFp@KJ|U6uZK<|At3>EX4y|KE?$X=iA9FLRH3G( zE>#!E`VO$Sf0LAwQg#=ckl>de>+Y3VQj*ezpNdVw4HpmFSOtZyx|hYnntmEbhDul?CEg_`*>`t$2^krrP0h_*@>p6MglDtbk?8QpA+V4l^a9%TZEh}22!~d) zZx!TM@<>4qA&D@ux;>v%g}&h8bZ+#mpq3U<8MEZC2}QO7p~J?6{euJa(UqN_y1Ve{hK{^#qpbpRKTy5rGt6$! 
zM3<``<3(?ejkrB#bWX3%@*9>OBTcU?$6#g1vHP1d>z|D$rH4IS$eM;m4cV95ws)@r z^lfcf^4dajYhkst`F1fwXckpG6&Fx++;HV4*g5h+Ur%p}b7lu85oA|YR;IzsGBw-V zE0gWG;_WP`oF%AZ;JEKZ!f*=7^5ScbOC zp_R(4y+~($>xr$L&K;M`W>h&uX5}fwa*I5z(Hi44#~*WG@P_mU>9(3vZoGKt$w9;N z#NAQ5DlCU1hhh9TrE7p9m#^stUtk4OSRtO6@Wl%z3%DOPOYg0Re7L5Q*agWt2nOIl zQ!trN!hDfQSXhDyP3GRmWr@p#(ijzdJEfso>cinQVUF=m`V}2rD!poUmyOM58mQGu zV2-g|B-~1CMP;Shu7Z~rv1Z)>a#2}C4#2GMh3A~k0{iy{Evc?F^w8#JRF*qKg;s=d zagmVGz%H%093rg?P9~03Dhtb38t>-))A?8;eNmbw&Z_)n%6{~Y&!&$5lqXZBoy|fY zFd)^{U?GjwJK46XId{V$C8~U_27G4H_T~KM;^=UYX=$*wmeZmOm1(ibg@L6wR6!(^ z<>hNhpfC@h=L~TzW?fu8iV{~VRwMPvq_xWhgOI4y&f1y@8R?mpXA~)4w5e&Y`uq3Q zf>+|-hU2fK^ph176%)tcg-J*=t{)uKJ=a7~E3u-mZ00BIc3-{>KxCH@2^xXBJc5SQ z-u3*GF&lXJsW$8RHsgXmN_zV;xH>uI_k4U&H@D+2Z7BZkSYj{VsDC|c?Rs4V@BIxUT^4U5| zoC^I0mAHV|ph33w%=SGy&7hB}n;fneXJL^qXF^xwXn)l(WalOs`OA-r+&z0ZiNTqK z)glYS2?cS#;t9Kd;Bv$sB_YY^>Y^DK8PRf(K#!159Bd10@@k5NNF>>;KZJ{bkFzC1 z-JM-cjl@+kj2jYGyJ=^aJqSWSgfLGs3tC;jOzL@zw$o=B>Q_Er$0_?Y9Pmh~oWmPk z+2YG2@cEsFzx#8Mr>pw&p52Fy?RAwy2bGOq#;Q@n6`xdTr>E=U`*PZtQ;htP-xz!a zr6~Zu9RI{F1YbSR2}Z^F(x>QqwP=$r;6ksQ${ytF>kBGJsFXj#d~QQmv~|{dK&7CA z;>FCwl!u6l&FB#X)hHQn@j7dadMnZW0ZU_aUA${}qFobzs-uJYym@)C;22U``VMSV zgeKZA>I)uh9PT6_hl>T7$txM`TVoh;9|HC*Hj<(zEURC>u`AUrI zvftGt&yTld%#`Q%c;(K5$*`<1#{cPVc^sA%E5*RtY}5sE>GFa^@erU9LJ6!mEF3EVuqcxbX(n<>v7>sq^zEui){+v;WA!UGt8Cn@c zNVt`sH0=gb)0DhWFoE|H!r;(Gn0ad%NH;gfuDhAa#ek~+I9oIEOF9_QH?3MmUB?R2 zrRRZkdv}%=mo4Gr;h49UZ)am)S%}x&Vr{B~tEPdjnMgRXWw4VN>l>1pwNHqP6*c@b z_J_KOJkKj~*5XFVn~hOs1SAL(5jtQ^C(UE^3*RsI%KysLk9w0j`FhDGDD#S znem*p&h90EV99VtM3&h%=8Hi2HVRhPap@Q1<+^p~ZB>X+@l`2VAHb9o&hHdY)Afr#OI})E z3^)p_%qb8GM`CZ9#fX%$S5;J)tro~k7mlpbQ@F=LN zYUAzpC%>m>4nix1Yw}J`8izH8CzV)7XxLQ&K;vKeLi8_3) zRL3%N^i>~6BT)=s(C=NIpKj609Gfk_-y#*v%o__xUNn`fds3p4~@bEvk~T4pCRMG5$*r9=G)m zJm*IZj|zE`sN?nxhSIEGETr6^zV+lsB7qR7J!pfwAs1ZhJZLrC3%a$Nh9?=sdP*Eu z`)t+Aoh~StZf8>5d-5q|M_ATr%AD|xsM$iVROxhYw0d;n#Fq{3+7tBr@Q6BS({QAX zZtLT5y(N?Nm5ldsXV{dB(AaA=PgO1fg{QMov66uMbsl%c45^g2&Jmp31%};q5Ogcc 
zGtZ|_dlzj6%HvKw9MwVR~!$qfIx`hMsTJS-3bMD=ma1>0@+QX zqocUqe3s)@oR#&Yp`l)NR!ss(qgq!}V{(~5dy~VRSDXWn>z+Nabm-6_QBcp6hv;Ok zvr~e)Za4k=^Pf)Uw8wp{BB;xmpfV9a#J-aEdyopL{TFA@YnFhHzldCiP|Js^Npkd*|X~LwbY?5^$ zS0@MBw`V6M@NuOjrHrSma@ z-Uk|C#dC!S>Lezo>6tlHQ^!7MZPsM#;7ksz-Z{B>GBLHLrk0}wN`rEAif0oh|E4Am zOsTJ>hT3YXuc@Gh>QZWJtR_#!HYhNF#>K=a(<(ZqaPjG{9jRAde4OlTTglm>g~CF7 zC}wmB*;&;SHCONz8wsjuz6rrNtUA@OFJ2{o_9x`iwmlh4@++y94_OcsO|wQ0Cx3Q< zaCP7ysy5a_8LzgMR?tz?Ik_`{IhaseSe{`qWYgcR$JksSDIakI#OV5Uko-$l69=N0 z`JZ)lUAAoMcd)ae^1^H?JCa33`B`M!)=bl;Oro)4VWT*r&-cWTu_M~bT{E5DLH{5+O(QK!>be?OYY zetu&@hEjls8`)cPCx*#sE4!HR9E55`PGL4}MzBc}yHN1ivRdtEU#kN(`-hUx@X=Jl zBmnBwz74CWzBr5h27gbNU3NJK0R^=Glz}j_bLS5F_~VZ`ND2W=0ZOPq4pU7?yPE3f zwX>-{rZa+y{XtUUA_eyXyr0M>bMeKO5Z>D}rJy4Z#dQ1jZR~<}uM#)jdh1PYD<<@) zpu!CUiYkJrG~tKUYV+nTtW57wKE7D)sQ_;=@%Mz%X}Vn#RQP)$Q85T=R(>(1WagV) zF;pJYDpZh~jrL|<@2ro#tbD z^a+2m4NSUY;|~zo+LNuL8@YM;lQo<48(XcZxrIp+H}D`&`1GbQ|KjJ;idq^u>YpXV zijpH#UsX!>R?QR{5zglRDHIkOrk-P%bah9dH|IVT`%D@aNMnWv(85_GC^Co>!8?_+ zpKaIIj{A&f#G3K5ws)i^D`%=FH`=f*jkfQ~q`Zs@vZ=A6vspzQ8Nkm72eTqnvXvWq z8}0!m@zSQ%PqGmQ$L6k z?uWi7`u+{nDJn)>>-zQUXh-Z`I=}=oDrP#(oPPm@26)pDACC@~X1s2N18-$G6do}D zdvX+ZZgvK}_`-`!5SnQz2O7dv0+p#IP%pjoB7OelO7b5*js^{lBpU}8D#%QsgdJ;X zWLO|wwCsEu6>S;-04^AC6X?&F<5|mQv;JXL5u9yG-KmbWZK~x+(#m)f@Z0@ft$*1hY z3FPbL#!Bi$8qHXRhYwSoEGVfUc*gr=JpZYlzxwipRm&_e5%ROj#05O zMKH6#NhOu7RB<$D+0oIC++3Z=ncX}bT{s#1puyzs8$zks)wJ(WA$|Jwe(nI3((*|Y zXli5x1v5!?=J&RZPh`vF)SgpwHSuUkEi5Rgcbz5GX7=~ZtZ$+CiW;hO_anEEkt$_U zUS19p)NiSwBwP9PLj{C8&p;|5NJ#qzHzoM#>vV%gBC6;0w6{dGv;A-meI9gdw`|$M zey@}1&wqY|75%XT3A&T|t(u^I^5K6dz};05&BE$hy6DnNRhAQo879lr&wWr)=Yr6h zcT(4{U(a}MRk_Y{b6FhWdbP{KZ5ZlQQBb=?==9#u89_B(v2FnL6x;N?acZ3JY9D>x z&h|B52L<)P2Oks@KZB;pDDX29Qq%IWbtVjr1hq~1TEcG&=CF|?qg2HXA_Qds<`wu! 
zrn8?F21WpBZDGQIB-Kc(0#y&6)1hD}L=5Bm?z`_&aa}77j+#tkIT&Tegt6r8Xitvz z9ZmYG&g4I^5LjW#fABFypL66nlhkVV<=q{3fDXhlSvwd@lP8R)U;XM9rHF#0VyMM^ zjQ!WE*HCh1E=^ysjMYXLN;{lFWx0o`u{eXyTe5_1xZ%bQ`9DFt`ddLGj)rI>EAC%^ zy^0)NJ;>2*5IK3UONf&@H844CWTgaz6CERCnGrLL)x{ykRg{reLc0%TQ3;bNV^K;f z@NVOC)mKqzK_)fVmXj@;!DB{6(b@Cox97WrirQbE&po@hQPRO(v~leUa%s(?$r0A% z?^aKKt|lM5;>tE!xxIQ;LC=jJHk)Uq)`U|>w>KLlwj^)R(i8T4_b2ts;BdV@LePs-i0x>=IF%6Vp ze8+e0+@*rg4sgn_3>8?}{sSGVV1p5s|TK*Ntet*6gEUqK;}qsf10IJH`{d76#Sz|LF^ z)z8Y(Ib&${_z1nIrUwq^(VFdvlwbUFA2d8~wqUBQoba22rr?uWkex!2!$N8C!UZ%m zXs8<9%cwecIQcKM5FfXPR)4#KiZXYTV^bD|v631!q>dbIo2j^>ncn!efmZLeQf>+X zo^3SPt&&1~S}4Tdn!?cHs(Ew-2zE?meN4d$y(BStjCHG`n) zPK^1xiTs@ifGnb}Y66a>{YDi{1ufupg+#_m%Ax^WyldiZb}SFWgEv4{H8KEaw6 zKIhP&U?Hdg<4i1_5mb$XuKdiW*lxbgxNMy7Y+vK~yV_R>s!4{@L={s62*7V=|Ned4 z1Kq*uXFe~Re1+{<0Sx4*XPEKFjho1$)QnK1=g5&l4$z6^$jKdS-d?Zn8!*TDP;r2$ z;$un=Vj9H@!=WNKu5nmYeV_Eb8)#Eh#PNrc=)0dbkXJwmoqg^_D)(-%pBH5oFs?=A zRL*%jYw8-?FAbF@t{WeaQ}{^YAC#-Aic%`dO{e6&TR5=Fo#xG*%earFu&`muhZi|) zaU41oApRi8AAbA^wc5GRoJGqhJ^3Jg`tQHfoY}LKA`}%Bt?r$659lw-pauh-n4+R$ z+Oc~ttzEy70z#t{jxg&taMIH@_BAyVPW7R5yaW{oGIWF(b!%2qi}TYd?a*Et%xS)+ zPnkd?`Pm*dYLw~(fUtqA^@ryZ9Y?5@n>VbcRbReOBmC=VRNCnQ63t%Ma94mOr2gDuQ*41XYt!Jw<(HoX4{Hr#A#up96Iy za7N;O403Wh64XiTLegD<5(-za!E9i9a^W-@&F|omvI^ReUrsA>%IR#j0Ns4^O-J89 zwxTd0HL0gP6V&+q@syUHW;&K%_+uRPC{g7f*2MX`g93*NLGA7)ozB}pP|rXAe3jA( z&fic<@Is>Jq>HWu^|Y(?db^%tKRs_gH9rR`9z^KFw+#D&pg!=x181y>zpV|XQj;Gk zUU)QqFvA}_cz_8{CX>}8?FwpZEAq=(v101PK3X1}LdK8DPNZtY?dldNrcEN(VS=Q24hDCObzn4BWXJVU97sG9O0V5qrMtfrH1Ze~3PE)#X<2k2=`eW>9!4(SgQ>p36s_OgZ#@x$iu0kFLUey= zVJ>AR?9pyWi2*+q6|;#pfT>U!HrCf(A9wlqeVW zN3CUzxt2ayTSt2`TsYWfiXuL+RMDf;t{IqXLTO2YYN~rpmP9D1@X?Rtj?rzm-KMghl(6dr_Cei%PAOa_aBtAT97qN2 ze~`~08WR>m9z0@38;=OZz0IFpLLg_7SUz?Hg*)3(OIZ=^%rB*tc@^X`Y$OdCKS>SU zi;=eAB8Gc%jHGsX^4)TarPtdKm{#ucy{zRCJ&rNUVJ-C7m zi5gGi&ss_od1%B5BSI*HmD7Exxyrm>&%{(KfUqv(8P*@;a!FwxlhebL9>1NOsg7>B z`DRWTHAN{q2;e{i3RO?1L&7=GfP$bt^w0y;&}u_h+;lrN**Md-y$2~RZY!niT*KS` 
zpoUOIBZp)0=??|ZAbvkaiURQ|sjQ>2>IQaI7((`L-uyhV0?&<7cjZJ0sy=5mtJTE? z+3aUfM$Vi8Ve-WBw18Db4-XF&G^5=j^!~rpR1>5R{_{RP$oJaWp_P;Nd(pU%Ch~S} zq}4mBDY?Lb-`$DI%#Vx+Ijp#*Bq!4Bs5ZKIrX7u&c{Vxt3|9p8yA7EtAwBYaV$?F- zf$vN~#XZt$J+gMx+i>3Az$nVg&!g0oWEGg#T3I+?2`WY~0zrjk0>d1Q8e4T7ZL?zC{>B877-2U_BMc=nbrznB&+TCDC5GI9*0g7$ym z#IbbG#plsTS9@y8Nk?McpIw5DEq8d>ZOp2?m>LfsqGme>Y6%Lbj}B(gOIzaUjyrB= z-{yxrOZ+7oPd1SdELQs!Ea%Rn$6I4`k z2q?+Q%2GgRvZ<#U9pkc|H=kl(y-v>?m-RYK;kO6BC|&XV{qKK2qZL$BWoin5!2MXg zdKIf92}~|)7^fjT{&Wmu=A+cka;`MW%1ZcC!6~DT@P27ri8iwXySGX(J!j5YN?}5! zfdt{0;yxqoQ7!wiB8>`E^YXG{s^oL+3ANFkN-iZ^+8U zo8po(DQ@$3wEO!{SY7?IBB*%&aV|{zLqS6h0WIf*}9DjF*bsJT3sbIDGih3A~3NFFRN z+AYGoZt3h?eYpoGM#9=!4JqQbJli=PbR9^XyJj=6&psXQMNMs_zr5EIW7Z zq$&=Qat$2G%6BfMG67E9xsF<^iUuq}MY8z6{N;Id?TZ#IQk@gLBbsP}sN$oSPh^TZ z7X{A|=5apw{G1ldA`{G<(olnE9w+lfvnXZ6KTH0ZH>#aA~%wNc6dzkJ=a?aXF zZmc|5t#e~in#TTtxr%gFvLc$BTfph1^3`v$rB^CN4viN`XokWEIiq zP*;nK3aGFkmo{$RM&Eq9MpX*8+;XdG3}CVz$OX^&_-S+K!mEEpgM-64sHd6oODdKB zX+=>U6?0U5dfYZDNITf!G9xF>q3KJnqdF!@B?UQ@yz3_>N%`z|^(*$%Jzo(9kOtuM z`RAXh$kuDFxt2#;F*T;zR}cjC{`>D`1(gZv&A%ZB&%uRqLvBAOp6 zEY1hw)gOv(sNqAq`nw-EZ>&Fg4IRP$y7la@+etR|CFCm3z2rYMWba}#JP6Vyc< zJcLdyNE;OE{$l3G<-hmdyF3)`?`g(4%jkx?|3F{A|0-=<^)b7UG?Ay5FF!ZS)M#R` zSgl#Jh7+MbL31Z~&`rySQ$e{k9nNc@pSB#Px@HfRYH#Mund4`tzsXDC%>_YL6H~&X_9dr+L%^J%;>Fa_-1=Mf!=k5He?0TO*%u@6z=s7UQtS_cdjI|RpRqou&CQ%o z5iUMRB4{+BTQ*YKFhPznkQ@;JyNgGWBv!egs{uPOzkO@b-4 zzbJb8nLOSpp7Uw5=PPpP#5pHZbBd^paVo2*q>TOBsXQlzf(Lt3pr4N-hp-@E^b{u_ zj`W{*0hQ!uQC7kpiec4s+^7*M)eL;nKpN81)6{?m81w+gfM`DT)YB?s0)8jR|DHX& z>G|iMBjRNCSF(xUY0wb<4XjqL{faiMct?$qem##$1%irm0`vY*G(p|Tsf)h)dKI~P z2a;ddC@Qb2Q$D-h{l>6BZyFumF};-Dzo591l9-@ZaxT=KN)tDj4LodOML`-Br^j=k z)MO@kOVn_k7=Qu<6)q^6tn_rgzTOT6_4mL39nD&JA>DZQpJ*HBAl;B}GtCm#45&m9%>!`xllBSb_=#74Hu^)FABWnBZLj9{Tbn1>Rc_R0Ihj9UtCF1T#jB7)HaxgD5n}jUqza>DgEQ zOY65Js*#p3N*7!)21+?uf@8W4OVzV)dxXE zCj$2b_p6aRor$dMXXj?Ig31F{AkYyiE$)Q@yo%B)@*U(S1l54a88xd3>cbB|tVYPd zLv)bylfg`cqF-F|sd1ay(eOv_+u1%{Z3|=534F6qX``I!1l3f*veL;FDSU!)e{5}A 
zm~39nIKfvpgag@f*cAh2e;(Jno*Qwlm>bxavbnj9O(+Lw)v7h@ygrtbbKj+WdtKQi zrp=+KsG+374-WpTsFaW7=TK&PGMo1|)0ba=r;<`bDMVv{j>AAMc+O|fTR=D7emAu` z4x%lrc)+EhhCf;RH&at-jxy09YTDP=k9O_a$*T36RL1;i*tnTgU6ezm83&XZ9%E9& z=Eih-8QrCsGC#mXP;03uE17Z=chRgF)99iLm#Mk}Dk|;;o@-6o%#T0S%bK9h zUbviYzUL82NIpbK$p`32avZr?H>pJP5fKsUef{D4Z|PrezD5h@gwk)WpGMDdaMTyy zB~wgH46Cf{lESVG7*S|%&+axp+mHG?OG~ppkdD~9(LeX4&|ZG_mS1r>jUF4r_r_J_+1|c= zhZ4S!g$6DF-kj4nF*T8La*f(pO)7%Ykpv9C`X{3gBKn6acL@pkhXE791=`L{Mj)wSaE8?Jh-7x9(??KKomx$8F(c>0T7he!YmU#%Nl2 z7B_F+q=qWZ;51$yJjVQ(s7RW|e!n0N!`ZhG&ncpNzxn2CDlRP}pMXG0;6S$TzWGuq zWDh_5C#Civz~aXr*HHX{gB<-;Kt%zYtWd zpswGziPL0#%09W_6ghVKsU@gQoU(?W&nzZ*iM!U(+4JVoHCJ7sI$db!Kv3~q_cww% zYthAY)9)W8L@HH zs7MNr{HJ){K*B-FP@fv>RMeNKC-6=qGr;cMyQ#X3hwWv8dW03KjHLZ^U>A47s>=pE zLB(}1;nYT$f{a2<1}-3}_-G=J&Lj5G1Qb(XWc;A+gG!2#qM(?9)M6R!UlqGOp; z=w!l7J$CFk9*E;t$|vDR1L_PHtmd{;>Cx_7e!Zu zT}_Sq80Wj%zpM3VV4%|Jisf&A``a09;zzVS2x=>*{D7kU)KgD!Wn0hwr0mQdHG-8k zPww5LGA&ZX6y|*-O184HVH`a;g-0S2)KwH38b;S#eGNzZv+p3Qa$0RNR@CtELxY)} znNCRw@w9f`CRR{SKZ2@F{0LBrP0FVD&8unmcmGwY2oj8G{y>Z`9P z(;hlbOO~9=>20o7_@PlmLzbMJM4zwtf;_x^>9VV?r8ti4ec`D`Rqo20Zn{amLog3+ z-nxy7I4J16ORuGf5z(AF$(j%(l$u+td{8%h@s3hZ`!hlPY5fLz?}LxXZ|HCiHk;im zf;xUg5Y3%9oZMZU$kn;yP^ZVEpkh#j#)djdPmHDbE#K2Q^XJm_*IuJKv>>P;B_Jud zFa4ot1$E{UCaCv5u2iCe+)Qf7OCcLpF^6zUqFg49n>MVW;lXxv<%Q$8p{}6VgLxEp zsFpUcApBTo{@%K0cn4TCuXo1hptHgR(hASKQ7m zOoqz`G(mmlnWt6zuypBC)wu?V#5LpE(Qe>5fCWywBw?Md=Ri&;?BBv-y+GoyH(0s0$V> zP#pja9)WBW7hZUQ@U1DHO?~hi%?T=A zTJ#nX)S)XuJ;m4Sc|A3*Gyc4;w(IqJs*guSFlNk{cID`dC#Vf3GZiXUM2Elr#y`07 zEae_4lEDWn6A4HxIucM$(fhZt;UPO6T{w8emyb!~5oOl!@Q6NKNi0%o6QU@coJ{6W zzLV;9p~6N=t5#N1vw6gs#Dj74!;c$S6AiWwegtRCpN2x>D&X!EmP zkbZ~`@7qMPrcYHSe)#%nf(ioH-w5igb1$Zw?|)o%a*kxNr6c1Ym8K_9Dw85-=O&5@ zccCDEXBy<`L_1=$Y4y5f8p5f2B8EpR^FDk}LAG@2G7v6(jmG*@1B-VV{^}bzXJ=WX z4LJ?wp-vS+jidNo+o-XoV!#qqSSp@-?pZ}JL3*H;f;d9?L>&l1iRTm@6?DS!!FD5| z*W^@Nj-ZT!(8GlaW_`ULq!;rz7v6h(R|2P5gIfkh;i~0evkmM!e(u7FboYJ#ns+MwDCd zSKpx&6giHsfdff;@IeJ$C?}f-6$)wt2LzVo9j5%0SdQW!&r$s6s9+Q*X6R7#OM-eH 
zE2#HBMtSUaSIB10#=KMx@=D}^4iY$Ev5ul6IAenYo2vPlNIYD|3TmNpA%PnSM#@6a zr~?x%dwU1|*s<~sQ>aNL*6*(g;bSKLtn3_$!?W4uNX~;fD?m;fr6=Ag=s$| zcqsdtj-*3}5;=!#fl9!S{W3B#RA*?ygozY1*o}kTYH4E3P&#Yo2+EK9f(~%>`@h#T z(dyk8neW(l>)+5{rzcBLp)*(W=Kz1w9PG&|D2M_$_x2(ts37;qi)#L?ng}Y7B9+DO zb8$Ya-~3$j$K+ehC*pgf%aN=?a(D6+f~o;I)25vfRP;vCGu02)@lJuEK1R=*FYEPs ziUvlT__0n1>M?=}AF0he3RGNtELW6i+!J->N;Hzq{3f3(j22~Yk5or)ik$xMe=FD| zb%5_-mGWh~=IX1N)CO<`i!tI&{(Aa;=t>&|wIGiJD%b~g)ptMAN1uFg+7Z;ih|x4^ z<|6hLi&9GI?w`J)HJ`qvqHnKeHwZ)p!~Yb72hTt9AEMGkAP$HD=HGbZbz1w=I-0^6 z0VYkKMZ?2F$$O9|*|DjtoJZ_J-buJxwDQoOEodZploU4)Hqo+j+Q?ZG3OQ{GhE~nz zP6T{c6L+koeQQ7K*8~*}J_za;UviL_Pap*h8_j8^8hVW4$9s%&vIG_Wr?oXas6=5F zRpcen#PMTk!Tfps-o!tH71SH=dyG4NIc#drqtQxjz{2+Bf zod;DEEa>Tn6wxAh0N?AC@ebOt)UYgaW)< zS>3Cq(!?JqA$AA7xw?_Q-g#yb)B?r?$nN7$5!aLRm;66_*8yNvakUTIfu$^M>9D}k zdlNxG0a0vG#1><3@lT8;_Lx{=nu&=Tqb6$9*c&zw0YRGdx^#Az-34~p-g|rh`Q~vh zci+CZZ+qihxO?xrcj`BDXTCXe=FEjO{oL6`-xTd=DYtpR+kOZ^jp4ylQfeZbRCU&I zvz0VY^F!Do$4RzR-65!x5>x@?OuO0%Dpo0C1d8bn`5=YJ$QAg=z3bKf&eOdoKagD6 z7fFGj{`%LywxnB_%0uJOl1z92gX$ilw+6E^FTC&qO9gn!>XZaEoAsiiqahL9%jX`} z7cF3t>NHXfG6aGe#O6LiLU?B%Hqeh1*VvXaB{_w{cR{EUACU zOs}KUla3FB6vP3YKBlNJb-Hus4%&AxlG4~b)w!%TF?s4V>d=k{2R!wPK|c)E!z>>3 zhRc|smU4$#!qSuy4g*_)X6JKf$!1fIv*JI9I3zZZ z<~D}|7@*_dx@{XL%V>E5Yw?BZ_VM5Z+SZFpx*TBC+P%BHB%Ck$fvxB+LRRV_NKWk z**s=+A7S;OoM%9SI|LiDgt9-q*rzR(^8g2RF@Og^zMMbk>B+&GsOHvuzg*u?@0igN z&zVv{a0s>I)z3$x57WNg+bEVvsy~~l`_-@RHPh5kL1{?`2JZ;Dh4E3YD4YB8G zeB498fhm2|RrFyZRmD~MGdod2oxyZ7zHfYs{tNXnET`?`)*76AI)UYtR zh8Ku-VLjYrHkDV-__;gqbzuW$>~V*6{=6wF9p&>NpFzWhQ4f~<&zw2K%mQG_9_0f& zsJPk>Ls0icP%Q6Sm6UdxpqgoZZb1Q_ja2tv05Ch8}P4-hEi_vtQ|QsB-lkXHTx$Bij=_O6bZ~c?Gix$kdeJ-z>&M#>w@IXuoOs@S_ZX$eN751A z74GftOX$0uEsvlM=RWsbNRwF*lE(w_a>mN_06F#Jvjd-9`OM@qnop3^U3}hh+pToj z6_*>;3t(?H*I=USji4r{C9wpR>pV^-wPF*MgEYs9sFPeC!AejCkTdNHf{ImAR64J=Cq zidYhmnwrK_$O*ji^aLgH9^3exl$>fBVRT+-pka`|BkwyO6&20qjaE6O0}M0<0Fa=b z%hNAYr%a{}Y%u}S8t&iBfd*S7sNa6q`UooQ`mS5Imj3(SHz}ZVPnvVZO_a%vZsitDSQBLTRUb1oqhJ%Tt4HBnu~O{ 
zCg3LigFHbhb@1RJp61`=l$@3@X=>kve0UeL!s1dky6xN|(o<4vN>C9e4v^Cl9;Bu6 zCJ85w9;A@=el%=gZyG*qsFBh@{}f~d(lbo+HaCJgo$a9BeBV3sh{Ufjb2O1Nvo(o+m}P{(|Ipvwnhby^zb;I;vh`Xa7p zsB1oDCDgWkN9x$E7j@#cpkw?&boR2i>82Za1@uoWom9acZjw&M)6uAd)EWsY%st6=iCJZVGzblL7PD)u-XJ{m_|*&b>K-VH04^M^$~_WZl1yS4+rmM;7bTCPwb2f@~%Pd;|mp@xX|;GG)W&0er>bBvi2936K1r%K`TyMJ;3X9;lDx z^2Qv{J#{eI?b@Rc4IDMuSe)q9wF5=$*}>+lR#Du+JxoxGS}Z|@%F^1kYmDvKty{Mk zi!bN#w*x6E^i4(Q6u5zyV$gzbSO%IPuc*hs6zwHc*g$&6j~z*mK6D?A9>V*~=kew= z4xSc37{TG>*RH?0mp^4iDLkcrlpHL{$5D_PO?fBx(Vm!c+IF~@zTcckI}c{GID#tq ztLoaFU!KcnH$E}7AIaxVKCj?eIcx+I9PDhjFxv-{ht(md(Q(miP30sH%KUjyhFOEt zL=`gtD6^P@$5>k3P6;YweMTOx1Qitw3gy`SMh-iPk$btqji-D2J5O%pIi~ipY85(w zc=qCpFP_m7)V$mr?)X_>jT=;SOlVYP#VSZDru@z7R3@#4pfVY95>)=nA9gG&{cqp4 zo$aCSr^u)%;|92n7%`m2u_P5n>Bo;B%Q}2m1s!BChfd^C-rb`$5>(*j+y-(v?bv&O zO*|!2??EGI*o5hn5ObKalGtE+upf;a+>d7zE~BAChnmg}x~Gu59*T~mgVD!m%#;~4 zXv8?M2UPD<0|F!3a*{NDY$yc3hja@%!dbbzO=pg?%#wLwKzw8bm9eRswmxMvd)6%a z$xnX5i!q$~lpx3GTtQNs%YixwJ-&p5leC5F)QZ(>DQwsn3hg(93QOCt1h0)Df3GKyFI*=*WXAWx1ops=;6g#Ez z7<`uT_b=0?_zkmgnHlMn#tZWjGx8{v4WyTHIkfE%LY+f-8_od(d0Kh^MeN!_Kdk(g zj4#9eYA}rNoX5EVo`sc zgx`s2r;foie#|hMI&lz98P}V-bz;Fx2^K=}V1SP{{+-#-2PU*nAC9sDDlf@mJE0j= zlFt&<^jOMIK1`piFQL_YSq&q&H~9v3HL5VDeKqg97him#$^-&C4D2I$25Kt14B!*e z(=IGI9mNBL36mxo)jXL=stG}bnW@B-1Vc~*KvE4+Wz`m*?w6_lqx<7n*SD<_)GAA< z6~A;xP+?+f^XAP~u3Z~``)^P8@LZF3VPRp$kT0g~;13Ih&g3cn+#DE-u4ozsjV&4g zNK)}m2r4=+r>Q9?=4dRiJs+fA+qUhXHEY+IDJ_wXhj60~ozyvV&gGpwMzh|Q6Z4d$ z1d3t()^C?%75|s5YLOH=Fc{+oasTeSW%NFqgKE#KocoNPZX{QZ(jto5{sVRNEuu#s zeT?l;&M-s~qj+>|ARVy7IB>$b)MvyL@(W}=Ro=1d^ns3#fAJr4VHv9-5|G+(+@-8< zn8(txWVVBOZ2xBJ$x_$}6DFEEKWo-()5)Tv1u+%L&*`w6{tk5xQv2^$uV!;oUr|5a z5i7JWPx|rd^KzdcD&lE=Of$PX=1v_(Q$`J_@G3Gcnbz-)ret0;h65No52wTyrls<8 zvMA{|OQ|xL+!bZhsNvys-t1XMhZ+M~sI&kxkWnC5|q-j}ERq3!``J*G=BqkZiF+F(U8Vh5}o%PUT#XJSwPwRgw1oeq0o-nre zP{Cx?BXVyinfBlE+|$*aTRg+z&JQ{p=oFzr#sLZH{rBI0#_FKvWM{D?AeTRE>AX*M z+*ou2yO7Wq;<74YDM48oPw_K3z=8?$p9#JYihVrT*u<;)qoa=++o-@661sl<`qIRS z6X>c%SMqkK!^{GV)MReRj~-!yx{5yhdbKqVD~}O~dP)I%INo 
zie&K;6;yI2rMw#$6I19>=4PhSNhT&`xoNyAwGE9PIl|~|g@uK&L~x)XTB2GY57^xqHBnb3}pDXEjQUZ?x~EBzd#G=>_B8u!R#zAt#`)>N1S*E>ScFsR$5MA3kPeO;Kha!4Op6&8 zkN}X=(o(jO%xwcC^P6_;rvpdh2|J|u1TkUv^XG6`GB|NO?cyDzRxDY}y4DAHs${J46q?Q`SHgMj909|4A1brK$;4oD&H*XllTEqg$lqAKm5RYr_prDg1L0zJl;lj zL@(+Q!h?ZwHmP`OYTsQQ;+B`)a2s2a&u2CjWkgXyas-=NE2q>PKYIP^MB04B&sgD@ zJ$trU@aQg_=J-s$J5Om7g8Bgy)DU)rA!rt#mtVDruxJ$4cku01MNrXph;T*9@Zcfd zc`G4~ci7{_gG^2Xf}GYE`~!KapY{6n6;GXdmQj5eF=C{V(xI~xT~r}xFTeax z`fBMi3K=+>I`tmP(|R3Q(&cZ$C}JJJ0wz`{Bh+^gt>U75Dq(U_kd;c=ywzpbj_r6r zFv9FnJ#E_AmRTu~Q^Y6a)b)Eo`kV5QdIw!zbXps?Y^TFK=;_G>wR3mgEv8K%OIQ4u zG+|Y_Q~#D>@OmIz9FQ(TiddMJ&1R)or;y2MPC84fvQwyE?;bRD(gZ`gx_9qk%rVL8 zeGInHK{hA6>;(0u`=6xf7*^}x#f{KZF3e^VV~2N9c;D`H8LtQ*#8x$6j30xa@0Kk! z-zR2AaP(v|NEcsxnNepbWOavP9+Z|bfj8eg4@!gCzHVW08Ljx?M_$kqMgE;b4MA zIb`u1zFpJ{)G>VfpMLr&?cckbZn*XmS}n z3$LI*{pnBKzqd032UmiM1-_7aW0ynl37k0?C}d~yMnEwX$D7WiW~5L~K{iWGodgxc z6uPK>LQwg;KD;Z6d`tY5pn58x*8bd;pn~{dZ(^)omcw1+FVEx(x32dX(PH~jbSAFv z?Y~|9;oX@^P;a>5273Pa=eeWej+!N?I9wYM(_o%zbe+;WCvi27PyInd0#XHuVRCYc zk)A>yb;pjKbch!m;26wOmS6tjZkjTAl9^i0WOF{px|Wh*Jh& z*oQkVF4i=#cn+i8UAlBN`fZTtV}K=u5qRR;z+w%Ut6IuZ=6%s8Xz0{A)VW7rqZ4>C zdM`z8Ut=Vv{4sE+$ODH{1BlM7^EP43Xc|3g#3^Y{KeJFxh^b8NJEwS?k2Dat;SlUF zWs0d%n4Q|Y?*K1y$e{dU2lW}qi>BD_rVnoz!L$8FGKwjGkj|6YbCi^tuNke#oT{iMWFt=2M*W}+uD(>0HhX@3l5N-&euUGzzZc>zo%eTzne;vnhcd8KQb!Y1pF4VHxk-wYY*o z37YmyoQb`C9s|UIzu=EGqT_0$<&udsO=Hc3eq-hMdtZ1oU-6T@<8CE^U2%K+V3Imz zOym^?yj+ZFZuF&Hw^DxPXZ~0<>sSNCt7TDKuh|UUZp|;yH`psmB!Lx*gHB?xe1*%X z^Owsog5JyZzN_E^7JLH?a%sv31o`v^5!ZvC5Yv2pHf2z@-E!iXUXGd#YHpvETl z-B=uFwLH%y-cV`u6UCl~yNOQw(3yHa&iZTiO@~=R38(MusVU1xX_xSNTc5JG<94q# zTHPU*84~eN^BNl+#2!z7;nn7ccuu3S*{Q4})6PA4@z8cO7pD z708X&N((yNcZD)}+%nnE4rKmLxjP(v9k zSv*O(kEo}FC+H8VSkc~nWDu(;P0+g(z?uQ{M$-X(H79C_WN04}9y%1pAA$@23k{IdoaruoM|7UP7f=QIS5ITWI;Bp?Izo_#v9AfC+q%0c&G|R;k_Uv zyh|0|!vqkonVF0K{D-1=rp|a>*wP03#!rl&A`8a8Q=P`V()tT{{eo3FGXVbiSi56a zN{y4{9Kb*!+i3AG)2x1!K>RwDmt!yj`<-J<0jt93S;+5ZFdTutd}1J|!Tx0BG8PVR 
z%3_DWt&kOyZu#<-s5AQNU9HPunFaIV0K~^Dw^u)3Ja{O&908qZgnuvj^J@coo#kNh zn*jlN_-d2(!X+^`R&~NabJaKC%}CsVSTJ%yfzEmS_xzNUPcHH8BjE8SG~e%_M%1gH z*+SxVLu5h73*I<>yP9GlVlEUtbwS;I6eioL}j8ix-EFkx#?u1ib+H z=M#Xy24*v)VfiqM8D9@h(>((xpkkLPYbjORNKRS!o<UWo9<{)`F*PoeR zGXLcQpbM@|pxbXerYY})J>_&m@%hm&h`z0-(}}9Qa3?|p_Dur?H^I2Xm~o;b^gQz^ zzQIw(o>3Myp0Yt^;=non>bS{-2yTB)*>3`f3ui*;M~Wh7kLuM`xU>SZ5~JUk z3YEUF-x)ZkcX0cgoiYsTDF%bDQi@B()Q06zM#bN0oo!c$MwbY&ryt-?O@eaJP*C49 z5va65l?+5SqddXApRfB64$Q}Rk$vBWEFbn$p6nrFuCq0P7=2;f8S}@+Ne()Y_B%1s zH{6{pHhPymOb<`B@mcG4C7jmr6J%WBJYjDq0s`-gO#O$@zL>D5$}trH+=g2IHJ|u! zXM}c$M>6TpnEbJ3fBb1TB{IkV;eDM=&kD17#J|Cf?Je zEff|Mqzl8j;qKtkpt|9OC-|Z{Rtx8Gv1dEuG^*!paAj~rc*vu$Y)W}a)jfkmNaZ&k zqQh=yCfofG!QE<4-4{10DZ4U$-Ti8JphK1gLR(A4UPIgFyf#?>PQn$F!ztRUDkS zoY3dr&udxaUJe2Do4Gwb;eq||`5URs+EZ3Je*M!Z^JhqIL6hd8C%U%uAeBbXyUlP$ zBs!iu>OG^;Gxd$H7YVTF6)DQJ!QMmIYxzNm(j-Y5Tr)Z}@a3lY)A7h^SXCx6135j- zV#tar+WsAB!n!NX$fX;f2Q;z=XN`<^2`hscIYulEH!X(KCd;bYq#r#w^$4pf!z$-s zF`t%9n7*PEpnRI~M;R2?ZK#uoXiglfeS>O)S)-_7ZtgWtZ&c%-be)Z=Lr{@$WFV|8 zk@?V{q_LPb{l&Qxk3iouuk!X_E%o90u#djs2x3uCm?aSYHj=U3XM+L9icpYCd*o|w zSp0XzOMhq5njlyvHmfoW#SxeH(+77i6 z)GW2C%)**G4XMTUBl4G)CiI@oo@;dN+E~V0iv>m$^?OSJV`^3l^Cyy`1XT|Rr1JU^ zL{kP_2iR5^tX%*^7^lS6Nc;&TCtoN_2ZF|M@urRVAf~^|6f4JDpBuvI)ww@^!YX#L zX-*&8vYVM;F!9F3d4qK@=P6sv?K7v?d^xuKd;4a$ttG2h%Ja~=G|GW!T50Tp6YlyA zL-E&&y>BVxPv-LEAy6A&!Nn`Y_^3%)^YIfXI+X9X}NRt7(cU7 z&P4zv-R}>2quk=A#ZHrXWe31k`HRN?-3G2%=xMjV@q8UuXh4a6`ZZQkMmJ8`n>k&D zJ?4hZK2e7F!s~?UH=Mdsej#j37++Qo2eMKqK`h@7M;aJg+>Yc|?;iWbKgc#pnlUvu zj~Y5N?N$TarskwupX8f4bJxFncz`ETA$AWBHSKoLr>p)c2w&Zc7N_ZI{H>KGTDNr? zPba!ySArzy$4hYVR)o_LFbTWq>b=k813+IzPwOgb4fh@pOH2hZ5z=0(gBnf+6kobp zWupj6YB-`0(2$F3)W?e?1p7KBf%v#i)x4aFs>tK@5&fW0ewEHulRJcHsnLbCk90{? 
zLOlBOmI-282h+C(X~grJfqlKQi%CQ=0wVq$tdv~#;J(23hgiW&v4|-iYi@`ZmmeLR zTJ0&btPtMmbS4hgIwoZE7ZxO>T;!6_C#%d@o45em)09&l3lke4OBd6F{aOrC5>k9*k z9I93bRgPs@?Ii|s*f&A4e3A<|Sk7J5)3o!}$Y|4*KgBM%F^~bq_#AetVCNJvY zYZoR*r|A4|Z=L~A^3I-FO^&)5dx-KOhyw}V4bcP+2H_pkl-m2O(H%_|bDnu@GuKXi# zZkJQzBX2~Im^73tTb&beG(ye}MW$Zj4)mo7a!AD$cxr_G?dR#JrHj?)T2BDhb^AlS z=*kWFq=C=3?OClM_zE(MVT?s5S^JF6L%nrWj1?IP&3o>T;MG=hZR_OJo~^!xiPVGA zGP>`!#P(-QSKSsCc>Y8(55+H7fu3a3U`|dMFK@OvmKRZ(5Db|Dnrnj0+XRl-a10c> z(&}r*qI*%j$w`I%U7?h;eY59>>vE4rVTJ4@ok785?WepDap8}C6L=!1$z7!#Xgx-( z6dU;b6=Sp0W16!J#zormOo+N+cN`cETyFnxro~ z2UWXik2eY`YQ9`DUFJg+KWZ@T^nFEW`ch&-SNsNrB*4Q@kI>pFgT(X{?7IoacF=h& zsYx>yOuQEDLVQhJ)a=*_Nkuge>+*da^>Vkb6o*MEysV!n9FOp4%gW5XBL8xBL`E`2GyA7L_*Ou(DZ$-PLyH8 z<9{Y|h9CZ^RN`XsMT)gxW_^35{DU`gmccud_bMJ2dL-CHVcSn&e&U36nBnFVB|xD# z{izr9J1rXUpffR$$wyGBU3BKT7Lj;43gb^_SX`5QDy!0Z>+rwJ^C!w@ExFnMa#jh} zixw|aW^e-VB$Bi8)P=e*%RJPZ;O+9R^;{Ra#0vGo$hBlyIaNFz`)D`(+y3DjGxMC;AvqP zV)x;tsL zMM5h6^V^3{I&M*{m_G?>xYAPIw1{E%AGh$D*qC zt!Mp>1eo!Hot~qs&4k82Ff_|^s8ge$a0(-$B`u8fA`)6;hLqzh1|SkcU<(f28H|e* zEIXRbnT1(uI5KIF>BF#EKzXANj$#wBEW856K+%*eH`sk(&&_*pzjCM5BHrPA(k8;^ z|HKPftX2qonbM`GVc;?fS3h zgwys9rnJ{kA%3bZ2{*I#hIj_Y=`#au8!^ohr#c8q)iJr@RJlkRv4J=0IvsGcloK?8pBW`>)b-ZQxRJwPNGjHUClN=TCr{``rdn*8jFI zN^}+p@Vbe}{mTAP<-{MrZ1<`21ONXu8Yn%e6dPC?AA}#Y{#j)rU|#wYXzTjV-fL3l z!qwaOURC_FO6tGnMCkd0{~Zz)xKe3RWSiN$1O0ziDgD<>4O=sEy#0U$JO`2idO1g(evLg7i3`u=xS@utVX)FSQ>+Xe*0g#) zOCiOO+>?^>B`J{mamC`Zf|r?`_Z+bR27;QaZyhA>ypk3DUY}X`Z&%1JYUQewA|E$< z`04@z@awIo!~8Fj*RI7^GMV>`{Rx$KcQJ@K^YZyJ>n1)pOXVUU(a_1XpVoXFm<)aF zUiZ>k^$PcQzvUmaKe}sQJYLVgKgf&r*7RO`gPDPI+wpSE0pz0^B|}B$z^XqFVQXFc0vDRbn~RL*tT&NPkl3WTA%sL2UKqUMmfa@whWbpsaU<3@k7g9Yg05KB1Io1?zPb7$e(|wuh#qP%X9c#pdO^lz>1# z9$ZDp=l>g1*DuBix!|U#iZ*5gus-=&< zOjj5jl#+fo*WOk&cyzxXt|c#12n9Yf8BTNMcV$>sOoSEy$tq^fr8c`dDSK~iqkbNU zLrbOyQdcAqGdS~!6|RDr3iG({m+G05QBa0HA555tdpqW03%IkaKassF*m{EnhId8B zBpabjfi8*|6K*Nf<)A_SgGZcRz!S2W~v zgu154K|uQ~lP~SYwXie|lXtc15jl7D((JacTlF&lJ>WwmL3Ww`D{bDNKL&BsA#r4* 
z`MDJ2>Q?>nm_Nlrn85KL@J?i{^z>@(vlE5u*qsZC@CmaFeV6a>C+X~#QlwivtTOoD zTdPIf-}DJp&UP8BNR+m@*=ATPJBm1elF1O{D-d%#Drg1LqDy>kr>}LgxAnUz5Y`_W z><&{h^@pxYnH%#BOAH09h`%MOesNs*{l2Fzb-Uk)^82B#~EUw7<{) zxP~mxsR_Z6f0k8D&23H-{}5o#IpE-5J6>V?W&=~?hpn)NQ{dQXoIu0$Qa$6vpXOl2 z*2^&s7_VB~nQz9~qJVHS<+P4&+`Z*i@7UES&%Oqg>f$2p)kX;R)%t7yLRO{^7Z~6b z!T;Hl)I&C}z#dy{l_T^Ssjzk6nxNxtxAj|zfV&>CWc){gl~;&^`F8`finF^VTb^mF zoGj3pqJN-k+sng_xA98I$J>VGhI5%8bgG(7!soq6-r$mHbQ}cK*C(qt&kyrHOiewQ z1?R@E8GlHnq@Kr?c7{LNOfZB$dt+ns zOv~=$0=FCNE|Fjzd|qMR-8FWQR%*~)?uY;Cuuh%v4mLM`h{dGVV@}7fq3k<1yHS0b+uyt)VqF3*}H#vT>{5(W)i0!V?Bfz|NSRHR4}hS!8n6Sc4doaWS5<|UePGU>8GZc7XG9K9n#qYJPHqHzD=h(Vrw2dd2$&|`4p%aj? zw?bEhxVaoJd{ivw|1L%X2gfUXx53i<0QSfEDy33^=u2%!a@K=}6$fkwI6t!z^11I8 z9?^aHX-Bk;zRQ+r)9Z)$6a*YhU|eM2vmD6rta42}7%pcn`7+DSKiwZGrW|yv`TIoS zJrg^S6z0787T>qI9`d<%!GBEBTz!H6iVH);$KgowZbu*02T6`28AcBL`a)p!<7Zrz zu1od@b?f+H(gq69XYxeMLsY9#Fq5eux=ZUS)98 zIVCMk;Ho^LtJTYPkztHJj_|z}pS(O%`*zfJ)9cGBMz&>x<90C5$>Ys)e;4`pYmz29 zdIJ8F-&Vyyf=68XemR@T3e^*%x)#5u_qua@lP8TuTjRH3<|@hW`$FEnyBj5L!#U7m+-PX=^iJbR25Z*Zo}3G=NzNf_ zS*BZc#hAB|k?&kT!btnx?Zu$u5NdWa$|0BMONUjZo zhGXDaCwzi$e3oMdc56R>Kn_7l?KB+`N3EB0ylE_Q9K4nmcmjEO&Wd*oK62y0_XdPz zB_>uqGfF`2<q71H8?*~Q(QCr> z$!|jtSU+rbTx%(YRzvRCjSS8O?)%u?^{mD9!yGiHx~Iek7HWn^AElzX^~TTF;s7BP zNNIxh4zV4_MHCkvUaGFYZAiQj+t+)*yWp~8Q;ru%|0JMdB#WE*{=L(MXm^zIg&O&M zhCee7{gMi!2VEhZUAefaQ0*=2nfa+PTdQMMh~~HQC#d0;lO_B6*cjJ_&@-#}0i!t2 z@Eg6UKnL+D%XrjN;Da0v`wX+Bo3b5=J9Y|V5pz3l*tmGXY&tW5x65!S;Csh~C<+Kh z>U>$FTxZd!*^+twA+kQmsB&}TaY1s8=~pQfdq7Mx0_@55ZDn=_-wb}O6`V%W-{_ex zZsU?&9^_-=t?|$l<@o+u4N}LT1wCOep!Th{Ve!oOk7eomda9XDivD&n53qclh$E|5 zxvTA+MH&D2woo--KPxJ>`73Mh=C5IH9qTjv`S;_z#5AtXIC0PXJ~x&>I9}u~2d#HJ=0>2zpZL=yG5OaCF6qvfwQfz4vIi_SDK}oLsnbilj#y%Mc zBa4&EBLojQv3JuO@AkA!`?oNqklMQFh~e|xZe#BeBm3L8aw|6&GFy^8%;;cLc3#9! 
zp8K&ZUeN@mGj%WKCJfeYq$YCShE+*%{r#keXVNN(-1Apkx5>)TCN%z2D_r zNA7Eq!&&`&Ub%A@1=@JPCGoAK^`>}nCt?U(*C-jmSE!4X>m|Umaq^-9QCuZy`*g4# z*5dljSj<-o-|uh{5{NX(`#jw57bDx)ZHeo!2IV$DtJm)g`@%|D2r*He4Tz8xtUud# zctw=VW;&34b`{_xHJ^6~4oPKB)=BADYZ@JE?^fI5!CZN&QPym#4MCCGRn1Q$&XI{@ z;Xvi%pq;AOCfHll)V_AJT_H!ATW+w>nDDv6pU-sYe@iN)I7`JgFL4!j(rlYBxmedR zz;!4?PP%X1|4D(h>xJy_>zI-siOR(3%%KAAnXR|D=ew6{L%-a!HZ`fzL>;tNbjP_$O6*f3YH7Ic%^Wt%;;u1eSb=i6JB;f^xrcx&E!HJo zo6v)DHZwZP<6th(>eSD&5b)~b-8?^QXy@;fx#e-oY8o_fFgfPVNw=3LA1(NaXsMnx z+1f+-ZgCm^yMG0%@Y)tmIgvA7fL#Zk95Mc+;*X{&HPS8@5bpEcHi?3pA`sj&-Z=T; zqD5?Iw$Ku~s;{UU{*`xGqI^4$tm)|dX1T`o5wgrYa|rGYbJEVUbJyiiWaWan@ljzE(r5-;~e|0f;+)b~g!{#`?Zu zekaPcFyPYYM!#meON$gOEf|$%=;qe>v?3r#AaUs&#tb*i@L7Jz2wA!EhVZ@Y<#{W= zQ8WK&+naoa1pi4MqLFp%o|0pjJD;;)^sEv#*vU2xhh7^Nu$8n}X+ zG~=NKGu*~&vaxN)rTN)`zTT+n{GQ6{o@)3X+PtIZHD5J3Ts`WOBTE0Mxn0-}RMTCP zn@Y%_!!k`WH_j72zAcxQui z-|1AsPp$-**I5}0p3Rl?&sGwLN{O#sY(gYlWKU2}=ZBPK6f3phgrCmGP5C)Rl=!kjE5*8E59IvgU35=rZetgAGfFqcVit zK^ftw^sVs)9#VsZ`e_pHDM=lEUcL@tON=SWqwc|Y^;<=68=-IQtNYxc_UL_Y_w-ZS(lH+_aN3A*QfB$TmWMzKpbNX>XXgMC`|}iB3&3D`iX~ z;d=PbkONOf7eFYvw08^h>x>EnwXS0ZtPMeF-H&U}rr0HDg2FFc_ttW&<-%mE5yA zOm*5p>S;SO^;egfKFgmsZg9TDH#a!`z?7rVR2w(>AhDHrGhs*$t;sAWV#(eY|93Qz z5{bkw;&}xDsEmkEmUc@$i5vl(LNNSH``L=VPn1~DT@CKcQg7(pr}OHTc489vbV_0E z;HAG;p}WC}@@lKhM9e_U1^j2>+Un&je0uK(g=tFEr_-~unywWLBARp(u_s^&E5prx z?B$3xq35D-&~ZXe#+x?|SZWPx{Co1(HC-Ay8cK}}W1-IJL@6+IbezA_APCU*m_U|* zjl>Ww^4&lnPgV4wFyaDvVto0ugN)34N@6|>eHX;YkzUbtV6;_g*WQ{)^!2q1@uQGf z0k)c9i~QG(FhH9S-@#O#-mJ=YtC3CH;hgFVmyue(&ZZsDhfoZFg_NHH)Gn(B4#}OX zdl_y-!GWq}Ny0a%$vniTq@zi^0TZ3PADz22ZVLRKdl?;#@b!y z71A`IBxT>%KZr|;b%Sb{29clb&Pv$CQn^vrBWIM*z&7ugRW)^IuJpxp63&8BU@%i! 
z%4-9M(oMd4Q{HvOw*>@!)mVaQ3Ubw0GMR7htQ3c8b00)~61wl%CL+PaYKIC(dDCPO2p99SBZ~XEk04%W&JoV1<$K9e zKm2q&PPS~-B!OwaD4c_5{JZMn8cI$#T2ONo`S4UL$uDP&F_UuQ<*IWTQ?#CKLand% ztNi1wJq}-5cuczwQ{#24F<@^v$XLU2R|&x$jZx&xBQ+UsWj^f$qqJzQ`kbDi2w-<% z`KlyTEjEmMZiu+&|5?)#c9!TWLvAEgfIiVWH@7NpT#K@x9u4t&54B$eErZ+J zhDXPNWwkuy5UJpPn6S=4gxNFoOE*|R;`v1DeNRVuu>XD*V}ED!SKWDAw~JuSZkPSa zl0a&-xE{Trw+b@+$6@1;GELjsDB}ywKp2m?~3@{P&k$~P=wvLUxUs44B%yy1>}C0-7Zk^ z3i^JJTw7)G*C7eqg;p-RgB&7g{py0w?ok`Q*sW#K`CNi7JZsqJ(1;UwCv(B%m9}*8 z(aZF@Az4GI9j^eId7_4&WPpDyZlPUaRp7MOd8r}OqvLT^w!!iJ)XMTB!DZlUlUekO z%XHCiJZ|qUwgA8j=~{Ayvp_%vE=20U)G@amcX`t&NZkzsyOrxHci#ctpiJ6}=^4a2 zrG>EOpB_oUeONjeiLm%6I-cf`h_DyS%e~*0A*4 zdNpHDv8r$IZYx|;qPx*piVDR#|CvwP_^pLPYm-^sQ?Ur?7c5#gSwhOm1nl2JMg^qz z)y2vuL45emi>t#zMSKRd3H5{DWJ4sYWVhVg#KnX92r8Q>g%YxtSg}1()z^H68f{l* zpIJA(hf$@^(jVNu5eSB)=*+NUH5wL=8|sx3vp;DyzDP9UlvzkQQ|`twgR$|MB6v-6ZnWJ ziEjQ>`OHoG^%#fC!$trJ)k}2Y##Np;+@lh8R|Qi=MkNR0ztdiH=gG{BOrYJurBGcZ zZ`Xg)*nB(ttfexSgiyD6(oImpzVg$)E4EEh63n)_0ic2DOE@?Ph}+#o7;qntqYL`< zjpXb>8|$OdFtC5%K{dbd66;S^W^23j1z#fTf9*N((%5g5?!qW8YZOAY`hVM z#vao}L;Rifk*Kx0l?%C$P8hKokt2I-O$pOd9F50`+_2jOd{bg|dyozcL2twDlG@{q zzh>ChhBE0R+GR@cIc#QhWrKPdT5bkAD#}nyZxl0Ud{pq=mt~4`PkD^3@EPpgB8*9Vd>y}jZRd1#0S;stJ-WxOct=Y{GFse9%E)Z*UC0R;GiwJrIa7on=}c~0Jt z99uQi+s=>q>8%u2{TAvu7W?u=xU1E9y&VGbxfNBQT1>F6kb9OPQhiClzdD?r`vDD& zuCGn}?(~|JdkO1{=CFEQE5uA@I(x>0L=Y{sWw~7GV9?_Cd4P;E5y&4i$C(t3GnCEWCh#m_h;p( zk6ZG8EG}U<^pSpkIC(&7pFBAA)@%#D7cfsF5rosHg*sv;1Kz7zb|M2ck;g9+= z$l3tpQQe3!$k2dxI$xEAXQj!59#m2Wr&)Yg#suy6pBVOp4VEJa)EJu;uFZDWv`=$ue7 zJS85d4blW2TfJBf<*F{Lvj|F#fcP?8eKz#$#y^AI;4lCf(7ajP{!at|_%8zB8V!W- z{~-W){)V;DMXoFU5v5ld{~Nrw68*sY&yaaDB`{R>cO?%0G<*Mzqzl28b^(#}|3N9t zpaXTf^(gx>|I_>)fEOGQs-XXW@B;h4brSo7_5TS0$o`8A7!R~@{NJJ(VB92tI#z7M$icP|8Nn+f9nj(dC>X?b^&DdxBKsNiGKVONU(|p)XDQS(@5ngO@&2B zC`T=g_TEcbUj8SLp25w4VeEeo4`|T4{Gh%knap*v-uO==l;VNfi`YXfzXyN)3a8g_ ztPh?oBQSKG>>GU-n*l14*Z??mxxBArlLM3KlYzx~f}ZhKM1&moC0SWms^b}QO2oy6 zZt(8`$UOvlZo>?l@Qc{~j`05OZel2PeR=JNS7Vu$pE7{~M~>yV@HedrJwsNgF#!ke 
zzJY=1%kkGNwzjKZHutJBthhmdGo&o?jP|_8qgFL?~xa_UYh2`FytR^QVCm&{cyvWQOzt+CTtb5Ne5UZpzPVxCe*?%4fhFC-YgG#VB zQOpw73_!Y|=H$eQPRgI+eRbf(U;X}=O++Mzii+x>Gw3-bDM=iVrrtR`OgCAvTdGS07|)fuy1KZmr)a3#8U$y~5n#jHe5eoZ&bKYGRJF9E zfByW*^+}dD%Vmtua;{VT%~^}nc6^=HI2j5OQtsKA zQzIg-&sYN=k`XY;zDNPvBiqt%7sS5aUPryKiB_+D_4RhYid$z`4|sTZI{Oy>AVHa| z5VGSN$g=f797H-vats^8RP`!2Se?A6Z|?%ES^u8n(k_!h1~rOaTqf}!VL!10N4nt4odWyLM0A zsY#;8#1t3j$G+G*f%+}cd<>_z!fN!yx9YxJLH698m6f}6dA$*WISBwcX~cBrzjrwC*GAXFcX1Bhq5BUK|5-6!)En|DVp>cjg0m1_^)ZR?INqkF5#21o{k=Vb zzY5XA@pro)C%dw~(5_ruppe81UV!v(w;HRfn}Rz=GaLESMLn;2_`UE}2=G#QUv3)r znSaaNtwai3T%s~J?c*)P4YNH)>ffIA@PqJHv_pqu2;VF6me<o#BMUw#2v7q|X= zGAMuEi8-aB*>vNfXwMW%xnSr#SQs}mbA@8s*GKA6{bsa+d}kEzbU*vCY?qsswnALz z#@0>{$PR(FphSizWi}oGSO8oj6faA@@?NasY$XnFjXEo0*l3ShCazp# z?56tqWyE^Bz8v_&sQbZxHb}or%Dbx)Jd{Pk-wf8+0z@I^nxyC-7tG@YUhc=gDeWV@ z@_u8{)ua3Y5S;(^it{))1}^hDcmeIh7nHBPAJZ|&TLlj1*6i_I5z*=K%T(L=ve4qm1h(z>PG_Gj{ zkx-7#b`jgJ`JDPC8<{|jB<28e2C1oQQqh&ax|tXmT>{@y+b5728EkLB8_@YvD!l!) zuwBV2HaarGy@TWwMDiPFx6S8P0EmhNnIFwT=!69l9~Z~%9Z5vU915w0grQUi;44MiFve%eoz=-SuzqgB{n%bUzB@C@+bWGVbd0pNh;v3 z`yz;~F>~JA`)Sx%V@7otb4&7>oq^%kTF2`P;@qQQ%Z<)Bb`DQ4iW$ng_;=p~TVEcC zwLE331m}+qy?^R3;OimQVQ|g!=fb55h%o-hkX7ONvhdl>9}$zRp<7f3fJBgw3M5b+ z22S3iV(T>8OTgdi>hjGA2#Dd8;K-sBR3&{h5Np87&dNPmBQ*`hB_&nwdIs(e%-e7o z!Nd-&*4aN@M4V|#gC8x1+uxspqjQ6?+VA%QNc;K~U zwRzmTX#mCBV7@SX_SpyT5CZwfoPj>sww+xm8~2jQNwr&9{!=Z-a`U3KV%-z<-8^^B)zMc00&U)v^ii>9 z`EH^|qUy82p`)G#l-?}0zh9D%hnyvA|J6~nbVqODCQbt>xve&gW_A{{pd@1bqspRi zffoXDVVMt>fgElG@7iVXo9&mvZ!fxo&lkJQBQ3xrix~c(lMpafFNP(%R1f9|EJVF}ROR%zqzO;!LD!)PP6F&-^3))jdOv!borwdiZMJ`p$ zTrT{GgHcK0ey}0(eDxkzxG4Mlv3~x=u8;l%pxaP%>K5Yv;$+p)Obx<8eEMnbE_6;p zzwG(JRDK`ApB3dv6asA1u|7U8rOk+8Cs)q20q)2}is##;fAC!cRp~0#A2s{5vpi4< zjI68sT>acue5gV1R%72KodJL_(lV`7f%ccBN9%9d;?JTps&Lc>Ke?%{-*iCW@FW41 z?{UWSA0(t>m0efxy?|wwpO=U^G!P7)4Dc}26qU14s2s9bU z3TJ!l#=J*b!PZEiPCyZu#JWAH6raQTcJ#O>tMW5|$@=BEcAU9Tx4^+2pqqk04rhXL z_2?t*En$I)~iuYL0TFvYE9KTZ#r(9auWW-d3tHHrd4isEr*t 
zh*(6iK(NiY2nYUP#*xN51lR<&CE6JGj_i}4+!Pi~mZSWQcOfRx1x?&=cuo?S*9WSn zR?_{4(%Mtk$F%{V6gCz;TsP#$PJ~kCEoE14h}Zfri_B{yWUzHPIv z|L-M^jr~}TvD6NQxFb{alhP08(CX8ty4{y=9jycDhe3msvKpZ}L0Cv)QiW-bXJkn_ zM8@G6`U`V zja^+7b8D0>EmD7~MrJOM!_T2ar?~tji+mcI8@vF^Jg<2`5tWBQfnz_2I-(^<5}e#x z299bK^+xGPPm|H>^CM$d36aDaH=RQs2iQz$M=}g7C}7msbST=YB`Gb!T$hoVF4*37 z#m->L{r~_n^A#Rv`(q<-F2HQDOkx#&<`4{Jzamc?(h2?vy(8e{jR}XBRa=ZpD!>Hy zB^~8^7Zo9v@^`jA7bp7EedU0M+FhfkO)wy&hSx0naD3v#z5}g3j3ZnLaLVT4Akjqp4;^b;7JH1vl+k(kb#mY-h=fy=p3S4D9p&aa<5u(YVh^FYO&L3KqB@#)n{QaO?4-Q9>)SW`S zKrUg7$i53g31()5S55WZG+Oa)LD8)%qlpmG^sqrpz*ksu_MA*>JUb_Aj;F$Y(?Joe z14rGf@FiOu?C}Wk&~b|JF%Z*`V)`84*np#f4C^!u!{_5GOI%G*QeHlVc(XO{pGsPr z!1H*ywAMmQ5_Bx_O&dY;#9A|KX_B-g&9j36kR+2||hWm3Jt#{SOJaaBwKfvz$- ztKg)$)JAsUf(*yjt7v}OF5B#<&gZ|c(%>kNSPn21UW#5Gs&{m(X$O#UH zsSV(p3isQU5Eox*mPj(x#AiFE=HN6c?jK}#s(oFVO_whKNA~U zp0MA;U$3VW&(748Qc6-%MO76$mhgQTzsHFIYXDgGzwSGT6(*YCl*_29*(T{XFqK)8 zX3rV{{TT3E1#v9Vhau;zgalD-=<~cB<(c$3ZL>AovDO?K9W4Zotm*55^>T<9 zBzb^Kq{|3^&^eM9vF9F*+Po(L&w_!Ten4=WQJ1dNL+9jL`o9hSn};wL_&2YDrEfpy zm3UL}oL***^1_50;9Gh>IdSrKD1c=yGYyXeEw~C6ZTiQm01qrUf-5~_G z;O@}46Wj?NAkaW?cemg)uE7be!Ce#F-SsT?-tV`+|KcC#>fD{H9;0EbHG8hATC<*d z>Zzh8=bZ)8gSP(-9h5@@p-DkG;_mJ)AvM(sp+w(!pPqiaX=HSiW|z}{yuoU!FJ9HV z;(wtn!r@W?k`c}#`ul%DCv?!|?|>_nmww{p{_ii&L8$u*02U3m6w}E6(+L9ndA#{` zCz^*;o%8XQwY?wzeI(^rug|nrFWt35STHcbKLr;L59m1|$HBn?DcX~4;bALV$Cz`@LxP-VQkv)8EH9a-?XP~&-b)`R|94>wL40J2X zT4_Q^nH z{nhf)*fItgyRgX_o_|15zx!9GdoqELH5CLD zH^}1aD)rJ$AybhPwS)79Tos?h^3 zgfC?bLdWB;_0mMXuO_zr-b#w(ap4>e7jJ*!6ais71n~%+DQ0@kuL0f;9W{Y=NF7Zg zr~cK>>XW}GOQif}BRkWt(p`Rme$RL*Ob#Sq0Qt)7W?PuzsgIJSW>X@0mNV zft~{bT#VJzhycV6`u=*!jG20YnJZK1u_|p;2%MGp91`Nq;j}4z@N=1pni^1A@S^A9 zN{S-pH-9VA=6RL-w>x+Wzyt~PJsoX209AgpaX=@=h(sZkEpWC%|74!krxU?t*s&nAtW^;J-}7@L?d2{7KAea`#Ibr#IWx z!BTp&3u1}p9-NWS)78uPiu=nlS-btp+cZIMPj)H8cuhQ5U}=+o~u-ckR;;~77f7VaR`03}%?nEBE0FWBG^b@-;lBRpj zhqUiQB6iVfmgIhpg(=N=FY01Wk>rvDod3k8UGYf%f%#<7kbCc&lHISMxl$!isCW%aLXH11mj;yZW0F@%eOosfT 
z3LzjP#_3Gj0$R?787d29kA@N%Ej#_+DO~PkatCXaX<4CMA6a4ghwa@xoPd3)E3oL9 zm_~NFq$DIJYR8_l0BB5qSWZMFR##vO2u$OE$_MLlj%bz5T$X1xa}DMX?l57jR~HX` zmqVW$9Uh){buf1ZoiA>1w;G#x{G9<^$pIF4#v#Dq%@V0-`nX7`bM@-pK<0%krEgd6m zG!k#bC9*+hc8Y9&bSB4rSqv4=P?+|)j-(wC^`@$Z^phz6g!V=-FyBzsYNQxr8o=~r ztsuiNKut-ca_jE(@eh?%t46p1a)(xRc1v7XSFh;NhmsZ-+vUcI!vuKDgJa)ocnlA44sQbmuJWw@$vDNC#wh=lW6%sqBP+P1=G{y3MbOrP+%qh0Sm;Q zn!-0wsV_Ce=%g&T#M{f^qnniBhHzf+N7xX_)G3Vq`8Gl{Om48C7;7(~d$XbJV>HrN z2BC0uOpxj%UA%(A)_I)|z0$=)9lcozBTF*_b1n(_k)_&K!)BvnrnFCvOo73{x>hB} zDCf^x$%d!U0rhoe!{&WOA+Ksl;bz;)l9F$Mrp*(1W%a$B+}g#e&jKs~^HM4*vD2lR z4g_4b?_Y~30iz}48sACzTn2Uvfp+KM>%#?wm6n?v0C9I-7|Ca>)H6+F#sshTAigR| zGD+JvZE55ceio=&v0bPMkc=G9Wh#uR8;lOyYO zelXn;KF3O6PXSjW0TcKBep0YFA|hgI4s(Eg`yFl=kc{+(3l#xXo3pN1o@=4+@Pf6L zf4dl&TglAs_e)t&@Iyl8#l(V9^MC@$r1#Cr7$Ij}DK-iM)DSwn%l*e<5hC56_65Le zE!8RT1pqQb@2`(^2f?n0)(TaX*fPYVMzJVW;=IH>Rcq6n(lZrp*L=;JapA2W;<~uQ zO04AZ^V+jMr3!zCM`K+>bpdKzgqr=>8rM-Ly8!V1(beMSSif*o9uNSaQOc5^({nCY zUv~t${&wylB4<2On&*yAPB~}-A^swl|5i;0$3xJazrIhataW9 zx7#1_gMp8@Jk#uGo+Ht(e}y^$a2n@ngLG6veg^ed@83-KRgsscll1L9hs!HkpdgARU@=Hn<=OUtHTG>Fm*iRFq$A>lx^tu|LTgf+y!%B!@ThqjoG!9FQWc zWO$djDnb!~3Jp86^fw9^)**D(;~+1!KPZGN@{47_z?+EdJ%HCC0UW2wPjB7-2EN;k z zqvODFly?d-T+$aFVS6K5XnVis5vV!6uxAS9OP~o{=IC;hnU-o+{;*$ZR{t8^*+cq# zTIO-xgVn*wm{Sc|xe_L5zcaU@wo2so*C9OA->4WqVQJTr|GDZJt}d9>bzT=nYWIuS zecApkLDr)&pXXE|bC$u}EiWzt&}ZZtq}+V*$)peY9;m#Oa{PgtIP6&>-1ud*;Ro+y z$7EdwRG~h_3n3zg7ApSbeoG>3QY&!4Dr1NxAKjV}EB_hqSi(cduG) z%xmg7Hg!||((id=;>C*#%SQ<@Dr7qw3IqyexY-_(4j;9&w1y-de#5qOq>al6W2Lw_zPbK-BdGQhL6m-=Fi} zBEJuzNc(>L=7%O9mfGhR2!EQvWrq@)Sg;BFYBTne4mHA=G{z2#w7^bWu z_L02xe5h2KZC=R(t2V*qWVH=)3=}wN_Wqvqq!%Q24WFYsi49BJr4!beF{OwZ;wS)F;6QDkX+iS6*e^0>%a^{qC!a%vYy<_PzIQ&hp~8_T zyE2k_iY6N1K0;1d3R@b>|p06u^ z->kPkV3N)i)46&bQwLA#tfthV(R?f}Ek>OeI$m<(Dh?tefoUmMHyV|5H+&*1wHDEy z9ajetW0!mE)Ay5;lhR@}T9u%O*|OMrW&tk%#;7d^jjXR5ZwX%kOn}n6M$hbY`4q*7 z$)%#~XEYr~I5!f_Q8+&nL?{dYAxJz;pkQm7t^T|3b#*X{0J@ULC1}5Qp`fr**><P72AVzA-;}uF!dOI697wK 
zDIct^9_hAZ_mh7SUBnLbvi2glQJlwOV0W@QO>;#}ZMFz77xe4N{UJEm^YsT6Q+2$~ zt!p2e!~smr2aLvTzkJw8+p9D!y*{~_MP)TBEpcplaWU4xQ9_H8n-?|rdcu|x0Mrim zrH!{5D>i=G%#lR4Cf38iPokCPk&-SNzIcY`yhOrxxv_>RY@+IkpaTNCi7(^QWV7sB_ZfH&uEsw1JRYZa{9C*|9$6ranWss zj<&W$JlFC|hV!VpUE@;_irZ0ccq>@*uC09wSE01r?wg^94;8WN^2LHhwvCg}^S6m; zMyV$t&@JR=iH`8@Us@>cJ49yVgK;&>vZJ*W-0)Rjxb?jV(TUtySDcMGm^S+c3qM^AT|EbGT8I|q~8$q z7C4(7}8>h?f@htqU_3&i!IG;s6A6k5xb!>S&PwFUjv9TMB>${n` zRb)NmTon^Ccan)y>|d;@btXQF04CY=nyQ`bv~oXx`3ySLtIUpXE8Q@-uTMIBtqDqj z!@Tyd1&{kS#{!@6CvN1IbIQghN$N+#j^RBRI{^=0Qo ze`!mMjWT?TG|BU1D1(-#iT1YdS9!y;Je9&~GHA|(4^VUtY*wI4N`6mz#_~}X$!e8pK;1{A^T!yRP;bT%ef!=u3V7EjEJMU9)%*4c` zhH4gpher~h|8rmKMM?7v3$ftlgILG1=}WLs#z6{RY%u$Lt@V==N1GS!Qo@+L(r1W7T@31;aR?{0yre|c&6ZW=$9qmD zIA=v(C@eZ$h9w41RUYJ8{uf!IHJ{GFD96p4P@o+RKdcZMVpz5ZXJCMk6 zuze;yDbkLojL}h2ecrFc!EmmpXC=heYj6~MG*G~ww<7mUE^g`l-0pJl*n(GPX1a^h z0R+X+hFOG@&oAcQ(8G&=?R&@ON!v~KKAVh~`X+Q+g>Toi4Xx&#!Fmu=N7f zb32Q10{oLzQqxXW-iMC+eVd`eG$kETW#EPJw)OE`&Kh|VyM%Olzh|!ls9U-H+HjAMgEAWm zkBV|@{(e*Ri2rRPa_;P=W37bmtahcr4jzCH1+G>id#Y7WI$i|T^`$WswZ_RL(064K z5JZk-m8OR4iRk@xL?-Lk<3Ra4n|c2Es)8aIr)Tec7y8lKdqBgCHp*%`3OnZF0k9PG zALIiwa$|}&vDKAOH3H`olOoGoP;;yDBSd8ve1mj2Vx+);1|0)~r4r&BChQ;v@(-B( zk)%Ob(b-`tlv0h6QoG2pD!FxE{wgs9L^=}+x=SgOemjLa?F*bPq9W!qAojYChV7ve z_$<0vqCUm!*< zt<`ne?=}kfmpz(kz3wg^80^YO{2Tfja#?iCqeC@V6?(#bmcJrZcju_ggrL z)0J<$=)BYxMUch~RiMCO9@d4(pu^vW`Zg-C^|`HaUCJ}LO2$OyiqtdDo1xh5E-|_@ zMeO2Zf)B`nUnePLZQYz5XWDd=O16p> zxAf3liLd;_YfE;^#j*S8V67+n3KbolRVtmXlXAb_aBv>FC2gtPE3I#%%^p#tZ8z5= zil-w>l(RlDhd_vZ({%fzBU?pLLBHhKH>cy=amz7JqAp9mSh)$%e3@(**?1!Q7nR)pdxb^BjD$8}C_IoG&S|y7!;3fAksc5N^1}1@ZU!bpPpH%bF)V**RjBN;T5MH&pWeDzH4dAQRTsbI0e9 zKr^-R{{HsoN}mrR^IC(g)i=XPjE@5v^G5=a6NEq?xvCU@UVK7nG3Nazk4mZGKUXTY zp#JxLT;G;8Xz7uDZ~t=akJ7h4+4yFtv?B>$2^`FG7Fg*yGE7h_1WU7ysa-S2J{R)~ zvOC7*c9^b|=ab614jp8%cDvHhDW&kp87(*tssGJ6#dS&svwRWpff zA!`8GkjBL}*_m7tlXF>TCTt?%u8qyR>nOqrztE4Iv3tIQk`1J4bu#^(&z5-?$<0Q$ zV{}kkpALcYILGv}&#t2XJ#MN()g5f|wmk3U#I8y3Ne6rz?S10*O-A^702aX#z7T)3 
z&~pG%-HCO;yAM2uW)JJlt_NJo?f2CXZ8@r9+k+vu20glE{47t1idn^n_s<*RSVUvV z@4U|lty}pY4{Me7YMp*qKTatLsWvo84pzFi>HqZHPJLN_c|LJ~#C7Gy-VNzj5Rx=Q zD*e{Po*(FdmytC>2y8u}w0tJm!-Epa_1NUo4VOHQoC}TylrxDB6dE zNV_&(8mGT0>~j19fkk%!N0+0<%Ermi;3q38ot)%dJJDq5+z$sLiUA%{lM&6NKkpB2 zQ>b~rv9!HZGXOIj5AiKB_EL5LIDg!f`IxG>wXeZ=4VE2=UozgZW`RD+Hl8b}Lq+oO z<+4Z)^&M9431u+j8`GInrw@tq5X~1HA;$hS^k{0@EcEWxoaXXb<*zzC0Y09Iv<*MjidjbTp!8V zusJ+k?Aq%Yyt5(uikj7B)pWozC*i+{zX}zbGfCUpg5yA)bNt0B6gG)nRy}^jSTHb@ zFC|q0q!t&TLx4_#?-x>~EFKg`#rZ2aqmY9d130&-HJWOCPM788&uFFt+M}LHi`_G0P)`p5d6X0B8~_u}C8ee5WQ^uY#|1p+X^z26K>5=kK2PZjiCaUjnXQ&ifd#5F_1!g< zh#li~M7V)GRVX`YTu+G&_V!Rx<~ygqv*{cQwH(!&l~mMM+eoOSZhHmE5IXp!pAMQB zh!NTiAvtmRr@=HP@4I;&;gv^7j+Z;`Uk75y8O{SrnbgX)DTBMh z!^2g^I<@bQ8_#}xzrXi%vPV|4c>GXPXudoC0~-YC2>W_|P#I37gJ|Eg=hp#XL(ysP z6}N^K4jNC_7@v{lFkqVrphp4D6#L9fR#o`bE^K|psHh@x9tLUlpIeiGsP}sEg_5)+ znmcfCci3;u7)#P&(m65yJeTdW&_0nZ|JPvTWxnBIsM}M8<2|HH7W0$OrDa_fxQwrVE~)hZxNgs{-JqX1hldeUrC6#FUQgr zl5XFu!nwnu8HdZa4&Dd08{;f_-=Tw9Wi#pkzz;FQW^RSrO8TFwg_Q*qVnUy|*S<+b zxkf^K+RADDhwOC1+XUO&xm6WiryfrBipHN$xaLW{mK~4x|Fqq#_CDTeHbOviDKUHE zBRC>vU4Ty14u3|$GO9REIk`hc-^T3#k+bGamHSLkCH|Ufn}VF$<8tsIWiY7;Ern*_ z+Ti2kCn?$a*@}r+Bh z+QqmY1lCV6)E9kP@os*R%Ss=52%O*D-HkIbO&vuv6ck?M9A1zlI-0;}%DwhagWn!GOs_4qrIYDN~M*)COHfT~WV!pvML zY$bscJME+eu{O%(?UM*HF_JYzCS_BWx#4jm1G75kxOyLFZEx!J8|G*ldgIJDjA(t; zLv1(I)eS$WXwguQ^^7(SCb6(BjN-Oi6u)-;$s@Y|p70~aCfNp)z-M{`FPtnqIbXy4 zH(PxfSNFF}>g|`4!yy9(Wm#Bq3tHzxfoBvrm2xLOG;p@r!1OSKnWPM*(@L;FZWKOa zlJcHm%>Me17wMxiDn9w!+JS+jnw3BOq<94B#mb^YppcG;n`T7sUM-;9Zv)A0`62=| zN+k?^9*z7;%#=78&Wg$~7P?WtpC7q&y2xwJ%&Svk(w5!M9TZPdi=qd#b9g42tbq=R ziBaGM&o(_29KWl7-m@}*l14GI{Cj^2l)G{)_$mj}8mX6H* z#pas1S@^#l;IhP9pw#*4nJ#C<{<8aQ+x$iF3q?Xe0LlIWyM00%s-U3Y{gEjPf(t%u zK#p6g)ZUY*)={hX0~hG?4#ZY;S(Vmx6O*gfKRv(*&R0Qy?gkta;3wHjk{oM=h_^5d5n?@^at z{E3Wi<9eJtjn7JBLlz(5kOkE0z{@BP-_iDpejnel_X?2#6b2DQc2D|XdWTGy$nO_u zsBZ5~LTPBo@ju>v?j= z@*f3mD@p_xzSli(mYTgrykPnAENaHttjOh>*!Xkj)4ONP4Hhqlj*+jn&oI9+V?l92 
zxXDR5RgL1_tQxUBQ3VA|iICEt%FWZBR}$t$A@WSxC}hsQ=%6*J_#%4$n$Ykj)zsFtQNByJKzTo|wBlb-lz|fQJ1rjpS|0<7yjcINgrwWXIBp1} zLo>)JE~)L=EpqEon)ByzhI3}0Z?2Z535}N@?rm(QwdH#X87BgK#ZmP-i%__i&(}9M znmu*paZ@Jm*-~{F(RYzyXTB{GrT9F{l#eQ++Aj*7*!9X5gtJ523VnOJngjX!3Nb8= z09YD?w1%nvajz)Q6mnj*-vt)qA+~m=m&okr&Z^b0oXkf=eQ>paXE9l7Ah}pmKxHos z?mtgRYbw8qd-nfT?F+<3lfU#XwYecslRwyBGk$h~@((SU^;)Qm*UQcD%+9+Imua)VFK|l)=zo2< zxW0PB6)n>N*8lt~lt@ne>&CqA?wVIzvcb4wIw+jX~lcBPUHCR|i1`(usQ{sX0{v$fjba^BwrRZ&0zc^!FYg4s! zxMDLZVVVqzt%U?*^jui|ZOaLI7^uN3WnVKf$RU`H|n(H)Jds9C8R)`ek^Mtwh4MJBB zVmGVR`WM(3Yz^55@>5_a(BI~R3U!zdhV7W~v`Y3Joo(++3Jc$MJYAPs19bmDfO6?E zA(!@_$5{stc*+ut1b&`A#x4TROCd9Sb!x-Y-ps&YZEgcD0?L_)^v9-cRXTc9T6L*O zP&kr6Z$pv1e0h~NVFFd67JYqb@Phq!G#NFKeK4c-AJVeVqlbej-usRrAqd||WlVY< zA>IbTzSc^E7prHQLZt9wgPX&S9#_-;Kfh28y=c{UeGsEhy|vN|#}^x%r2Z2GIU znIo9J`BwnpV}6YsM|lU$SSP@CXd2pg&KcT?cq+m{4*YV2jf|iJBln>K;B+xaY{jfA zNE<9*$ttmnsW}D5#A@fpCCQ5k=#JICE6Auofv(~OtciK$?^Kqj7o4RwrknD{!NP2w zSI3d#RpS*8U!wjDMRAERv#|67Gti4Qh)7AJ0TR~@LWO}n^=r@(zL5kr;l}5=e{-MT zKgXxRNC0dME}H9{IqktLM4>{X#!Hjp6xpk-Q3j&EfplUqQrm zNBou&k|bs+xnxhAD7d#(NAx8(-h=1U!N$37Zx_+U_n$((fFn}*h)k>qd5THz3#j6m zt-qFL_W;ddTzu#XK*aiF+}Y6as`ik?q%C@37}?y+cX=>JN(-p|$;!z&0;;T#=TWX= zz+EoCZ?LPo-|sn3bb!IG?M_>=oJI5VJY5Ik8LqPnNJ91lDQ9i(vu8^8^mCe`NCe*E z89vgEWbmp+nmtBOtqI;N*D|0ShhR{C8KN&DC_Mw%y5zL9@G2@Qjq71|3Ag0LuZe>| zFuV#T_gv3Ql`b*zy;rN2WW;OQH>2oNEa_4Ug$ zY8sj2KUSDjx@(%vmZ_cs5&~Ug(X)$DX27XzzR@wSA0zb>Fq!~5dC&Te7m#wCqnq4y zM2EQ06a#Z+uoU_2qV`|u9ax?E$TT;j)J#msuZ$qrCrIfwqtpI!&=?@K2^aSMi+4Qa zt?W2D_Ozwaw*|B04d6!BAR+I2HBJ%}FwoRB?xq{>`IN6&X@HGlga`tGF6CnfHsxz9K!AeSgq3w-;~u$ zf0PZ$j)J(ftPks~s?zB;v1JrtWPI@n{^VukmATm8+=wVYqQg=nOHj!i<>uyL%!|^} zCmkwe@--nYm{`$crDbwhB;D=>4$kJw#HXRFwJEMS^W-lt>xJDl8+HT$g&;T}NsioT z6+m_IAENpK5RIi36*a^;I5}r9vO-UsyHU8;fgx^oPI3n9H*3wVr5k*~vBo7PK=YN) z;~9LvtKg})awJMBGN53A$EZ>EMQ{5~T|gp)BRZKOhU@`cO zzDU(cosGp;e6RIp^3dZK@`e1{TEvu9;eT#}U254qR1zboDEV)%4R%!cjam#%{TBfpvQ)8|I|LfkNtIKXo)b@?anw!7L{T??g3pBA*};pu6N@nU#`~Xh?w4p^bhVp#>E9}%IY4wo;Z(OQ 
zE(vI(Ln(Z;8;6`j8B!GcJd0=0xzXFTCm;?bBhb|QihZ+H}fKQZ}S%Gl6Y<>7Leyumow#of41n)>CjVyW)> z&u7ssuZ)6{KH!Dximpr(bav*5y6$#r^j7P9PcMRM7VA}?0p9Uu<%Y+dHupvFL&qbV z>k}|5w+n#MmIJ7q;pB>n;vreX0NE&1io`>W_yP=A98Hne^`WXcZq#Tns(s^Mmakih z$ukRSoChC$9>4C;IDPo{(fJQF;F%wUW96jqpfYo6x{>2KqnIIb1@jv50A$scU8=6- z?A{&M@U~$RIVB_`?J+b5Q$;-;O->~=q9%VV7}e5&T2Lwtth`PavtX51msl|u`;(7^L!PhU_-2q%t{>I9+RUU~5+QC5Sfb>ttz`q`&8HPO!%2uzEjZ zMPmk4!AS{29@0bWg}k`6{?!+7By6-+OOo&x6~M&+eVQ9Gettrr(eIB%qy36bum|*# z(P#>**wu2a1sd-c6!m`KEJJMY^{)gTCG;xh^v&9fFs~^uS`9Ei&gaD}w zugrAcf~kp#*!|{Of>mArq0KazhSKxxbO$*2 zKbJPnngX7JT}F9E5_Zbgc&3A8ArrJaCHaG421BF({0OEld9G!!qpMM_ddZ>>Iax@i z3YS;3BAR{i(vASNyRUgGm4vkI?K6v*O+j&y|A|XX{2l;{^eh_~&`G6DJp~ts>ZPi6 znwB9?weqWN;oWnp#k1UXISX%o-Ekiq=Cnh{Q;>03R(TpAjzwsM_Eoc>9Ck)J0H96? zo^I>S<8sA-R-JfX9^ak*4JPGHtAiIYt9*VfJw@IP(q^xtfp7EvFYbkCt?$TZUE|he zkQDg_iFivX>kgYejLSHi>5d9_Xmc8mN*%6bKh@^EPseLj%U4=|Xz&9-w{gDM_l{lW zm#}M>yq5gkN)LphH(xhuEGHazo^LnW_GWuzhT>tbPQV>gpZl$-iZ}ZMvcWVDIxKd| zsX6Dy|B$O~LuUac!alII;XtQ?TqFyudMDWn;%n~r2M2i8ZT>O@ z#4@maYQ2W~LHA+bIMlFzX{aFBm|;LahDP0Eu$nEY)JSkvD?ma=akQy@WH-wUYU5W* zGL3WNoUvn@JyqY-{du1vmWz(Bs4H$-Y8?3tuxdN)em-UU-vH##?hM`{54ifDm})@K zou|q54($?c=!OH72t_`f{(6E$sV^UrxooFekn`}&Pdo#x^*(h?{gTm0 z*eif$*tz!XR@!`Q^;=Y#Sb50rUn$xOD&Wp5$FZaj?`9Dh#uC);Ca{}J+QKA3sx9?U zuIjyXV+-H+{l6p778QM|;pL21V0avW2^p0MkY(_xktra&(9l;pQ$C=81l7t;@l*l7!van4v4SLBYXy4}_mwTFJXma&!{!P1~8LwSZW4VV3V zzt`#~syai7{@jVN>Am)SJ*%(I%36|NCJLt6b^$54sIACvNmiMi-Otd6+y;(K^R)0I z33fp!n>Z9FCnvT{4r>BtaL8h_Ys)bCGR8E}gJW{ODFYev*vVA7I~HB6-OY;nfk~rl=p9HYdAD-b=9< zCGrK!5y)zn0t^u zfJGzU1BgmlMKKb`!d(6Z=+>3^#05N2bp33^0-necb^|K;8qvg%8$5pqCArtXQoiQb z6u70|`B<&=6M&C2G?2grZqYG8gsI`qDsz^vJE;UvN-G1i>rn|7N_6Nm5(23Tld7a| zW1`ZF%n52TLtV$g>NPJw2cA ziX#bKO=(v;^Ix8%kM@dmousThsVV0B1MK2Wgg1Glwakq z{`}Q%t+Ed$T*%cCqx_tQf}*i#8xn;`=}#cnQ1q9<1iMJeuCmK->*e~VE|In4Mk7;! 
zsSN#+?c29+xvF8Vun$*Le$#Vv8=B>^MJ*+5P|M*?WmE_m=oTrmnT1SB%S z0MGc#-@pqZ*Lx99PrmybC6%IM=qu*}67wO|oaeiX%KRRv$^)^|wqv@!gOwKUdYMcg zV;6tjsz1(1ysl9O)c<}Auuy0KP<8btN{yHpmM<-taYn?venUnI9VRdlyaMe5*#PyB@4nwl{5ng zpjkYiW=B_VAV6KZDtY}MOk(BTYv4QZa1Wbt%Ma^l%qL3ag%eklQvr(Matg$vA&+O~ zG&{tY<RF*<9vD2xh4wcRK zjymx?aF!O%ZP5kMns}jjRtF*zxBop$Mj!^AH2hZ%87w^9PigCU1(E_L)qkHegwZWu z-#)r<=`Q=yuzaGu4pznR4%+x|(o6AyaqCE+gNM%S^Qz#0fa2eJDJZ6-zDnBkk2d9} zS7-rtr^@p|$gcA_vvYH?*ogzB+G1Z#-Hgw`BBa9UL9*V z{#g9r5CPyHqVnRX&kPJP{qmdEQ%lfPm7g+#4TdZAmexY}#&*+9>q`4AJnWCIRJHPV zQ6o}zl7?!m0h)RdI}N8K>zv<;4B*-(sElt6tgIL^GBOFDOP+`d`6f2vO8y7qJ&FS2 zk6WkEN61(cVa&NF#!Y4GZH&g;lENI?PyVSdh@1ZIF3UO_Tm(CE0<8bcV&Q`)bf|rm9fH)9VS3R>?L^o zA}$_4J}@RvSiq*B5a`kGmJ&w4jLkk>rEIi0(D%DPdOi0(_B5eJaiYVsMx~spsI$9&LXbs~Y?)DWX3=Es6A=uMcdYb4sjF)J>n zIq^ClKqISf>tKnMp~(D*L0%tYf^C-MpI9S##%Tze!3u>7OgEkpbYOU*m(!&GB@`%H zKw~a0DM7);hbaPZx)fXs@x-P=OxW(ii=nX&gG17zu?!y~8HJ=xZ zsG3uh#Yq`JQT_W&`&#NLe}yYcf5b=qCtm*NgV+!Fg;B!leg6~f{$Qe*iRR^84Pin=@fz zVJ&fFm5vg4?9YL?ij9$mUXI)iO?b^>7i;X;hlc4;8SZwX3E4@w*S@d^p%P2(DVzM+ z*(qwh=oMSTN&6=)1Hz>tu$~5%EH)i}GG&0`Iz8=eoev0sQlx=G8{A7uOT~0_2mlx{ zBGE=Orx=3Hg*5L#KB=Rw6B*;H96`i`RBJKzHhvS(jm23@=$1aC`CreT@AV{299$l; zEDO7TaG;{DUf>xFx>p9jT#t>YX=ns(4gWuMy=7RH-TJ*PAtBw}UD8NMNlT}MAl==a zA`Q|d(%m2-A=0IEcO%_h|G9jgy?^_|`yT7?@Po^BuQl(Ob6#VN^GaTue5WUAAcG2> z3ym?!iObE6i@k}RTb4y!&q(yLapldg3@sHrkTjnfPD9tI?n1Vh8u9;e3dy-zajLBSJ) zn7FK>x+ycPr06c@zL~=9-}Cf`6!OF)9saIbUIVHh)^<$**lNAlBr%(jl$1odu21M{ zrxSy;H6&szPJd~#vDW-ynnIA13|E#UFzBAm)%XRi0)9k$5F7>DPc)y~s5~23OiV96 z=@Rrwg$vJqXYa^{RMpuA(LP@;%cm8nZf*g_1fS|1#;ag#NW=1w3ZGa8yQ|DY%y0VITNS6?d zvRSc&ma@>>7d4{-W05CfUPj2pw-JMk)!RRXJ_hsXANIqbW8;emJ@CvBGLMwu?$7Bw zi(nvV4ap4ig^{A?oNq{ite`BRC;KZYmB|toUpfs z?#x7D_A;?>(N3(Z}Y7@^`#mA+%0^HjaA$Ub-*&A)H5{|4sia=wyx zGeIjF$7ZpKr1KMs)0aJXIYSV{3q3y%;&neJpCP6N>#c{otKQx^+DFQpB~!} z$|zX4xRTjx^*MISKW?l3sorKuK&CW|_hZ-6KZES2}R9qZKU0!1f0y5bQQhd*O&$p9N`~}t*qt(Pq1LEm$@utD8*@POh1dg1w z)oyk#Pkj_SK35kS?qB!6)$USIXXe`-GAPnCe3(#GTm#V>DHD_Y`RRPA7}CbAG~rTu 
z#Lf^jw|ND|Ie4hYY#!Hrb8KwvA}C-dBHFw*BNk+3MFUPTETJdwfRj^$UO+R!BK5mR zOdjP1f3e@MlerZO?dxC9+sRJEG<3qnBKdVADn_yb-r&c@rcbN`r}`U{C=KO@CQjOj@PhAqiVo!VA<}T3j;x zPXR{Th6CqX2#AOlZ&WTWz6pEw9)=Dkv2+55q1c9xT?Fk7006H6H>=3Wf zOGp8FawqYfUN@)+_{==Bny%=cD2_*K9vV~HCL;nI680q!ol90Z24*`9V5-X@+y)%j zc3|IhpGk2P{ktdJf;@qU->57fB2;mi-Cf$eJt&>;+yOtmva(Y3L#W&-KuSwPuOC&V zbJj=1#1vlV8L6TByo)!k(a}t8=Vw{^VipB0Mje zXo+k)LkPuTl%lAJIh(gEkuBAS&13JFBcj3Ak=({j7Z zgle&b#M&a=b;;jax<5}400axf!VDg%C{J(|trlkby55s>Exn~HVqP>gg|cK($0Y(z>Q8)dE-J1-5Q&Q)G^RUt!@()#X5GgYQl z-c*~xC|gj z2hi-Q7RYsjxLkxxJT2eWp7+oCY!Jp00{p!EF9W}*Ter#dn8Sn)zKyfnF7R%@)XN~s zF9cL+&e*{x&&gq3s;}!H#8^;r)O_T7f0lXGWEH+1lNkWWxJ9=?@SF)jU*>yMDE=-l zAv@TNXR+haQX+Ik-gJtXN^YE^G*$11Eu~{%6I(9aY_(8yJop2B2+=Wc1IJF^euRZ* zRQVM*797EY$=)aKYs*lUhJr{f59)(z`OJ~!-0TngZ6ibh!6>m(3rk2M6D~8rAKEkon4exa}p=$V^Dc z%1h=n{iUS95W<~>RN3}OSkZi_tzPH6;}};W?=o4|J*{a&hKINQr@>|(bu;^@aU?wG z?ywo}>2|uaWP7Q#_dzoGl(o^E zi#&dN<*)iNDn_R+@{{#66dY`cWP|^%a}~h6=mIUSAV3Obhgi^@>Mm=qHP&O0H|A>N zU&l;>!kr(UAQ_uCkxBhUPN>!~;`6O4TuFn5*xz@*)!ID6@&T zR0-0B!O)L(OW(<~y17M^i20N+-Z;xK$Eq$FCUhp*hRk6G?v_z*E6K@8yO#lVeRPUm z-uN|G-hP6Rx&pS$G1b1#pYKE&C#!dYf}C>v_qwevX{FSZy|3Fn)y{#Q->Nw=)zO_i5K(-eV8#qHbKmOnQFARaK@ z!zt5#0~{x>@!uvyuGZcMb?+PoS^U&5?ol6a_Y7m|r+Ua(%`#kgWRlwK`Rd>QU6cNV zR5Wz6DX00d1E?gFY*0{&=zmG+Rzs9j6^U5i~3PL;-*4 zgL^$amHkZ-HBhRH+(C&0juy=yZMNl82wc1xmp^f#WwrC7D=~A4gua~J`P+T@YL#`F zz?n`_C9S{#o+1|I6Jbz3-%y(Pv*X=Qlf2fA_dz9^;Z{sPB&Y3u)6-=D_EUzc^ZffC zGq{1E!RF7qqx8OtcWvq0g6#pE!xPekQ!|I)3h4kanS6yAhTV$h$5oGKtd^i;nO@7n zRC-$|N0Gj~feqRR#Hnh3bR6MJn>ktdg2*UErC;}|bo+Z%Ig4z?vfq=S%c0x^Xfft= zaxwj(xQW|pikn?$CF0&_fBDHb;TI8)5pdR&WHdaneFs*K>y1m)u9 zXNOQ>+K`>yf{g=zW%v{q+{ZNZMld+y1&xdQ8}G8X`-B8_eb(Ugw>l|MRv5DxlFHBwA z{s4i)MiPkad-r%$imbUVz{a<0SqC3+7jR^x0D5E?9Z~VNwLLpGH;P2DQ(7t0_f{BN z>YH+h`4?-L2c_NlhK8UO6Juk(sa#6oeBY+od5_S46db#{kyIXO~c2@F)!u>AQtsZNKW@@uvksU2(0y*tN7H#`$!zxBIV2&?H_7PD>S^O&J9kh= z^%LUdre$)nI>6Ds1QP1A;t@NSmcd;^qDP~|dvGBaO3p}I_=2t(lR2Zj&NBeslt*cb 
zZ#2)5YKpiEPQOg;IzdKB66*(5w!uqDr9aw(9?EdkIaX*Gy@p089G;%Z{s$>!O6MCDtct|fJd~r#d_69cD z&!uqa{o-8ravT}_bgt*My}x=A5LMM*Nb3e#smLUxniZ2CL<0Bt&O4i=S< z4-sGc&TG!Rg~|tGmf^_LZE}#E z_kmbDw9~*tH4@hDWG#Qgeu7@!~E^iX!Y+nbNo|^`e_54&(u& zxkN`pm%-L%eVfq&hh0=LTyGJHtcaer`(TOBCN#$whMP&#Ye6L3+^Bc&Bq_`Bb_D6A zIWklaPmkZ@S=|d%jYZ%+3hq=G55*wcLqy~CPH9l_@QH+Aia27fWBBW|TkoIexVhFo zZKYQ_9Dd&}(jKC{0FTdRi&=LMfJeh;H%#HbSqXYt?LgZ0ux3sCyW{%RM)y8S3b1wO)0IliPMmMNf0J9jwc_HAQ@vfTP>`o*sUvT$!i67Xp^v_hc)(_o zgDF2oqlg>mV4^fxn37EI-w3k2tr#w^H5e5oZ|BD@ybvTg8)`ui?DrNyn>u1ifkeAO zTN54iv!fq(Utc$EH|`IZB2iF?mJIPt6)7lXgq1pwyBQQnMsdWtHB_6N^-^z8dC35m zVpKHm*TbXNyA8{}V%4I<8p%4cN-;dHuRZJ#OOyj|fjS>(V-*!F&ntBMM+}Ed^J?MM z6sM?3zm@Dj5Sq}lrN)HVR&J?ab1MU^w7x!j?#NfMP?4tiNVwk7wZpd54K^7e=fI#9 zPyswM6BSR9G2d~3h`X_|f%|(@3wn`F2hlnrH4LKvnnBd5~v zlTIj-9s=@=1MLfwjgpW%D>Ufffe?Xd(m! z()@CJmjzYfnas%ax?4x(U_a+|41!5TNW`6q;}$%0hFEOQAU#IKiY~#J= z4+d(=%9GTQDNTR2gpINul04UlezW@C?wEaX9_zO~Tzl9=A>vVTuM8{cEYm84WV}50 ze_1H=2{I;MQudSD(L-*u5fjKG%7oNpTdOaYyvVv%OUgo_^zumbv2yvR*%NBYDTjVZ zv46&lX8CW_h#28AY!yaEE?9NG?wN*HSm~iflbE6xG=YTJGAVK5i8STLzTw*8!pUZU-!1Tibzb7NErR-YfDb_kyCKg?^8?3P#jfo*$jX~!p-VW^i zf2^jIyh2<_yGIJyBb(}m15NN)qU**b$%5v2aGg+GWLbr6*x%Ie%mC1C$u zgR}r2X~`>knRHi)pG1g7g+!k6_F;M2r40LO3jCH+ERq+u`BizgA>{>xE_t<;RF%F= z-JDS`kR(i8DJ~CQ`~S`xs?1oDR)Ue~RxEtm)EBUynsq5h44e6kY(w2No7R}Hhb|*f z3r3-R@vpoQ|yE1H`I|mZ|8&_9c6Y^X2;>rtT zew(oKj<--=Q=xV<1V$TIfTN(t1LVFO9D2K{Z z^jTF)OKbOXAH6T`^v@sjhVfOhm)5==SHh3iSXJhumA3P5|JkiUv_Kb0@gV_X;B%Xr z)RJx$O#4xVMQmyDIJTAJ)!xj{O5fL8Z==JYE~WKjrf&@lNH zp=9S!Ck_`sm6SQFjpG$^b3tQ-XW>%VxHVB0sgDz`bOP615f_PTbdG^YXO>?kqV!vQ zXg|Zs)#~_IVnJetQ3eDQM3-N)2ga|}Al1lKU^qS-32fa~BsaXuuW{n$F%}qsg1P0R zF6-fcNI_JP?SR>N(5?Y3Igq+fTC`$`?e0!mcm+$8IsVwBFg%b#wz{H|+v~Q&!-u~( zi4LN^N5y6}?d5*3D-Rk4yVW<>kBTU@&8Z?c{GyXbJK$}R(~cd8bWK({6+~FiU!Qcv zH(pG&{dZ!-2Re?WxL9-y0(28Bm$0y6EDLQ~(_+Dcl8A!hHm)qoz~CTGbq3$rHSMmg z8&cJ@Ms9ZFGZc^1BAOg+AA2%OdK61t9~kI;jRe(!@oyy5qBQf9YYuszh%rAN^KxR0 z62ij4k^dAXe%#Weri+rO{D={Xd=%Ul8W4&cEm75WrNZKNw!TM<5A2QG&D3ek+^r9n 
z0t-D|5PzS{(H4_T!3k-Z?RM7geXjpx`Fnm2eg620=SV`Tt5KRIyCrPx243^P6{+_8 z(oKU-*!);X*qu#G=KOt>QH$%hDzN*l@Bh^&?Uus-=WM+QiJ69!P2bv52WNh843Gf zvy8V%^K52=qHs3*2zgX6k<5lC$w<1^Tss{Kfek#RbQ$px`IOLINJ}eqz&Zaz+oQCM%nAQu$>_%V7pEZ_&JanW zooJ6;juJ3j&Jtj>T)PWBBP+v#`%r&=rKh!c3ep5E%P ztQ(X!K?l#-KaSujaNrp8?Toc3FHbz5c{33ipKTly+g2Pvq#kc%&OT|<=7@dsR~4B zk|+@~@}kIgkUwN|G&cI|r*YxL%b~D8vb6b+&cbclzh?d{{gs`%cJ$?sm`FOXr~oa_ zf!*kdz^w`Ah3J8EOxe6bV=cOxuSkz`DKV|(?=+Wzp}JO5QUR?D`wqEY`%;baZ2Yz; z(FYQ|&A;hBC{}Ru?$RiY?e|fTGd@y<)GZX-AXMdL8YMaIEVl{I?M_V8&vGq$jTgu> z^1(I`^V*Yx>VDeMh6$3Zr*SXiOXhr=n28d-CG9legcQLO2ZAx4cTt9q3{c+guo7;N z{*#Tf5d;4;e;mI=;_qK{E$~c@K;=K0`5$q}0E?r^7W}Jg|BV@nxQT%O;pRS2Bl&l- z``0hQj{y<&MmzthUof5VF(!6H@Ryvn%b?;8H!h?Fxt5?;g-WKM-#UjM!oEZm?V3%6AUw;FCo$+X|;uZp!|2sm-W!osASpG&Ph zrWIt@*W&^&@AYMKWwrODqxEb(!KTUPHw~3?mbkfTUJK3)pS`Fp+@Y_uzFF_ps;$gbq&=Nt6Lb!&cieI8!&!r-jB{Y_q7$u~j@ zsBC;bdu-F;uPC%T0MmSYauP6Wt&wg9o3HVo-~DF+GMWp+m9j&R=4NsHm{+V!Or58j zvM0MtthrUx@BzvJp}PbTX@p4Oj^WB0N~k)CD0uJfDYk|LVREHnKDD(8gUT9-c%7_} zw^qV`#zF*qYU1=t3fTUjiz`M5VP1i*4;@!|bAD^fXa@ULz9Zf~pS9G&_rJVJz)kK{ zQ7uH+0oWbzDD>;tDIAutx36mI+4ZF@DLV!C;eXD=zc=w*|Fko;+WuGa-O#(*)*V2j zt8&@HHF49{)((#hvY2VL5qy~<027OmJ(C<8apbETa{kL(li39U^|W&)mLY}LfEf;r z@Z-;C!sk1$;_5M^rS~_?(mk zAxZg~8Q)jP-_M+knpUyP-(Vaahot;VVb{w#8pU^W|B;~o&#&tK_XpZQj;iMCOA5%! 
zewxh=oNr5ZKhKzv?=siXGYv?|i1K(!rLp^(+eK2S`#EUQToTWORE@y>67+Z$2o2L$ zxD2Ng^gL}cP}d7dpPeT6>X>uXZbe#LvYVWZO=(|6P;f+JN~>HW&R9q7=<{cE_F{9I z=&`?+^nfXdvx2)wCKFX6OAyh}igxbn)$s6euU*??65UGWTzNRtVrD0k_U74&es9ji?+5;jT_xa7G zj+D2JRz4$2?@TMosJO8DDc>|~6_YJ(gZfXW%d~DOBdG5n*24?M<^LOCYyxFD>;n08 zS86-ftG|iLl_H3zrKp4Tm0PfgSILZS)bc{zWs9GIsF21>osT3$$?tPn+WPD)g+JFC~u%2s;w7M z_ZN}_GKy2B<%cE8^GU^SFS^Qha@h==F)0JBFbJ*RSjUi3YoSPpJnI(Xo`k7?I}@6v zfwPS+^Sf&erjyNn|GiwQ5K>v7sd}4&ibVKa8r|}@81#t(_rBD>-$Du#^8CQG`JVg^ z;&E6kCF19{th}oYQZtd@L(MzrnYtL%FJY2+Ye-#unp-8zi6%R3+j|u;%@oIP>+bi( z?Ut)cA|xxP23B4Df3(*47i~$##m}q8@e?Ho`eYP)(VF41o{IQVc+S*5hJ;Wh^fAY) zp^A0y`ZCyvt(ap?fF@Pm=c6H(7$+wuyxU)#=IhCKSRl8#2;Cd-7^m~pTr?>;kU-ao zc;~eUI!<_KF{oTwOYKJ29oMRp^H3t_xRQ!^zo!n4I_>p+!BS^BsMjU_34?$nyq!U2 zril(ExZ6ZJG(yrDb~ZbWn=*q3S%xCVvO-E>O9*sxg_^x&kS66o$?cH?O}i5)i-G@w z+5tt0qDZ^hcV{~E=O}H_De>PKrWES;AJ;w7qA6zuGXKr-$D zjouxA;>;Jy>eUG1Pfjb`V7vZ;F7q{#6@BDXN3gKr#V#;e4s;!_Qn6W0G5^Z+GYQEv zTdXpGnKh}P-mYEj8yw7KN$zl(MTpQuCg6ZQ+tLM*NLu%g0ozYN>{A+;rQv#-Tq#0& zxV`9=q04}cR`>d!M5Jcb3a5In4EF8SQRUFPiuc7^*hEB9?irzA->S3Pi$cKp18=?7 z^Ma9kdNjAUNF15dY)H+B;Hh^0!2R&MS^FIZmE=l-ssgvhI)J~wQBa7!b#Uy)Ig3?L zxfmAyko6U&cbTV@8`Msq6HgMt4aZ82}~|65xO=tsv=OUkKX zVU$&##jT^sFDZF(wcyl1nQ?e~L7uKjYY78~EW+LG5Jmpxcd!ipboF#|DTmb*!!;0j z6L$hiZ>RLqxh$YThqph~0`a}WLOLs$XudC_HSuq9{oh#R#FN?4 zLQqcAA@8HEUe9wB#Q>Bh{pUn+qp;d^Y}t>a;_^iHwCbfdxu#rG3I}qz+-bD(*qm5F zF=4z|-Ko^v7`+PoMmfRPj56{A#uNA?v^iBRZ`_NRD@|ri3}z3G+>VzPXqcF5s`u=N zezkfHwQess9Uh(bhAi)eZddPr@OHo=Ard@fiUMSo0XTbH1_p)!nj0n>a_~Yw#{BG0 zc${gz#xnAO_EI46OWT&&Z@j|Tl2%WQp$a>8{XJ|YLJ565NkWBB!vz|gmI|+O8glRs zkG|N;?S`!Gh~qmUOY_kFG^~sLV1ZAGz<)=-`m{N~&s8_?-|v7ep7_yx47aA|GZZ%m zhsuQ*2~t*#DXYL8JKBtq4Fin4$tDh3k>O0*E4#1oS*XdJg<_UAHWIqJ8J?v@f1Z8y z^NpIjl#+l_`}8w1QjVIA4hbEQ%aq4CPhRg$Js<`LdkGe7xNV()CSJQP3RK|GSivMh3Zg0ABInR&BaMJe&bP4~81`QRJ zn7LKmQN3YzEw6KtyZgJ@B+Sp?g`kNjErK$m$mxK$#VXRGig;`FC_3h^HK(oYbb{oZ zzPIW)ewm*q8dZ3%OhM6}CsUVGkWH}s)jVKuB806OCWBKu%a0c>%%Wdf{%f%QTLNzG 
zH>_M18l@zeAFkn0Oa%@jQls;_b`qGlNgW)<)kI8C81J&8ySs)9Zt?W4Ytix2KcbNd zy)ivZExBgKMSAgK3A^{;8Fv)ujE6AM1Z92}%JJDpo(PA2^N(^?qo!1|HN!i}$IV|_ z-@n_Ijj|oK2l?Tl1IFhA42p$`3C$+TZxyJKRs3T>8M#d^0BJ#sd!uXu4UKlh+Xmak zK;357aM@faMtC-x_6kF4;jyu7*6Hn zEmo|%jDcaYvu52O{6B{u^Ro$E%oJBWy|8W>bk#mmKp~z~LnrY!F&7m$tJW0~u5!gM zTVT_y`4yqIuc~5@7RE zf_F8jWO}a`o4Px8jh$V&r07R3aVc2nTk7Z(mzU$5+4npv5A$me3^t|}zJ!t9sJ5`E zRg>TS`7^7DD85~U57E{#^H8U?VOsuZTW2}>!y}XHK0SIyrEaMPR6;wOkdVUjhEJa) ztG1lnN8jvA`=@2Lp@7cK4Xd4q=MmM8n@3$2>ZKY+Pmh#n(pyCPF}K(2VmImlx)u3q zX{JJ`_nn9dZ+Qs^;wvPV9dugz#@L;8wk*Y{lg-Ot-ezfomZEXFGpU=DKr>pTe6Bq5-E7W!j(z>3iZLa=*iS4q&eNT zQF?MZQS}~oe_o#@O5OFVcX;~|I>yAbT|eu-7@Io(I`cNoG#n;fbG*;w;TC1)yHj#e zjO!TmZW?zR-tnf*FQ?&hYWW=s2U)8Qy&7>Tr9GRjgUZ-7jP2p(R#&!Exo;k#IBDtW z7FJqwZ<6k1S>N+kHqlj~nS!YXUq@YC0_r_l`0ZSs-_LowqqAGN4^VZD*Hs98gpZ#A zic9(P7&$!m|U zQU*~PykOH{sk7kb@M8BUYVF$K5u&>@$H>-Hw~qdplL;AI&pCiKprqb^U`$ zY99~xP*i!;S6%k*L3cO}S4sBmqXeG>UIZ#AV!h;rUeY08&9W4|uA8p+k68`&F_`U5 z863+WwBP6xo_P8AOf7o%L%nse`&J0qBi8WiGop)|8p?mBg+9o%(D%VCutFY6+}CGH zZ7IV4R`$iuotyne-rGvO0($SCqG4AD?G*N^{@8m^i*jZ#3g^!A_LE}~FOo?Nifum@ zerF3aGzokYgaIoEpynN1`&mC8D)hdcUuBOSekx{1uB8(W|L}Bfu_4HZEmKLocjZD? 
zY%_n_4xe08GYl{h-pXVL8%$Y%JZCx?ql#37-TRT#Y^4^B5r&b~=5Qf9(cuL>Pp03g zOmVNutQ!xD4NvOvdbcpv+p0KRCAXucV6d?da{x`ea2aY|lRB2N>xpcVv%5O1I0}et zdQnh_>5M<(`-AOhV0XlsJE61)j^SrI1}KIAFL7v0rK4Ch?%1T_l$o0hE!FZr{R9W*+@lxN90T+|6gA)1QVqiU^%Rg;K2efL%byjBinMWA;VlfQp)z(%C^ z?^}G#^ymM2lOeeH=l*n=Et5rJZ@Ul!CnxCZgnzauf0g>Y1dr_}g;&9awUl*1DpHe6 zRckL8#))SYJ{AaMZ_m(tQf*SaxfKoglY)r>Lsx91Q+~j!d?ZNv$j9vt*=;FP^fB z9-fC{q#OKDW863KV3c;959jhRhQaQiJ2;XuVAcOt_}Q~(PfrhZoZ|oKtGTZW@2#eO z`AC~Vod+X>jP5B_qOzY;G&7|){bRSuN~ig7&h?=Asji_e;yF`z4)j>W$Ct3sJFQn= zQ$3!XY`uq*`{h!MF)`zu{C>4u9X4Myv;MkLXvU4glwn89f1IH&q0fu+?U^gTX1Rzi2^%>hX!uhQ^@dqeICtps7^39(ZapPwa@Q$jhU=5xXl@d9`p% z2duDG3RVkl%dL>b{ABC?{(EsLsnWADX8jw-pOR-TbSIy;hMxCCKL?H(3{1?jk|;7^ zQh?5Lo$CV4eE%XM7j?cnaz_hZYP$R|8N~gS=90kQwi1YR0>oziav-zYt$;r&SHScb z!soPwznR2x2N2D^X-$vEoxzQu{u#AofuF^64Zdq@B#Hzqin%^<~R3rT6^_ zon&l50qyzTc4fuWb#Li0sMg|NU2miqZRvx;WN1W$n5U;{gx77i+cHZ#q?N!+JeFJJ z?F_dczOw&hSI*60f80B!6D|kiDZG=4K%XFO)$=j5&k#iygeu{@-M(u1RD-EjNSnQ~ zZMT}y1fO&-r)kM#K&PQ$R-3ytk2aNs{t+HNo4)}T{?g1q0HdCtvPei==`MJbIkXu) zSpo}dLYv%l#9Z^f<+D~&_-`5m{6k?ZvuJ)Svta@F*x13z#r6) z0MoV;=iU3+5)@wp_w!LH`-8e^gM~(iW6*eXH;aV8wK+pi+dGm_ZYU)$RrT%L7Zq)f z+LQ}c>h-Bv9PNT@q4*HGnAd#$!B0?U`#ss-^#C|g%CMj9fb$+I=KbFi+sG!Q>g5=k zA9P8n1d3@J8!#nveX+Ud7#O2Vw67VLEgrCB>Za6kDPFl1i_V} zpa?xyeG(^c@nb6iZNA9aQ3RylYrDyDilUGsGRi7y4M@K+kx+^WB|x$Bv)g!QlFMWM zvY_{Cpa+#=dkTipoVZ8Lo+o<$Ew9@5fts*qUsh7|f<)FhLQXRYf5P6c zNA5VKxm~N#gm{GwXS7|_%PiZc%A%nm5fqu@vi58Qb=W$5hC2>y(ekhJuy#pV9HKNk z3_7zw4Nq$irQk#-62$fG(i6)ur4TZN{v?4cX0KGGQ{oX)OqdMZ!my8zS0RyB@8|@B zvkvF#WMzDHqsG~nW3x0gGytkQn(EA7H(DY?4@uPJMTGI+BH@S$

q3=dVUnju0?j zMqmEEXv*>P(nU#o`(iX9Gnk*UgnI{GNhcxXQxEO+e0h=du;>73TvptHWj|NV0r5N< z1x!n5=oBUSPqIf}isQ5JH{SbdT@s4on$pA_Z=@)g*(zsJV zG}(Hw_i7Dz2zUk_?$2I)@!VzD^<3?Uu|Mff#=km`kBmf)#Alb&1yxb1bLeBV2aSka z+aOPXT3!XN6t2Tm8>PzcTiPu*TThW*-j4Sty@sHev2t^`oVl>})%OIzVpjKShgFh4 zc%RVB=6)?*j{7H9CJ6Ce2zq+lZml#0lGnrcSL}YEnwQZ`*DtLQH*$cotW{M`kBy|| zfTEX|dowUZZCzR>a#>Veg-RA#r0FM)@=NSIi>(WlIH*0Sz)1gEngcO3xXsS*+WpRx zn%gB9aab5ITmW4J0Syhl^cM7We~)uCb^qxToQZIHTpY4%QA7lhoWcjJxnNl>Edtm5 znF?zaI{CD+t-a`6%?5?{{C{ajS;9@S2q1{de}w`BXdhzm5kB`&pLhN%DM56faft3S zt|8t-^?z>-6d{8^B+2}qd9IzGot{>KPH)`b7*q==X=%4Uqn;_9S6UG6?(Ra;e>BTJ zK`uno2HTYaO3HeoPIdZo2|JCT-w3eJyNgRoc1%y>;YLXKpfcc({Zny;92EsJ+HfQJ zgY_7H4teuJa-P5m&&$ixzt~lusqzpEFOASYtIz%_ZRMhc5_liPZZTo}D^r+EZY(!9 zclF=^g_V`{!h%Tj`+w1w#7mG7Y?-cn7yYAo{WEF!zc)5%*^u zF`;j4Yy`udWR>(Zp>*m{Ab}lRW?n1+@Sz6FiF$G(UfwzoGALg?VcED1>9#WHvY$Ex#z*o3$4dv@MdHcYE-fM9BPa?mHjjgr>&69z`pcC% z_M?GD7`TLyFsUBbhug5m#yD9&en160c(c2VvHkkOj$Az-I}=|np{8t>9V(XM_^o+<94=}5HDA&)?MCI<~B8i3Z zRxvOJJl^iB%-1%l{41iZ*aPWtceU!Rk9B0oo9-ptyo_040Wlox4M>HvW6MTBNqf;h zg(7!E=|jlr8gv5gmcD%oUO@~|BtzaVD?{ZQl{u($G~15Ac&VHZ{=zrs^ZHgLA*SWM zOAoJjcP4}z0pSaa5TvdX^U2YbvGF|!7c$w-O? z!l28?jkQ@Jm_OA5f8BWX);PZGl zQtCG)w-w#{`Du4_ih&Sou&QE4%u(Bi+dC9Kt6&igjU*1yRU#_M$gY`cBb~%p?W+FG+2+N-{tD$y6i+vomsigMt$NMd8t?W}L# z-e0^X=fK92>|QNm2x52hgzZ5_lM+{hU4#fXxInm3MJc=3>>C_te|+$uKjuR;D*PH= zJZ{FoP;$6A%;+cc8^Iay+BvRzh$>4JhJ@~j0juw-#KR1;E82e|^&vSqkzT4O=hx!#xFrVmN=O}|*JpQftgwD9 z>7hO`T_36*RAK0|=+sC8sUAwMD%AD>TyYd)>9|S#>pRtbRaq+i(!eMLOBb1!u@lT? 
zZ;4`*Rq^yM+0W3iu_pra!m;Z-Hk-qHZ3uRJKb&l zPF)9ECWFTS_9Y1T!HL6W*OXvSPO4YAdl+4Q3k!`xrNHqe=~qEADC8*#=ZsB{4aoPB zGVIzIXS-@t1?zceo)CSnf21542n8)O5D>Erf2U2BK--}@fOTo}2d%gNEL8d-Pd#Ii ze7<3fKg@wMqp{8!PjX631B0Kxd?V`j;^~~$2rC-#ok>mkBns0(Z=FD zqf9t<)B&H98Mir3MM+I1`VSOFC<2Xu8f%nvA&OB5hVq4_xa|}aAV%WwUCxG*3E;&S z{vxNut&p~C^L>zB+pT<~47=}$$ zznAf<&!#te1>H)Rz&Y`$JPeBsQdwI$Y;(^oE2jiER$OvDCs#>NJ-2Ufqxz&u zMY@DP9QG&l=m`~^viF4c{(NTW#{)zJl6rr`9MZ6B11fX^g0PVhC9%n2m5Jy)P-&T4 zwPbNUqE*T8eg?S0Afb*N&9{XQAzZ?p)M=Ny@8sjPJAHZW!J#1JLF${$rVY$xFg!MM zANTi}jYx%kUjwF($`_9GaSwEK=Q z#J^`9NzA9R3F5psM6Ybg>Aw5)4G$M8k_Kbcj;2X4NKun+M-p&qPrUlT)-#yQnp<5# zJ-`0Y*Wa(QAc=ztR%d_%<$mQ&9lFl9vs-hp~+2TO3F>>WG4S}fnZ%( z=UogfCFc?@t2!MY6`sHqjWT@+mz>b;`>q}oDYc1b5=vU(1Hx0x5+)(Vm(4ZF0A2yf{qqfY46Fg! zS(*A9mqnXF{Uc#hY zuQg4NOF?bhuJwYaqG{LCNg1bN4}1%N8C#sAT=sUDvnU*QI>yb(&HX*gRnNEE9h@28 zeDotk$gQri@&lXld$800ghEtcMj%Bye;@g9GyICkV@N^hZr|yC6>XcK0U$j85PT;D zy2-24UvwZYUby{e@*cEL+p^|^_{MD^Oo>;l{?5yU0YfU)4YsqbUxs!w{gn73)drTz ztCGyJitFWK$LuLxeW_QCPg67AMQ&trDA$(4X(!>JJVu2Ia>9wlL`mF_n5$__$LSW6 z1%^3Kss4N-2`lbrqZC<+o1=f2Xsn37f#m)TGmE_HZ*K8S!) z_G2mw+RRjiAxtZ?VW~ZQ_5C8?_7b!)_?(tjVzvrG)V&we%lhx#dinuVG8mBUmd(Ta z0mI4(2V<$$>{XQDXrmij;DC5kzB_ZUDFaY5;H!8}>-u#9 zm$6?7bAuZwB``n_$88VOM-s}q@tq(I0yQF?Oq7Ov>Wv3l~*^~xjkMz+5OUX&9|~0-+*F@cnqSL`U~?d z9!TZGTo)Yk=to+vKjXIN|~0ZEMV3Dv4RMedtG7#YT0#b{L* z&G;&!oo*L|P~ynOly+<;m(MEIyReBgMb<%cq&UK*pbyLgPcX{UAJ+HR)s&?Cnu&>t z?zcOI6TLX1B=S1d9N!Hw^Gdt4=3K_*UzM27AnOy^sAUzhw!y~2Aa%D)I?V|=Zh%(R zW73o}@1tRkYpLV=5eor*^o84^iyP7fhwKnw?B^c}P!%z0FvAZYBayf;bKwT%p;=_>rnKm0R0D@(f7*+EyK zEKT_KkLmqQu>ak*%Q#lLT+7p=m$=-~&*i5_w4kih!7gz56@;^BpA&%O(iI-z5LYD? 
z*7RiQ^sf8>#7oyi02cd;Ezib$tYGg8J|?i9}$a>QD2CPA1fipq((v+D1)qE1%f5b zZ1GE-HeiZBUB$r^g>`-L35_HyTWl>X4^@def=2AXA+7{;N~A=$eHJglu3=Kr zKqn8zz^$_9ieK_(T+e=S;uV>as4tlsu3Mxq)E2k@@VQGweC~D&q@XnjZvBB1YSV*X zR!)s?hZW9LhF%sH=y3aEa484uv(bt1-@mSV5A&`&-=B}iyv0mUa282*E_z$QT5mwY z?_4!tz%A6q^+$%TNKQd_vTZX-cpW&PRMkO77;3ywak?~qr(Na~b!sMeeX~mv@JB0a zNRDzy-wwz59VU;1Xk1QcX)V8X&Cg-1!kipT6S}>!FB@P-^fMbk)OWMHbv&J50*1&# zZJpO^LYIW?R0oV%C@IH2pI4RB(&-Xz?x*dcO zI~%~u`XyL&QA5Fh>i+BXDetc|A)@MPY~jR-@ur93W`ly6>M$DjF90N`@ES}7yZ8DZ zz-7rUlA6aS3u!7O)0{S0baNB@Y2qLdiCNq-W70mOcW(N3I=8xiz6%l_PiesT7)Qd~ zyq3HhB4g>rEVDnj3m45C9N5SDhTgrqfKYth0n#?=|FQO#VO6egx3?$=2uMgtsid@Y zmvncRbazRYNJ&d~!=z(^v`8bNbR*r}{a$nZ*ILiBkNxg_JRkN)C-cBLZ|=CRbBysD z4BUWjNW>`!IV5*91E-9%VA_#VDkh_TK>u8s!Tt zth&aas?pEnFghDI4!CsEpB1uByhLJ+U6_=)oiUQ12Ahq9gtyvK2@=)bq*UkD8)FkL zpnYOJM%HYPkyfGQ9C6H6JBlDhxj0IICh#U#U*j#^YJwdFskU?{l&%mJF$EGsAeM3a zf&c@zn3_gI~r1)Xi0qfyix$B?$wu(tj%4&=!Aejx3cytXV0%W1A z8`uEIdrEqk0b>&l{>-?VxK!&Z;+l1TUI;`QpCBw$oSgfw??|U6jyx?G7)mKEf)sTv z^b_n>Pqy2A{hamN^)k*qGqHlB8AHODO)wdrRbg7p6U~uuCq|=iNwDBm_i1Vvg3)m2 zbRnzf$WHq;{lMm&L=@lo+sh7%uCRC*es;bn2$$x*F3%F6f*ApCU30u3IV;u|W19Mh z4WUZLbM%N@(qsyc8q>j?N)1At$Z4=+9k~Pm=cUXCuVztQ%4UH1R>!hXORqUWFO0-e zQR6s4dGx}-X?gPzaOAdU2?dTxN9`NzgYG)H1mbpQ#Me%QUOupiE%@JTgx-VpM~x2G zx(rw9QPqb?7vc(C%rU6dWGr8?=Wx&h<*?m@kJjp9ED!uy(?J3T7q9j>SoAzcaP6l) zQMu2J;{S~J%1gqoZjfwpsc}y-)9bjn`ocz@m>M>o(uJXJ%G*`7&K|+(b`8l^=EYJ3 z1~YHndFCufot}sxV2)L1;^i_pAO?6f3yys)FtDI3Jhf3z#H~&)5tmaW9--Y<#99mN zo>tQk(_F$6A&;l{EHd=1G=d*DoWn9?a-D6ek`zc-ksVvY!`~^)bi>Gcz5MosH3tuD z4J)kABiCz<``rG#6WS+tqbMpz+FtF$J+5{uEL{8;0pj0L%opcCwFsB!-@`44Yrb!nzV@ThTIasy`v@&%X6RQ4Zp@R z@!&uV8tVO%NIHZK#bZ^(14&(lwkH(??baRw0WPs4{NI+u@9@pHl7aYep@S@{i*ig0X(>(PC}o*BmX7CegxGjSs_=NFIc8JA@!Gw_ z7L8%#bYOjw;Mf=kqy#t|_kf>{@W^%g@#Nr?3r2@ck}{#&EM$AsG(Jz$RM+?3cwLiD z6A~(fOk;1Ddyw1vg%AcYusX!Q-&K}#pxQ^%dy82}qU1?sla?q5RNUe|D z3ooi9BpSB<$QkTD#3wn+*_hLV<-MKgTjWB}|3x&Fx?U;2qmE*urVe!-ec4k;o}ZGx z?A>TY@`qZ8LZ5twIF$H<$|T~QA&!739BHVjlcM-m5-rxcR6swCm71;-Gmjlx{le`$ 
zt`M6vjwa1@ecQZAIf(0Gt4T;WnNx|U$~Y~ZW2iXsIen3@lQp5HDRf(K*GAafI04n6 zej%4&N|@D$BeWJ)h3%aa{ez(r?;iNzas2w8CsKV_xdY@9SVKgN;$G1fe)%u>D= z)68un!wl|$f1-hSa274hKum(_zaXffIWjIdo2K@ERx{O}QR9#hecGPGBAUt!+7p@D z4#~R45Zc2NlZg2{G|3${{EEe#mCi@6mrlBCJ@y^yMP?|AcnsQhv(s0PnZ#Y~*|@2p zSmMajtaGsHB`N>5+^;5EIZ7Z+tl7l_&@)jKMP=OPW}mrSX%8Nqg0*FxJ?e^k%Tf0Z zEIkHEAYREzS^30W!?Vg+MCZSf9>>WAxt!h+U|>+2Ux^kcy6$C4wlTRP@vKN4Ur6i8 zZi305fpn>=w=$KSLpz{Ku^{A4B1a);S@Q6=WXE}z%6+JoMJ9&I5(dB`Bv4baZab>2 ztu4z)6g;0i#~Hu}usQ>Rw8GjH>L<4rL$=nM&e<$x{`H8L;6hkeP?*~XE5)4M>cKmf zgCH7Z>QgH-QpHzO0c{0Ny z#7An%+I-g%qaPnJlhu$!;`wYnf)~L^?2CoEy${RkdbDI3tTCg=ZykuJG}t3RL#37X zO330u8C%4pqIP;9<}yQOcp;MRWiOFKThXjE{qp#J_dxlVYr3=3O(c9g2g!%W{h^X8 zfVM!!WsokorwXwVO-?%YI$H(A7gUE^jTT?mg{3_yE(&t%r-*B2#rqb8gH)1C?tzNS zf`>9`u!N)KwF(ZoUX*>-vtNnHS=&a&KRRQ7fk#M6-u#R9y5FGYuLppUET&QbQGL`h z_i;-)pbmfDo-5Rc$YO&LnFh{!xFpkobVbj-GnImXbRZ~%uoijqf$D7}eLoME!^fHy z&llrz#zYC>9Qc3CHXAnXZB7rUg-py?5>9ule(bn|3F8(QB!UD*z_8+tVhzSCCb$mL&u=*2PL)kXmrwZR8_`klXlzr1Hq$FG zpIb?>DtF~FrgY`@cP1~Q!!+%ya_3P?MEi{<9?)+xn2NwT0Wz+loB-RR@|MmUk+O$* zs5~80#cXZBUB)Ys;jSvk3Ek=qr|}DE7W9Oj-g#+b6GwC@9z;PaC;Ie`CpE~O-f!O02}Qdl{q8TSOUIEpTb3#}?jgp?)Uq#V~M zh>Jie?;crN5RUz=FlW)rE1yTh$6KpQ7sP})SPOhYJtQU7l7^`GUfu+KAEteFRHclG z$A@X~#sLY1IH>abTlnj{ea!tSJI``=^=zJl=6MB<)E#DILrH3$;!4ZJe6>bz3h8`3 zp9W1F+wzVL(_msZ8${w+^PLno&&JacX;e~3BHzWFz@H#IJryMmO4ibZ^|uJ?okL;( z&lmS*Y3zWhs%5WkHXd7(D)HfVqs<;z*mp$7Vg`|>6hk*QlW-aDpQ7NV6<2c^en;cb zSqz)1!j2WDtQxG8t937t?M`{o^U4JI4>&muthXSxx943e#?+M3zPj!iPS%Q%d4Ily z)EJF}eVY7l)D&UPU!?e(WWUqorKSH+}B=N$TB>U{&SYc6VCNH zbL8OU_ip6|4GFbf&i7b@glHa0+tke8CFPBc<8tam$ba^m9@bB%*IgM}FR`w5N+*DR z%0P6JXa$>K>%f9&3>hO@RIh&#BGYu_EN5u_&z0%iGQ|!I9(&ZM=qYkMDiP#yej1lI z=fP3+72-e5}8Ebc};KMoJ=MOit$ROMxfMx7t-@A5_#1IZ#olp$wXufu+?i5Vgj zPRdHnAo53rhUROOh>r}3-rJ7ZGW?)%tJ^SUW4-t((pTln&_RhvP2JZo#>`;*E@lJS zw&Im%b&ax$t?hFtap~jJ8jFA?COJ*RfhG+m&5fxNka=^l5Z>PJbeFMaP|(p4kyEY} zCfFP6+`bo%nd%JKb9(uru8D-*T7y<;+nVTBsoiC&^T(oqU_`R8bVGP<4Lb#_hOiOV z0i+vPQo9ZJxJ9z-01j126}TA2Ll7gm*;zI 
z&Od^+AR{c>$fz^c;VlK;bAbcEFaKm4GeB~1oaHvp74J1jQ8GMIP5C!i_?!%O#}Naw z44i)`+OTmMBP@%>SXw>szr+E=P??A3* z+n`p1Sp}R)e;*PI`0K~8FZYAym8lb$)OSP@&yE*?J8W1|Qj#!tpz!au0*fMmxCI-| z1g{IU2^*c@^tOFLQFnyF@c;|uf|Utv+b)2;z1~t1%Wk5twJvdEp;;YTO$&?9pQFpty<#v>s|r;I5FAo+p7}*+~?*d zSXfv%JU&*+ti$};^w016z67HscX-};tZm-BCxXR@KuYGRUGqIbn3NMH28rJxS&o9X zcGU75)>k~W?`k$3V0-ul0cEH&Mw|p$KtSN~@)BPJs?N|VBlXWwcnuDDzY$DBLxE=l z-7hdg?sOqZ&)88%_SHwSl5eP74We&piv_)H0!j10uIvYxokg+?Y50BrE*RhQcSsSo z5dG_8o{E9rciyeaH?T2As0#SF|L>IUj$8l4rN2+3T3AksR)RdY33F2x6pv(UkT%0W zytiw3){6~<5o&~%R+b97ieV{X@6%l7jK2_ZBSpxn-PXDiy6#E)52^(_kdZO5GCU5< z`GGMafYG|(r+nSHnAyFW9x6$c~%Wi7=HfpUf7$sKO99tD=DzuKre~k_FX|Vq%E)cnWP2cFM)5!D4=}K z2kw4#)Gn~Bm?Q;C;(39Wvw#)V{$l9Ip<)~cE=j1L-=iw&v&&*D{U=Z;6wq<|R|9MU zd038EM#skT(w3%5g=7CxyS-ty0&ju<79g1z0g{P~qFSa1 z=LNG&ACH6Z*<7D~MtfCGUi_E3-E(3l_(a_*r zA4<2HbGldsok;hmwREH<<#C;>+-7D3u0#&vvKlB2}(M z56_N-4aJa0m>r{&(*s9F9HHh79(NqM@s(ZL)#a@RPQ3p#QW!A zf_9`uYbF%^n2@(l9JjSv@CcU%Ha|$nNqR*L9dTn>juq4wL#jHWzBe0D8g<81A)%ED z+h-vtK0%B%X2ZX~$G#aGL7IYmAPdmajg=;6Ln#^QHX0j4Nb(-wg-1YuzAh#e<=Zrx zSb7}HB6N0S;p5%_I=L$Cm&A#?1!?{xCXd5zYL=h!?_9}#X@isRwW_M7f9+TADX0lO z9hwO~?h7%EWSU=P*OM?rchBSji`$Y4xQdY5}ysJVXm-5 zkiK~J*!!vC2*|R`s;TjZt%VqTrYqI~zI~NXpFX`#>ZO~_b;PGpyO7={fCsw)5Cggd zs0P&@zy2dfJwsiq)GQbzB>!FJZV=Ph{}>>s4L=^|de#VJZ}L?b zEY%w}hxc|r^W2>C3=hksC@Ni+pQ%9;eF<(C<5_9h?AEfKA#a#Mh_ORQ!ldZ*+n(U4 zLPN-z3Gj%6jv)l1dQ?#nRGvbF+r1^J2sta_s5zHK(5ZR>Oyt=Y7~IxyT_Su~M;&6X znVGS&v$H=#GV_awB|*fzwqsmtcR@Cf`|6RQp&^s$06vk^023#mfS@k_bo~N@A$^Pl zF{}lTm!1p^a{fTMT;14+>Ofhv{tPFiBBbi(FzlZo?Yw?^`;6=Tt>Mq}Km zR%mbYn|hg+BqQ4_Xhm}?cI}CJRWTu|3zmUX@5I(Sk36^@BdpW{r&!Q%t;Hy)3r4L> zeq@Kgl$6Ftc$@Za2!@|EBO^30Fn}4B$A5k`@^1KRN#O^sE1F?ovC2}%R5_lIpKCy_ z3qytX;CNH(i_uR50r>DN-cwDb>y%Mf3f{I0w*J(pY1Yu-R5nNbSHFms>VzM!m<5bbbg$-8qB+9MJhw-G3 z(iK1+0N|M1@@=HmTTDwiu-STkxd2SE1*4FY_4EL{Hr*T<^fX*^vvn|s4+X?y!STlP znVrLK!l9eB$KbVi(g3ekgAPg}moY`JFfbL4?DkIJc021@Jq2c`c8kLFg&YZOcxaiY z2N|Gd)5bKR^!>JJ%UC|bSHB9xNYUiaX4ip< 
zbEnl%nkM=Dj43Y)9X&BXFk!v8cpF;eBTVIP8UR@wjgry%--TgM#~;JuUbh(7xVR8g zDXIRir&Cq33HNCD7{%3^{Y??ezqb2iPQ^wUbXR)h1)ZH)ArMHV^|ZX$tc=nNtU4N{ z@=2TUPjxO)J7%V)hL?vQTd3_}!eO?<^Vi5m1WDK_%HWvut@r>_ewF#}Li&l1Gqo1$ zv-?S#+*$IbMV*&2)#0yToM3JMp*P1 zwu%IXNJ!)-B2U!EEkRi`Z}m(~6iH(1%SA;U2zCi<^rf)Igs}PhdwNpIi^nD8hK0IE zbf(b9Ix5QHOoSaVIhnASa#xsWe8`)rja4M3F88`;&>STK_3^*2yKouF}T%Kqd- zD2?1%%`{FY6nf`2l^E!~0E<}e4$jrd@{w*nag?qdI)@}^eRJ3!ne z2I1R5xu1YY;+NN6;;>zO!u0X*53b8qSAgmgI0yCPAAliv2`~g%`)ftt&o=g;CGANw zfmR{%`wk^$CkBmlm-#%;F<0E;AAU6dh(tu#Yj|0Z2Na3Wz z_x7R+w0&|e)7OJjiE-!^(MY6~%I~~3B~Xd6D#-1v1N(Wo&;GiziX>);C z?v)U<&&J6S$L_Q!*AyR1IFjS%iYrHaVq)ADd`~t4kx_cxUk8&ti^WV%-KH9CGm^L| zZDu`1vXo3nHGcNe(rQj;kT{?pYXn%DWY2z(AD;}jnU9klxUyMKDF~0G#l;~;YJKm! zwSISHy2UkHBK6nqD~k_Y^ET*OO6Sq9e<>r;JRq@XhKGcxyh;0bY+ce9s=Aeyrt8$= zzm#3H*oHE$J(2C)WtbNqPc|xm5nm<#p?A~ZkPQ7EQY~dnA|ZTy%{q3Kkh^%Pg-WC< z41=gL;LDB+Gm%@8ilGzx`vZt-y^t>S%xrgPE>Me+Fo!IvXMilKqjak#^ic6ug|z5D zs^$PhCjqOv_E)+w)QJVNtBJ!FtBKnwYb-q&Iz0h zAON&<{&vdv1zrAlTr%o{*GXodLm%{xq9kjYft8+K6|+1ihqTiDI}9J5VpMzxRQ$7o zarV4xIiv+CUDc;VcTwpoUGBM?cx=?}Vfg=Myn$eV4! 
z%KU)sz0j6kzx9WGrQ^l4{X_vwCH8xr1?Iu3;_oB*p899xESpu>*5wbMu zVuRH_fowQ~n3QTo=6uLe`rY6HN#6z%Q!Y5pn3jk z`%m9{Ld&immiFrwI?u*TH$A7c-vBEAWSH;5Ze@M(-nB40M_yve^5X#^!saJ8Z$r`o z&wG|enhb0za=~FP^eRS21WGUV=XwxLDkSwyZeKRm%eRka8 zLOcp1WLn-hsj~AxsyYa$+%nNrHCq4LaodA}8x_3o60R3-ei0&V_vPu8|L>Zj*mEU1 z#IdAwHcdrU#qgGRwkeZ}z{R&{Lb-c~R6@D`V?|L;X@8&mY|1DqKp;)6R6}y4dS(2o zy>*V_4NOhM>@ibyG7U&cLyeV!iHVd&ytQOex8BC3a<72XAl9RrCOO?!BVZtsx5`+m z9ZO7o+t-QQZ&4fGbTB38+qZV9ksIJJgJ`FVDhy&R_V-(!F&pe_3)qEcc`)1BE)oZT zx`Q4<_R6!`pUE`}N^`h8&cwdARbFAfw<`u`OHSahFwnvV-tchh;1YES`m*Xq__#%= z>($mq#52+&69Gms-R0--zj5P4WRaDnS-A4;ni^}Pxf@8hL|r5*io_+qq7#^D8@x0L z(#MEVNx;YATB&Bg)}UJ`dZU**`Jp4s`SlF<^FnmKCy8k;)RC`G;Oc6OW7lo3foBfg zZT^fy)vGV|Kr2YaaXhk#yc0(#op<^@=3^b`K5r)H+pw@&TqPBj_InU6iKn^-ZWb{n zc1E=bK;>`xcHA#eXC7@7{rMAXs`+6A7|NxnjH7?(48i;yLASxuw6UGcNgLpJ!8cIX63kTDbooW z3Ts|NzrGjG$5t^ycQ4@>sQTg7jN`xC)Vca~U%A!CKD+IibKJ#1cR7 zDp0;7-%S6r!BGdckd1r@wbM5cpYlj<-cM~=Kxfx?lMJB^;I>IYXmTYkO-#5*&cemB zBA31A6X4@ZpD5y5e$=CV2LNTE#=||wYd^8842$W-+20l7&?Xq&->yHpw&_ybvktIi z=h+MiTO4&@dCD!+0wR1C(i8H7mG~R$Y_lyqm_|L3Z2QUbxG4j|xb)Xw2Iz;>>*u}M z2WDT)j9j9`B5ssmw8Q}Ms;L_Zc zLdb^Pbw+~5H&y>pKyNp+x-#~?9F8F&=I{UH9Z8GE-UiW7jI+VAj(~Hz8zyrbEr+Et z3lGRklneqF&pL@Q3&*NPJ}x?Fe&5lPTWT=%Xr)!eDXXA3^Shg^L4 z=e5d4!k_Q=bk8X)Oogc6ZLI3`<|efo>rT!{r9t^v8ql75HYkZaR3GZ zHR6xaRmOewBFw`UuCV85HFT~p4_E~?X0c(rife05jM&M1KxmbWDli!X<*%;@j*b1QL&O`BXDF;?$5fv;E$I7xm^zedeIZG9>gaLr-&*okBEw*!cz9j zmu^$fxRgmrL)f;X9T>}gT_jT-j0%D%#PXlqYP4EB%9yB5LRY-FnkRsIC{ysLeX7v~ z1vYG%;iG9U8qtK0CuHT3VybEaM>+(xTUo@vh5WaUp+vyh&>-x*aY_XjDl-3#b&O>O z$Fs{FeLK~qzVm(AJmQ~^&ArTuJxwiabaaS<=B{4>ea&K*+-2Tn65@CZ+APpPBa>+y zaw~2?|62*zGD#lnHMgk)l-frBlCPqFhwx7S|7IE8leGhdF(F8nOiJe_Zv(XW>X8@z z2kKQ)Z+uh6%@FP`_^L36V04W({jmqB&>CC{GLC*dj@j1(eRt5W0<0^Sr&+};$lF8d zJmUD#wo^(Rc~bRW$nzYM}q5&ycX z1)e9|0bueQnMLW+i0!|Swd@AptEV1V5c{5W%`7`I#8UPeZfu0T2rWYPuwGkHNIRoo z_YE@5ba{ddnO#=Z9R~CF@DOu)$-3L61H8uq6>mFx}zM*r*{_!{$V-s(4 
zN;kMXxfzyt6bpIdL`D~54CJWE%Dll{#lPG$f9D;!hTbCjYZMlKeFtas{(d=}v6ja1YE3^wNomwo1>FZ@P2$@6w)e$@3pGmaua*|87ndbtx-of#SP(e|U6$CSkd4nf>yiww4tPTWAR-)z0e8QWezq&O2{`Pk(p1hOl|f%Gnu} z>x-lkx$et0QvI_8%62Wrarf0vj@jv{~_)u>bqEzZ}haoq1j$ znh8XmU=8knMHUZOv7G1WaqpkMmWzMCzUc`be|w%*3@rajP2k5_;$Sfj6=#e>mHS7Z zfK3-$gTdL~TEEWc(+wD@mM9V=n_sDwF<-oJlIWSUxwB%QK_7pnEz4~!x??eX6vAxEKRRJY@6g7 z0b)OX&Z6To+9f9S{a0X=19r?g%1jxPr58_^C$rd8AGvV-qH%54s{D)u5x{W5ZT>;o zF)Q#%f<{;RUxDoU5$uqECw*nByz2z7S|dz0-l~>~Ua>7=ZZi9U0;g@A_%Z$YV~rn$ z9ZidmKHfYfww0z{`S&lz{Rw>Q=k1j7jadGz17z2iO_hd2q(2B-R_jgD}KnyVp{qb z*Zjz)Q5or$1q0oplrbol(WRs_N&Qef zhpa*s!wSVn(N%_rGF+OI7CB*HI1x1m24gLmAX`sTqz--t5$fI9dOXjIeFS}UVs2~) zhd?Hu+mC?O=ccyYO+vg{=T2#t{KsZdY+7uAPVgp2YhU6ErBwq_84`sOwSo)>wz$KkNw0 zwGMQ=2~dku=0MrN?TdJSg$IWJHXiY^Jm>mQv>ug0_`OKg*ToHUCOfu?+Sx!>VncTUB8!v@r!7*D2i9h z$41jQ_9wB$De_ykVJa7t(ZmSj#Hla~s*>Xfkzoss-y*{C--WJV`I{)i)!9I!pWw#m z9r(d{>;;lc9|cf^fzXPQ2_xt^tu+1}pH5vOy6AO+#tWL4z5z@`P!r#H5tZC=IJNK2Fq6kz^whxD5es_gfq{hi|*Necq0 zYOm`ps!QNdk@RR*oloU-z$%bQ4zMb3!1ebxmY?%q4SC7Yes_ppZ!MXX_z7veXOQEe zVLXYb$?5~-(`F}BqT&(;~MY5yY*tBX*+h(Whjm7 zy3Cb$mdDn1?!}y1nO5lDZ2bzTfmB*CE)>ucc1q!Pp^@WU5{d8HiAhZ@(VHr7y(Wn7 z8Rio}1U24BNJt8`NTncM)S|Nk26YAWnHgg|P7YNqaB|mbrUcUkzYk9-))r@VQiAYzp&}dm$l*g9{ zZ!g$@5H&7mXh;gJLgNJlwcwQjmSIc9dNQlI9Jq$fQ6x?*mHQa$m{PSS%2(}w6!@Qj z+NT+iTpJG_MmJfUQ#U(XoKh$pSH&@BbKimX>w-Pd4#OycZ(81TYebIxH`51p6>sas zPZr%9v+w$?uBv`RZ6v>$>S7hM(Z9@NV<66EqZ5!S(e+MHYdA73^O_Za_P5ws#rI`G zQE0FIO^?d1y^i||_aIh!FRDe^W~SQ&G(AB};uouyJ0O|No3~Z{-md+kmk?E$?%J4; zo^Cbv`vx{()`r@Y_iUUB7w6~YL5p}iPB#N5Zh$q6ej9{Mm?LCJbS75VIc#t9MTx!B z5P4FVjG9BRzwMfV8HvvM?-(XjLV&t6%VF8ovu1 zOh0flp3@nAF=yMb#@PLhIP>LQ%FoS}Og5_onqezt9UaKL^XOpNHVeOpu8-RG4q?Q# z2hTOY+Uqm--){&!Y*eS|EqLiPo+9QlJfIDv^Gtr5xS5PX7q|`iSr-@kyjHW`_u+m9 z0D=}Ftqs18BO{kHN6Bjs@&iWun*^z|(I>5ge7N*8IY;91xcu3O^AhaZ;nHOKa-dk| zJ?sXF!;ZZ&Cf6h~y%TOwAqUrw^+);kNwej7dye8Ibp+_I&a?PDpb{!Ct3G(4`le0} zs^CeKMDqx36TM_uP~&dJ0Qrmho1*614h-&NUe%2c`gEemNQcT@o8rj%`D=0%35Zs~ 
z2LiW;0;mVRbp|HI1xBO+VIV#yKyw3%+dcyU?O}}T!W$N(+d`QHTB7Jwn{QiVkJ1p( zx*(#;)_R8nEb=A1=RaP7dQnMv;h4vH_1{U{`#5@vl z3MO+i4JYapm~70OpYpRhf_n%xo9jfJ<8l3<#Gp>l-@)!=ou0mu>EhrSN`l0}3{)Gs z)JH%V7#+tS3u-tSYO~1nK5s}6#NtkdChd1ds9^vg;@$)pS1(=VNtg7Bc`i4?=ve0Q7Q#Ec2D`!O7B6(@Q5)i*M}q|TmV zbJz-J;<+EybNT27KoZURZpor}AxA6{@Nzd`mkI^y-{7qd=9be8r9h7d&*}R=wO?ol zI2Y;KS6wwaDnVy!S#e*%jA0*rvJt*_bi~IJ{@(7nZ*As^RyN`8By`zqQ9V_@Bu|3U zMl}NNe=;J^0C+95E4)q7g;&?esm+lAOQi;0Rps_H)Bje{nel0QzTv?px2wm4tgM!i zE_6bpQmbnSPMvTKEs>4|znZ2K|At>b5qC zpNp3vYPC1sWvng@YBBZ7CDenzwrNi0eOxtdN*_K{_t)oYIPkGpd~i%oPTs5LyNBEG zN$zAucABsg6H8#K1JUFjie z1M1$^*v>y)(bJ}UWXggRdrV-HbhFW5J5xLTZG#h6esZdcuVH^-ab>@AQL&2=KK}m6 z&JaROE6?!L+FXrocwj$LooV%!luG%jq$=JADY2>{mx=I4vV0+_SSCs?YAvLo8>3t; zdnfBS^Nmxd~bemYavz{x{JeM#npDJP0L@YLi=;ROf_-M(uFNv%Sc!lCC8z% zA=PGsn-q?<-i{KDPLX+$C9`I)Snhdma=!^zdB+G1gS4ej;+h6l??~yx-2wfc{)5MR zqvGGd8q>bHQq@CZr#Pt_(C_WIh!}^FV#75^KFn*TzOnzI&TLrEh=I<4t$u9_KlyUU zs(r+{#YUIg}k6E5kRn^-wIbeDsz)xSECh`9N#YYtk~Bgnxv|Gd)eGYr09of++<&@*gohijIvGK ze9g7Td{cCaNa2gbhw?;x*{x_&{2;TBI!?uP%5VhoVlq${_~m00hE-t(1Qrl#i&D2=Y4m_2@okO z;1w^apq?bywq&cG9xrVxzMks}3r)Wd?1FH+?Qqdv~vY^tJijT4=;7odO)peB_+jti~rFw?^6a zxrJ6=iSi#Xl+ID)MSg-J2-#GR4CPa#lsPw7F1b3OV{wp{oE8v98cI`TDN%f_8uQmR-MJySa&XH!6i zSWz+c#x0oD-n~wF^v3z3SHRUnzf{e4GrO(cGH`s%THF&bzNk~BTJ|DAamm8z^&VH9 z$wXGvqL(uwi(1vT(YqI8L-=H~JKHupBfG%kFT7UO8BOtH9q(CsCv&&X@N{^fyU)-N zkI`JlpMogKOgA$u728ybLXX)-P54xiO(ofGC_SUEx7SeQK9jPIsQusZ|c-May0CzAdqhcyN(5Noih!XaOy?#4GPeAiuf9Ui|SX zDWU#MO%Zw4*Ej7VEd0dK@a;E#_am!Xo8o-_;DEEy=Q8=JAEMN#Rr; zsQ>9EzJ9~TyAUD6AwQ5YF5>l9&XkR7fBCogu*$`hQ|6B~PI|MURgJjQj`C_?z!ha8 zNp0EX3PgGmG(!_@=2NB1_~Ot`CAIb0JwutAQJ;JLzoQ;9-XgKo079mp6Tc4_{d1dVqJMXksmt zDnrG4%Y^fsLb4o_kgzO=HTngSsPe~&!D)89oi7fa0jc~NZcom3^Z=DAztC)ZT$co7 zcKsYyx{Gdzi2eAMxDvKuHPpxWjNN5qeY>LaG(KTJ?2AWDKdN&s5JzUtcXoPdX>UVhd%WDWZ=AWf8YwbC2 z^tiF6G>BB!QczfRssVdeg_{8yMSr)r4~uU5%}$D^1rq-O&H3MJaiG9`NMpVf|NF~`z| zD2hyjk?xO3sbjQ<`AfD3;k$@OvW)t+KkkS3>3fbZH$Fk1bVK#dt6#(wTC?Z8j$#cC 
z9ogX|8C>$1c@}%1QNcI4|6u|bRI@OFhVzN#V~Ra=?LalG8?YIc)hfD_by{Vg_pnqhvd;4)2gKwM~^uSlE>zXjcZ)nmn zabS`;A+6Aa?xrT8Vc&t?Z1$nHS@)Is)vW&SFn0c|ct!#3k}IFEiAv+5i9=abNrlj? zd#@C=s*^=>Azg8-u>=QUK3x=+tv|0+o{O(QWPJ?2-Cq-qp%e4?Y_83{LGzdfiNEic z*~S6C)HX9J+Vo0WfFn;#pwaE!!>^RRmD9TE@>nC8ZGlb@1+E#5F~TQlLE}&H{gPY> z70uH;{&+FJhZ5A~{Vh-vc*Iz`&7Z%_H(KBHA2MQ-hHD^t!NH=p$93U6m$BS!G#*OU zMt=0bR^Gjc32Lqj=p4q6#-ixFUB{z%u1x11SJ)<5O}SZ~R#Gc(jfywdq^wc< zrQ-YGR(HYEY<_YPVyVb&qfDF?7;WRXS<}(gq&+ z0+?fKC$(XF@|N*0X=|@tJGosp8rY?Y&R!`eoL4?eHzIcYA{QAU$(~E^^9O|gr<4geQZW$S4eP7df*6YGqNA`ffeQ^amiki&k_c1=F zzk9~S9)oQ$6r_1n5%?#WR(hYV*Mawyv}*R>o(z|;RwIrltvV)0a-zCC{k{E#Db~g! z+@0G~h^getz17+>du1#pmuh7nb?&3nV{eethMDm*=K^4-FpLS|CzFGgF8|<(#O{8;kY2-W@kf7@mj5{`qO)n zaV7ke#rMK&Y?@HYFe5Gfm|RtpvXOq*)~xu7t6a4z=jYP}k)t#|oI)x6h8;zGfZY4(xHyLM0D6=D}j+cRYx!Ej@6U|6IZ~Vu>0(O54be8lJyD zJI*MrTKG%^u2UhL0LxpdG39$GDj_%#3_ZcP7fu@Zc%^?0tLWYuVRVOmEL^ z|5|i~Ug^y7I));bD4@SNep}$-ssh*LC8JvVG0~~VdTy&~ZY1qPmM=KhK1)sMBn&sm z-?y8Y;kQIKiMzcs;*oEWXHf*3@h$wpNco|GMDq+ zc^l@*UmF9A%6rL~T(#I2it3ZU%CCp60no;zyXJe{%22<3M!CEBPJSpGSr5r%kLs@Bmh+%Yh&FucpBn z!RNuQQ)LmA8gz%p$XOUl{LcH_*qDivyJ{LcVFo2qqRLwgtT;BGOmpk5qk`=^jZXR96C?#^`7~C--4w}R8+Z=t}Zbs zlt50Td*+E-+%2&xTvk@X9nAe;kDtpT(`Yq!?Ua$3DgS2jR)w<$?g=mYQl0%$@V9M< z0HoOQ8-v@AVy=#SK(JP$WoBWCNl1|L<$>EyUjL=U&)*iDxl_vIJW1d-ahadKFZ7*h z;48-1z9!<<_$NX6&_GK9r6zfBK$E#aXGMIU42G*8* zZbZq}hz}dC^95{jNLmW3vRgg_tH3%8*UQ*dR@^%rp$N=?ZOrdVni!h|@UYPb-{@OY#Gk+s8P`B=WeY$$bq1iv!*V^Vjp!Yd?$Y=NxH!kBZDFV-*qn z`Tf9W}xW1Op(8hQee~_x%=+Nuczd9rZ5%qp(@%u#v%YXOH3K#EHgWWq^f+Mt9elRqi*8Z%gU?+PnO;NXz0W zR1aM*+KVnl(f~%_Lo5*q$#XnBJWd{-k`lb{USHmIFso)0{Brs-BOw#@|^1|eu3c+FOqD}*5b#!$HMaF$F z6XO5PJGQ{8&suK0u2;9^5QPQ-Q8o$?W%t%Lm|QPk4o0u=20jK6`h`Tw$g0|YN%^4JYiJZ4jfpnTEg^uj3!3ryA9RaEoPQ&S7A zS2^eHKH#)999qL)-u$s&cet%|MP#l%R@Bx;WRxfFjwA>PebH?w@%}OIoXe(wIkqkt zh`iZQf)2o@kAFsV|B>F!fwOZA*ROXkSv-penTAKWN`#%78dE-4AI~G=4{B35Yuy^(PfXYh!?zP&$LcGbSFfPka1RE-W$zX)-_FDV< zAji#z`1l}4_sOTUUYH8u*iJv*@WB;7tjNTwiBaJP$K~?Sb3Ht?!vAvC4GDgCku0J3 
z%|0U1>*1FCmac9@PLhSdn-aojVcJi9H&AgXc;w{Oc{y&|@()IahNMkQzB5@3t5^gC z1Ylxg3$LZ+JpasXRTqv*NJbXEu+YNY#1_=ye>ftB|9h%b^EWULPubt|YqxS!wzjr5 zKZp$kIJdclMbWaSt7}d8%V%y|P~ZUiS>-cl)K~M9qSMpm+kb!+rdzSyTGkyY(Exa6 z*=Q5S-z-MG@PM6RtE`$G_VUWj)rLVY&_)}Zo(kq*%5vYS^?v+Nuf6f@xOqrO6)A6K z%4zqOAOz>06hw}o71+_zq(*r0@Il3m^umAY2+ApoM7^D!eJFIIA3^B{)Ot3CH$KX+ z8prQGZ!UM}N^kH$h$fI4wRZvI`+$xhjQY9Z$3{o=fft?Fe%)Zo!18cJ(2B1Ou*Qy? zYr2oYS>m6C-ToMw#ORbsVq)U`^%O-;pNk{Qk@Jw-he<-mtQB!jKLMXR6+r?R`T5=Z zorx%}bCJeyNZr#fHXe9~-7vX2!nJI9%Ja5{225+~(8=nChBrWxr)Sp(JNEbY*SI09 z)0eiEk8uuW?tlIdzZq|f$U=paEKw}J6}2E6w)LYvH4VM!te|X84=-x^h^XLpZQQpl zsRR=0&%~&x8k&LGZGqPp2oeh61Uy@xx=82je8aIjx|Kj9f8x{atB7Wjyxi0m%fXb1x-Xa5tvUj zeV;^`ubFh6pq%ahG9s0yS0~#Nkk z=a-j)fe%r;=1kkw0d@pgf}EcePUT#FW~RS7HvcTnbgX-T*-ahmb_B2W7;3eMjn{=5 z$Y;*9;BNeDtv`;SW%0O1#zzwr`8;Nb?4U zMaYDPX4YgY#7uW*RnlVdWQJhg$Ce7k$D^qZw#m(19X3rP8>M~; z90>I^vx5_TYA%OO`wlA&=!9Js-yX8j&N37U6@969SXLQZmQ;`svw)Mt@-10T#&>H4 zUL216-r#Q+Ph*Q7%x3}L(;bNR$v;lqHSeW@DmQoa5Ye~cs7K`U%eH2^;vUEH^ecqHVgV`;wb0~ukeM0mE3YG7>*tMyiw#6`E_@C z4S#?b_D0P~J9BdZl~e)om#NC?@MEpZ>f~z#y?LudjK(2I_=(NC6{ zSxr(gV=rRko9+aXC;Jk)rC+5c+n66#9~HWk%dScjK6G@aHN^GqVCO59zIcV#v@wJ@8IghFC9zT9}NB5yX!JvcM*(UJxgK@ndYH8DJrMS4KbO-E-jcTj0N%MVEBgF~k!`Iej1!rw~u>W6K~ zzR-&B@+yDN=G|p>CljCS9dAp*d_YRdTb%}sUk>G(F5;%7e1N`J2R8V4FIoB5pYL4> z-SK(TvYYs+;3YAFPbFhq{5Dz!F(-}=)s=RQ=PN;{OhTP@uuUL)U4o%5CRPfJ&qeYZ zIvDP$im~;zc+z88zrN1!+LCWM8vC$ye6rJS3i$7(ya~VVdIDF3;Ra=(BAEvUa>0j8 zGBPrVp(BO0Fn@N*A4ams__lc3LKC2ioSb||Ta+LtoEQ|5;r#7Q!+m>RH^$8j?DCk7 z_j2#0-`Y~>_peWm^nJ+9-dz>Y48j%0TX|`M`#jK$fRa$MQoTzKcHf4+5HPUGC!z|^ z0Ob7WIf#0_H%D&YKoJK_2HTIGOt`7ziEn{J21QX?L$f7qhVcTAI z!a7ldfEpvS;3TWztw&o3zN9GjqjUNBAqVt(Si^9@awt9(3<_6z0Ww@m`8{m(8==h}76rKj=(C2^z>=yDIL$T%oYeT;hEeOF5t2FDg8P|{socfvB zb~wBo=6YjT>$4goyAO1fyq5+Q*1+SAn*_^pEIrX(>N@Ic&^)AZJ-JxE>hhh9j-lb~ zwuhOd2Z)U^l};QVAOGry`3w&bpqXPPm+OR4`=luO?IUbXJFz*&1h0*neR2ctPG=zK z0Cn1< zrUmFlxY7nTkV}3<-j5bQe&8U6dXDoY^S#s&Hs;fjn-|iMK_Hi$G;LEI=&<|P*=aYMCdKRW%hUuqlZ-Bv=kVVD-u1@6OmVT-0yG$7w 
zbz9`P6)p1N{5=>m&Cd8ljY!}{7ydGfGknXQUGbA|U~zey%%l-;UVnb_Ic%cDur&m8 zUT~{%4Wl>~_zgy`uA0+jnaNXr+Wn$JQy3vaEG62WxCWA+I`;hhqP-TzrmA=Yb)}13 zb8=`%E7JsB?t`X(aXb2+9UlEBC9XzS`h3PX@2L1Mv5L44>}>VgYL}y?5}n@MUgP)I z9lhOAOIc>6v&2RDR7ZqTBly1M&LHLs;(%1@PaW-bKOhk`!H)m@QJ;)mvEx^blbK)c z6lj@QS%wyEk2s%9m7J88l+gYv779kc$l-INV)k1M{=qxwSd&YVv}?#19U*ZW9N-9K zmEp0@=8r|gYmB0@Wwh^&e4oUOET=xO32y7fz)e6I6*H$LLdTI|1ZJ^3g<^a9A5fCy z3*GsiJbyz^AC(?Z-K(k=#iRt`z0}a_Qqt)y*Kav{^c>iOX+2#bkWk8RsIe`Gi5Q;A zH1y0PCNwP8sJr-B+b~~GKD5UM%wUUVr2?>YEiLn%Eytk?3jt|?fT!}>Wf|DDMZBNo zn*23WsdRXlNJ{@+iKLN-=V5%2jE8XnA=J?2^Dbf>U1Mg-bSL1L^#!e1z2F%l00<`e$Ow%}y-yz|rTq2ZG-B~-zC|Mbm9 zgojge+`L>P9kLVrA~ugVOgG=YW%nA==p+d9xDI3?t?)wxj4y$THZ|I}#etYf3SRPf}>Oii7-C)SaQsA!lJPhT=Z_h4kY2|3hBK3?6 zX%qe4{W1&`DX&L4A4^%=&EjdXloCRtdL2QFZ!=_jVc6hEcym-BHb0R_&ifGyJ0;!G z6Bzdnbo}Pk+}p;O@2MK-2FLx}5Mzx9i@`Qt*_l^%`nW+SsW9E&93ywc|B4WxzkFTT zU;S8m#g$+}khT@}^0c&R3xD@1$J@*(9!bv7LkzhgWUARg#I7mpW|W68dUl()a~$L>5}Ya;tJb$~~&*9R-rDK;|E{eZO&D zy5L|=<9DHJDE6k=>XT-1@7Kogq6K*39DFvD;JE^Fum32#^9_NQepnGkr%^ynV zCN#xz^Dwqz5ufB-ccW)0_&hyMChqeyvi%3JqlfG)dHymeuB%-aSJ9f8c$XtSqbmRp zz!&`E+z7xON@?F|C#a?zZVaj&sTaBxui3B~^dS{7jHO z+bkq}>L%%E`1QQOy~FL{LtzNvL{#u+Q;cjycAd<+Ti^os1!OGPlit&6@9o3a+M5}U z+aayZjwz^vmXs1sIQ>k04}C>5doqMtTQOP~`@k`JmlM99Myb-A!_fkJ6UwFQaY%LD0qtT>GJuQh&yBN1TFCTv@a zL4ur?Jltz4Yh5wi>j1-e{I#F?}zV9*Z{9KXgjYq8cpkOXLXjpuR!ENz5To~CXQ^gRsNEs4R zaMAT#B{-P&#rQ-c?+70Z)^HOf3yYk5NT&At2fE0+_k(gLX=V&b{Ka>Poz$MsW)8PX6KjRwPUQVZYPp-e~&EfdMx`CP**N&C|Sg+W83am+Dt0w zI|eZ263#mT+tV^F4L4^pb@vEFa^584Vt|1+YC`LFBd(u|pz8)FIzFF#)p;8zTHQOT zE|%(F=ZqR2^^p7A2g!x;u=*?G!^rw&LkT9;0#|{qY0#I*sSjpMP%)sPN!!I5N9n)^ zkak;7MV*-=UN_>nEpu5T-*$9avXqkEm_1{+|LC;{iqw>B`rVsnj17vEow)p*D+_X+ z+>80-QOiI@T1_KqlL8>{Z2f5ky>3FPwZ%4mZ@&IhZcA|jv^+1(OuKR%lX=7&C;?Z- z6glXC{{mdn_jK1lVY0Nxp*92rBqa1z$NxDH>5~Kr%@{EsIi;>ms{C$66Kcb%#rLVG z07BR0=$6a+@A#&v<}7DKCW(>cWI^vXxFEU_Vep;T{Dnka2@Lt{I+iy=7c@-+J*b z_1#P+;lqbK1fol#>%8?%pZN@dJBnH9dcbtkvyStN-wrA|vf~#X7fWs!LzPR=EhfHVkLC8zp 
zjHxzZNr;BJI^*G#Bd@u4zyTW;h@~A(=T<|=G&PUz?IhJY47CI=Yieuo@$qYn`o6YX z`gt42Kv(@Srp+G<0rkcaZf2BTN|75v9rS!cq2rtmsq0%Yu3{vo23mi+_k$XL$xU;Wrz2{7*a& zez69@&?kJ(tl3?%)L%HrkZ$%d|J)1sG+#6us;eifH=?8I4a|#Q(j{+aUH|Edu7P!~ zJ>RNdbpIe|kjIDboyMVaz;_lMD7?qB#;{mp&0Q2XGM4Omp3*uw`#NnfUF1?lUejg} z^(wUgfzj0`==Tqrmbr;OpN*Hje%mplOoHL5Zkv|P?y#|yJVbD)rK1u&$pnk=y)$~Cs}X>zAkUYqw+a&sy=nTOJ97Ujqt@IJ<4?` zAOKlYeE}$!Oe+^o2Oq@}K01dm4oh{vbD96`YH#WMWrw%O=FJ;{o+%2+$|qfRx}o9T zFaU5=Q5?TJFB}#P+=}4g`H1zx>ELPZo=C94nniyU)xGP?hrv=!G_*$oc`~>!%r^+S zgCh%YG@XE`70V-yL*KyFAU3(K?iD?cygUXp{US>;l*wCMk4vLcnZCFipHe|h%Khu- zN6fW*XV;qOY_E&#gt`6zRoHty`$iqN?^2i}qL=#3i|2ku zw%UUat5Jo8gk*Z2t=+QC26C%r&bB-I^hKq`N4c|V|AoIs!CXgt=l(;Bk5Ny)s61sI z`u<0RY;OU(HJ=FG5oiz< z{$~BCQQ$sPio}um`SNWWt@Vk+1PPm@!|`eh7a~dUh!TPGq*d3Yq}_k;pg2CSWd*3WpWSe=)MJQ14OclhSdAQgCA?R>=-V9xSnOi_3RzG^iO^WUw#^0 zt8E{iL*;nJR%iBDa4h~?u{QfeuXH5}wXmm?2}YMmSIF$lc%3ECYVpiR;y>cboqUf} z7fD}w2QIv#1ea54M&mF{0Jg6Yfgm#TXltSl!A4L58ug&HDgvH2zA4Giq$Q1F2essm;-SwCM z2A_`pzx(3NVnt!!D}j^k+0r^O%dan`q@+@{7`>c*bG~7!JQ}cO0(qlA&h;T8!c4$< z6*D$2Zc~^NKyI&q!|U6(&rQuRfJ@nTkhR_Ak5u_SDk>x+gX-v-15g0SKuuA=0Fn)MO9HuN=XRRFsbzV9J+BoW*(1dOt8X6Sf`Oe5F5YX8vL8oakzzkA%)#2K5a+raEfe9qM^z`T; zw=&b~xd^s;E=FKk_!ECwxsy>3))zO}%cKbh3|O2)IOnWddl33)|t zE5|2RI-EW~GeZZeLKtn4lK$f2;yjte-+>2WLArw^5NNX?tgU)99a8Cm+Pa&XF<=D@ z2|c&0p70(M)Y;949RK#CPZ>wf+p@A^q%Q#Ha{8jTPS7CV>x&qe9~qETMt~PEF7);v zIs*&jLAwhH6MdZ@U!zP7=zalr*nT)%eFn%QndXc=!<-^P|+_!A7PsQ=LHayHoQL4PO$8IX;4tt;(P72 z;CCwlWYy(5x1g|7AgF`YRw7P0JKsSvNEh(Rogmhz5nSJ0Y}Ta3vgh$U(1AZKAHqAh zGa?8W4+d<5anu?mGhyV#Qqy`LOO3(Zv;ZGET4$&9|Syo?oKS5|pZCQN1HEuevV+)M88r69vMyY2{hF|L5v zz>VRZftPnR$Q2Qiofe`ZbV7o>C`};T+y<`FPIXpT47ewY-L~L?gm0PN${e`@0*xhm znX{&6&v-jum`}XehN^0d2<}hwRluqKj0$!{UZv}YWi@fB(RCDJ8<4uG6xusVeDx35 zQ0=(10)A9U+*U7R` zsRHTmAXHXT7jdnOVG87tD&eU%sI^T?pe0*OU2%%dY$A|%bK+vgvN3EVJWl}L&cQSS zJVe#QNkM`x>#?%85K{hxE|ueV*)h$-1kk8lPT#ASXyb9JqVKHIJx?NDt86jQ>aZyAtw$GEAB=O|3k}3=XT~qjppU32xyDEET5b(S_x#QU>Q( zIQQIpK0+SEMpf}G%gd{gicg{_LC80Y9>_yP^yR(atMPNslGdCzf{|oD;5r`Qgrul) 
zT7FFq0wyD>f{JM9=**WB!@G;=7uKs~+^EOEk%*proMpmYyWCJxeZytAf2vj_l_}6m zhL0`ou6!D!AX>72ED9l}1g$c0)N$ZXdwu)5Pwx9tszBd=&>FZTw4 zNyf2oi*MPNgruZ-TUWraRmn!!@Etlpr`URm7lS}Kc*?;MJzOn!jYL2$453qM*lqef ze|+|frw(WxlR6m$1;esArC<<~X?+(q_NG^D&PP=;kVaK|d-k*FC~!Na<%QZWw){w7 zw%B=HLl89zfr%La?U{&v0;VYyc5E3x+kCtcU7p~#{l}%(>}MqcM~^-M@LpLu5W;`d z@%siG#-Q~PPGJ88JP*Bhi&Ld~U-+iBQ$3C+wTlm@F9z!GjtYwiR?_YZwcZUa)TR$l z+}+g{dBs3L6GMXg8G+W#8Rb;j+5MX`Ud#ziGpS(mUYTYVVGZpEC;nUmva@R8X}O;> zt6Vi(e?{Y#ohDUnafb! zAG`fYmBDZr(gRafP=E>P+4*Z0YavdN+V#=T4;X#VEr<=;UzMl$a2Q_Uqx{&6zD$GPkwn+Ft&AUXC2V2FH3mZ2%2SdOQh2IW0FHRsH>0f&qS6A1|k zHcW;60L;;*mq#Nq>1k;{PPm|Uc6E`?njhpJTg5h+^$lCDM)g(l(5!gVCsQ;h{;YH6 z2?g+zZ;65)s^;q)pA5Gt9UFVax1P3kA`A8a1YHsP$odN*x}Ed3leQ6 zjVs52&ZUsXxmDuw?65_V)AR^cI`H!g*W3!Y_qXhKu)*#y;!4-eg76w^vx=N)5NlIX zHigMd+yE?KtCJr6qX-4*L+rdbDM;IMwX)E@ zR&x-^e*;Tz2l5OO)ngRP9+WkW&D-%x>7 z0li!ivjrte|2YRd$|~%PFob(vZ== z$v@M!&VqyI-dh2&l0t2uriaLyJOc#c4+zO@EMzQiDD)5oO?F>j2WxtzELm_CQR%Q9zsb;&F5 zS06GDJRggu`i6U@_k~67IM8>nX&%izKm28snR;~AR#7pdWO%-$6$n?u6PObp?3}Gf z$D_!6Y~=c_XUk)>DstiP^#2iJ`j5`LIi7>*`apbpo4WRV7CU1+932f!QX{3hl>SrQ zZmq8pWVVw2ctzCq>E>p+6eRRrvnj2?^;-ji^Vq5j#*}A%3=qx~OEG zp@Z@Oe#}@h5tkGHm}&J}2Is!Mk{YU8wyuLLCbKYKB|Jq@mex2C^%&UA(dvzOOgv;0 zvu``6kB#@uef(=JjWe!WdZM92Y zS|p?%Tmli0mc`z3dxk^^r5en&j*Xp(sRPgj@gJ+mM*&as(ygnGSmi`VXF)HXpCni% zUgA`9kAcJew{PE8a}$c(tWSK-*FLG;FSXdx(bSBbj4w|lS_4-8ngU#Q1bSFoeN-H1 z!frY&bC1vP1AQ*>UcROt`OCCJ1f>Y$B)M)_|2;3b*&J5)@y)9{yXQ9u#4+tr2?|e0)|N2vLte$ zmp_=7Nww83CTvhikvJrq-_|7pFiUUYQIRcqa!Sf{OJz@5T_`|V2F3mX1oV=Shu*;8f{`#l z{-V)pL^LmZI&qW|H9`3i;O{Y+zCfOB$$up|_;<%PKsY9ST8SGL3GkO8@Z9E(c_g3G zUW}^g5-Sv&9Bef0^P!bI@#)h-!mdl+&XKN1NQUer%MaFrA@NLffD^vvuk8ADYtMKnAjWS%ZMtw)|_7`;Xzs5c#19tZQf^2@&0)A4kPLt zuj4jFM4A&JIzBnD-s;$p`^a>M%HR?=>VuBZ`s#Z`5S?K)28Kf5E%RL`J0N_s6>qL2pnx@KgB@!uiT&i z)In!9Z3h$WVD>wb^FaV--stB>=o|(SgSf$hWyRAnLMg+gB-%oQv<$jR+k($=PN?2| zkz5EEbb-QhL_xfz;k&qch{!5D4 zF(sdi-!xG7<*VQiVV6le{EZ#ssvKH%3DXAC<_xpF9zc6&2x%LThWwJJ zO>`<{Am=`&KjcV%6cuP*QH$3;$1OsXKpN0BPsXT>i=Si{&3Fo1srM{To(rzi3u~^e 
znVam@xd~Lb@gkE|5kft1I?Vm%M*5`Xr3E?tq|*q|G$RY?Vikrj!fTyh(Rm#F!QZEM z`A1d7Qz1B^y9g}-og^l?y_*-Eu8FZbGA*oopnB8~A`!YTRKaF*t%m!TjyH_W&pw=5?sD_axAVeO>+HZqOD{hn(OUK(CtbHx&8CJ2gG*twyeq&AmXZ;Q^O9p zc31{^!BNxRWX1>&eJ~>LjMaCRLWyz_nj3qQKvpLUVKeJ;&d;x3(#^&#Z#%aYjD+3) zHL2b+g3Eg8GI|Sm?U_1F+P&8x2}awZ`NxR_GXB;9T2DOg>$H0z;=!B>09L)t(0U|eCOl)x> zXxzq7<$Tf1%uJJF8n7$X2-%0B=4=o@2b#hb!YFZgrCcMY{9RcHsoCL=~OTfqz9PT6FeXp2fUi-^JwJ9l9;fN z+`pK9laf~!8J-O;BK#gr+xCuyTsZ;!EGm&8glQL#F|XO4 znqVL(etMa8y07#$~tZMcUG6v+qbI}hjiivK0Ytdvj8YC2si|eUK-rCGZk1G1uDQt zlkc_h*v*ulL;69~0xY=iwT2Y(_W4WvwS<+=P>470N6H>=u_s z^hK#M@o7!0gI|-Zh>LEd^U{=+m8;)clvRfz6~wQN>1N)5V~^^a)tFGtlwS2ylCV6u-L| z?N386!Fo@jyi7qG7B2=h>XR7!s1Posk)~MvZ z7YNiqQJE^*hux!6d>!$eb7TX~7be$u$PebFU|atF&~K{}jB#W#A4cq>+K32IL=A?3AYD zHB$78g3$zR!#B7Ij3(>L9J$fb-D!5^J=me#x;1JKMFa!GZ-b)6P=q@<H5YD{BOv|FMzql8#Ir;rfk|7~fHH~TBI&$fV@_V^tMKs=VneQvd zWAP#vOn6$*cSZ9Fu_pvbH#dJy_d_@gN`6dlx;C7LOqu!5osUQ+{;RVa#Xy__Fz{xV z>NYS@kIUXge>VA5sCJxNY*l{MgkGgs>fm2ihgrtUkXg(U>}`Mq8<=lz$TqBXap!`a z6|#!BWo2fFuTrl4UW*bs^)2+k4qRfv@rou;=-5K%*M89OJN3JaOfjq5B)r+71*W;C z_rICBFk)uD7$bNSNGaaqw-?8uLqYOP)=K+fnm$AoHG#v&4GTw8`h^=|s?9w$4V@@; z^{3O5Q<;@nQR6ZlI=}GJni=Hfu2+=tcx6U>UC}xx8Bog%#p6{pFepL9=Ep1>nlQcd zOLNcP(b3kL=l}B?-Npl*m%E2~RJ*b4lS2HKnN^1w^<}=P!x>Il&Gth|W-7YmQy5 zQ8S7TxzODjCpo?uiC+GBCPp%w^)H~*MGbasljtd5{&h^|o7>AlS!IkDkI#qM%SZ|r z6FTLbY&FzRr=dCdO+=Ayny*Sq{at{ES0t_AqrRC*0A9B+#(BY>#_*5QNsFzJ$U3r8m=-^Pau@!}$gMDv+ zueK!_vyer4%i~)|T5hEfKXnO-GhF^rdTb?gZ(MlA{I$DJfqUIyrc8DF;CktGaVeLi-)CNvHZqi zWYE4@=)6agIQj8WF?p)K8*@|vi;wWLO%Xv>MSZrx52yO}o-A&6oit*IT!t7TYxmK8 zsC|I?*mFF-qrb+G_=Bq{UlDE5>adiJZyS!33hpWi>5sk006_1?+%FhZMOzg!d>Pg9 z!BUX_U(4H7IRHZ^%XsY*&qIs0?@qjc@P%g9D{(*OOYCB$!XV4(k9i;epD zYS4;pO8)4GR&dQBZ;Qcswve{y81v8m3s*5esdwn6j<=2#hvP9NZ_U?8X$mqUXbUH$ zRNTxxY+_Sw%&dRb#An`Y`i2F~{rG29>+h5L5{3AF*-$#gS}N50txL~Cg^3j+p~-E^ z&Lc8#F7r(Pn{<0%jOrw-^pZe^9>+gr80}Jn+mW^4A3DwB!jeg1K{rh&HD$)na_rM7 zayG=Gem)yb`Q%0a10dZIG)!S(PMtEJCl!Bc^M>wwF^luI@_DY1GmeU`C?lPkbp~_OQ2Yoa`;RXJ|`STbx 
zN~)H>IoE%GNhYwD4xH=yXYdcD>=#1yG~IdLI1T#rw?KvVR7@-b(*`f5o`E$lKrXCs6SQ}hB&wu@$jYq({ zSo>?-WwcgU0ydr~nij0z3`gcWoZl1@AVsL zYlpV9JU6$pG6N>3GgTJY@`~K?sI^s9>hfBRX%^q(^X={J6?EZ56NQDZl#;m6z#v|O z*^kff&(RTyTRYt=^*hnk3xW!7M9sb?6k0;3PzG`G)lE%gd3kxXyvo$hP1qRtkD=~$ zbaZrEg2mU3l#04+*orcO0%AsB)~R3$cW<=)B;?NO7yY8$7gW!+Jldi}pF9LT@2*_T zuzyx8GAS6Gxcp>gw^(gvoQZFzdme7TNGIXj=## zrNT*JkmJd$RUD5Sv%EUS6HZQo-Q8W&=s6;Rze+K1(Ta$RUaJ&5$)=RJ#Lt5?(d&0ox>OkB8y<4txrYRN+@k{&h z2lo{7k`}6S9>yJ(#m~*@0>vuRc4ud2eC}N0{@GOn#{)2k7Y%ASp5&44nF|PdRcAXQxYUflek0%ur#o+^_j> zFQ&!rvhcKlCvUHgRoZ`&eQ-e=PY|OY%+EY~o_9S3Umh}}jDLL4z)Z6T zzP_+yUh zYv#~w)6hHQ6?BB`dMCIbINrG!!e(%Rg|Lw=-eaY@0Tj0{028S9ssXWdN@+rq2elLb zE?6OiKY$7{!=e`+lI+vM?XzwoQ9Qa@aPTY9ZzK|&O%jkfDe!%)^5;}QUWq&`l}OPp zvpBuq+D)YR3W>>s~;faC(NyB$z8OY|!#@}xZ(1!IEb#H_keW5U_$Hc_zi_ocl=CJhKIh_pM&(DuE7RE4A zP#>{K8rbBqXBa^xre(JV@)|lpMAUqd9hUeGiS5{3U{8QMqByZjjjg!StT2M<$uT{i4vHs1C7ux*Lz%l@59|rGRh8? z()>F)vQ+!KrKAE$9pl+?WY%K6MJo2az)SB{c$0PM-VP!3y(y=GTuSjOH4hNr!ef(3#$K+&K=La-Y zRBArH`v3yy>UqEcVX_;Flb8PY)CD?tO<&B`zl-{bCIsT&Rm3Ev(%#dwHb}6o77A&S z32rvg_rrg)k(x=v+jb9Ens!18S|lM|bkx|1A4Xew7@uCYsN*I_9hj__C+XBGOs|p= z+W5;TA|}jCbJUlLifVT?q38PBc=2|WQ z`n^3}JY}YcuRTrk0p45|>Yl)=@CV3aN+C-pCNI&gl}UPWc2>h?;`=Y^SLA!82NIWr zzna&T0{frBZQ4FOC@_HBt840TZsQ||E8bPP3k0j`a@1sgPz%&ofF7BpJr<3Rs0HXz z$r+hi8+!NIW(>hrR7}jSWgtBLf|ZWW1nw@yZ7dGgOG%b&)VTv; zt>bMv3Ip<30w={<2&usW$km;*tA7imhg2Y1^9n$pYKN}?SmIdu6A(%?;$28Ga6f?- zvxwDTD@61@yM8c;A{6f_OyjYZs3w3?$N+M_VNWGOv0VD$!d@Pd;k~Q#Cy$hVi`8!U z>sKfixxgCRClF*v!qIjXJEhe2Z#6@x4-dFE+<;lN_z*B1pUa}9E?71m+$!f}?8m}- z`UHcC5A_p49W^`gnSR226LxG(0@gyoOOf zJN;a}mk6H5kn!O^y1&(0S{j(O1qQc2hl!(q|7KuGL%H5r&@%_;#@Oszc z;WNuvaI$z}$CkPnuDPVY+kT7G0+3BUx7r%>M)QHH} zo*wCNW9Jp`I^osWME93I^=>2Smk;zgsgxjxhleq~8~@am-jI1u`2}TNr^Y-K7rziO zAlO*TZaGT9QchVMh1&XiRXHY<|F98(+u+CzJ9Kv-)1XJEgbo07k6vY?BHV9tEZS*Y zxm}a{EfD!3m?5>Bb60fL z&aBRKuez?mCoQ>b?XFHRw@#P+LKQh$rQEKk+ixNPccf>Ivs3}n2&_x|@Rxk*!y2kl zPk{EdQ^0f%q!w2(5&BQc|7%d<^A9KkJ}V!0>^^{jCNIa0nKee`>+92*X5U9YkdGe{ 
zK~E`!fD%S%v0hsdwGgQa+tvCHq#3L3)nyHFlTx}CNnKIa$(xBw^R!XZq)~w3_RBKfBa~sj z(UE)p8V?=k@x3}RKpL&^Y!$mXL%Gk|@UqsZYSnJR=XB3@YhE)@$Uc=={=Qu@eBnKo zjY(F_wt#XpE7lgki0BJ)v&{cL&fYqzs;>JVRl1Ro?go+W?v8V4kdP8VP#S6JkPcDu zNFI=oZcs$JQ@Xp6&bxS?_x=8Ek2~&Pj)CGnXYIY$oNIn6+p(nH_eFb!c%a=E+oDP~ zzrQlgd@tW#Z`Y^-m7nE2%CCbr^crAHwOI_72O33uBlsY2owV|s@NCcbr zrQ(G!efx}IyzZy`b$v1@#8xU~l19f9S8n!mWxUXly&Nt{?nwH!YyP1^K6Lu7$`!>z z_ismZ>u2%3ne8cn@+Bi<+#^Bwn9?vTWtMa!f(7^|(YE`(RCc}aFY)>ra0yxp+;xSW z$#*(aIeoYqdeijqhfM0idFH|iK+b$BalQNZlPvuDi~+7EIxMTf@IWpUZUgr#KEbbc z!t`Hl($M6?By&<@7UygS^u^i^$EJ}VF`Qlw;xOz@M}{`ta;@G(DkY$to%33US!`_` zMJiCR^1uRIZ|u{6X{eUg3a>IH;cg_0zYR#&&F<6wvZg@@%No1?nzM*6fq|Yg*oNjD zhY=g4Wz|5RxvZAm8BH#`?Vi|j8-#lo1T_CgNoMGZobSP5)Deh53JEhz7~utKLlLNC z(ixKXGCtQO%4FTY9xMXvN{nr`7&?V19c-Ia250EuH(~NRI>CU&U|Co3H`&_U*?-2N z_A>#gf!EOi{SlXFSo!na504Sq8^7#;8vDD!jmg49M<=_&_=}m!KNTlHA_knHB<>J5 zqh~w_pGvBB|3N9Qsv>0VM*Z$TSjHk*L%>)_&i$hdFX;AECC?0MBd1pwu$;P`+#ngr zkk64jF!=n99Hp{;SXcv{Ko_##{=nf^64;h?sgT}2!og#LC1O!3S=PI)!=;>|SgrVm zgn)eB83b3D$7FRcI6R`b-G{`P>g#30KnTk6b!yQ6MOE2>Jvx8z@jPGIuu@* zqd3C4wk4e|)IeQd*lO`XAA8y78|y$qfRbH~)&X@k>>3P9Lld^M(Cs9Ybx&O-bF-dZ zq1MGkF66FjmK}GLtKcHxQUrbf89|cH6*ZE8qhMua73Kh`ruW~ZNq6v< zyulamwMi!FRE&X;|%j(7s)Cna+j~>qEM*p{$s`R`H^O(nBh2SmZpSZ(fU+_+ndUk>Hg;Pc||-zDuKjT zd-eZffi!4JMcS9xCo&Hj7QgcqjJ$c97yT8H7)eQ=a=yb!80DEEaamzB1^CCCoWUEIBD9Ap{Vk zh))sxno#bs(n14pL6X@Taae?T3T(H`?}2IC9yyE++}b;KU*fR_W@0F%|X;m`;S zg69rzynA2ar+xXNOq<`u8>Irm^eikal4M_a`>r+rQ!IU-g5K|JJn`W7wL6%5XPl>2 zka73P@j?~tZbW+I2lXAAsTz#v3ivOF#)*ICls+1lvxsCP*J0QBl*uE_53$!FK3>K> z8~!;tie0^b3ppT)@*3pgdmjwZ@bakJF6W;piJ({v}W^m#Vh;*FWbUTgd+9`^zvHRA=4#O+mpLcZso9(KV-#aym%dy{bcybmJ zmVzsMT?dcT>QKPY%zH=k_1P3sI(wPK`%1n4&?g@T-1`p`dk@9+3(SYRo#=m^^;($(V>dU&py8*Cx?VbC@fcbA zOUnv11(}3#3mIr-f4hq{6_USnS?$@Sp2eOUn{&7Rx2;BceEoox`)2588I*u~%zSsI z`?1mjm5C0{yeD_caI{Kur+{c8r*+#rhex`L=+8+h#;VO4HeL4i5u4qqkf}~Y+p&>Q z+0RU1@Lk$5op%rOfa9SAXliusJ3n zr>*kAqpf&*iacdy#bs`qo{*D99lkURM!wX7`Pr-z>%(^p-r^m@2Ly^a 
zSkwcjPj=p)wtP!{oBMycfK~ljz>gsR%i`ZMnnjmetf~@*2|fBb0Tx;K(%An8IHfM( z>P|^dqT)C*UKb>X3J8H4hTpZ{58y>f@~ar^|aN54R6yG=2jr zdUlFv>|VEtufA0?BpXknS<~mO@@<|Ty1GciVnr?50=an1ABDs^|GXQ+qUdF%As_S7 zNhn$f;i0LII~mhS?L$sgvKvkM|A?oo4?)reGcQ=1+y=tYaog(foY-2nN^@N)x(5_> zgW?fxwG*`I3e+IgjsP3>3P6 zwWC4@H-)e>Qg?UvNk$By$UkkDl#rk*FGu9|xo~X%{oDM<2Lm}p#b1MixDpZ)J?1@x zc#BnS^ojoiIEg=WCRAYtOq(nSF>%U0)0tn=ozGZWfSqa_F#JX0M^%iak_S#Obos)< zQ$?i(L)y33=ZaQVgrDKgzKcHse_!1B|q!i1cA-P7fFEamgfj_(t59#Fz zh3g*p-;36UUnh)4f>M#3j7KV7%#cq?N~)x(sVMyuosfu#t&k1G=k@d?Xtl`5$UGq= zEY5{OaSL-yfk)@oA@C7VYW3fJ`OYp zxKmS8f2!XwKLjCv ziHpn6y+cp^@7#Nr>fsjq2glStR@6S?-6}3ERj{>XRaQ?7Pv36?y0hdA2W905uK_#% zx19-ky=~jxI0J+FQc@ohK3AA<%;d#T_Aby5m6=Jt_w-~{F0wZJhaUD%5ju+mFrT-$ zFsf;74q#uR@#0x;d;^YMFXtNE82H5lladI5lFrRf)nfYi{TFxzUve2x)+UH=)1>>J zO);ovs3eR%M#I7iZftCXU%fzJKL5`P+bJDTqUkkPwxSD-U-Y=`Mupm-kH8%iZy7uu;sS~Vg={8(RCZT{#Is=AkBTAl_@7p_Jx`np`~a3}D!(c}Um+yX zV*Cyy*2Otf;HpyX%GfHWQDz!g=wl&3lkUW4b$( zAT<9LPz%R5K>Ax72%MV!dgs7DU*|-xS8Dt&jE;=fVmDw*!N-3VU@xDJc2lr^UypO|$8X z``bwR7WqEhhHKxdI>IAGXm}bVvo}Qmzn9DVjDmrIfo0rPe|*kncTrTxNgs_(QHO+w z!Bk#n(KgG^iyPRBe$}}FF@&EbZtdxuA}Eca=lr$$fgo|TY!RqUw54`uJfwvG05is690I8iMxEf54y zP0vj00On(`=inpOgv2z7(xVAsNL#aJD3hh_A@y>TMUugcby{L|L(HKFtYhlcvZ)Y z1sFjAPdNUm&!%5rg2Z#|SN$Rd`qB@f9NRJ>AVyhw>wyAP@SsB|K(zjnBa0>k7ApfL zlxI7=q*H8ghp2aZLMaxVd?fa8pO)GzC4S`(cTpw!G>G}d}PB8YwU}KohXGIrK}qx z!^0VLFP><5YBFmFPQAL;bH6jHSbe^>`n%{5i1yf+zdvPQoNsV@Rya^eXr3wR!2x0o zC#ale?P6gSVfPP8^a__Fs?OM~M>UgcZj~hri8>q~iRLuXpJeM~NDhd+iNrwdaAUdw z(;-a#7tiepdZt?cR4r$E`@MTx>%z=z`KP!o!YMGcscD66!okro+}XZiJ@pN@c^i_8 zcP~)b@Pk-Skeanobm_T~u~0;ok#X#IbA)O?-$a@&<1qyLX(thr^=)e2s8V{buR%Dw z4Fs3TrUvT1A|LxycN}=ou(Pjy_u=Yt!;S4^8mLK~cK<-1&UgTYFVIpY=$&_XPuDnn zYg+_*0-bmqAtMykj;VmCLBHeG%FVvcZvw}(;0B$Af&KPclsC+*98g}}7H#}Q9b|OMNd8q%lorbg1R(E~ zliwAes&}T{9O^LH_#;Q8Q$tNoO2RRTsVa6xC8QD(u1lvwfMb1q(Zbp(+5r{Fq5NPZQM@kMxrhyF&z;VjSJ%{9DhU@4o@vmujpt9U>@l zJmh%j4d-AidBujJop1aIlPI^_5hB5hkc+>$&|BAl5qt2`!(Sq~2#K~WK?=A;77Pkrtyp7M@mOsK!=siqLsnXwD 
zNSdj?H}35g#;Up^Wu&W)mAFE?xn6kZy*jKp4=g(B{th&f`B6_}M>;p zGmxM`$ozFI4p)UHY7i`;K*CmenBr;T4SnZKpxno*LbOpn0E|@|#ML4Xgrq-Tk+xZg=tr+m; zYTr@YVWp5>?zdc1y$3YlXcrN*5SYZpBBH^j*GTcu)G#|~5#(7k6 z4LB8{feM)%6QENoSn9eLMolEGqJlx$ww7{FG%`Zg76g4EH(@)B&La((WTlp8g}p}h z8bN3CrP%V-y8H}dV|YJ^R;7vb8CEms^zn5eeFSV|Y`;ZZG(LSG#7*_pFBl;v)*j9# z%~MRoMnScs&X+>0bnteFts;gtT_KT(h>XVCNo()(JssRnA~XekkH0X!6*9o#x;epI zN-t~;TFU9{Hh`a0;4%y+o%^2O>JojeE8=~1GbwASWVHv%YFwIRpb8#RxD{Txu6e0a zj@L$pf5K@3Dd2s)z$$+=h;nhPirLY`&%y8cLGKA5!6Uq#6e^VryaMwVWy3-lIvdqb z?1}9r?-qehIaGB2HQXNHG9$s#t(xU;w6z<%Rpmb5Q1&yzY*6v)kAPYz%I==8pUl%mW?~)!u4iia#PCVYmuIY zZ=&t5aecw|_owm@+4z~_#Icb))tB32DD@z1?4!}@6g)tDI4&{&5C9Gw0*Ax=Wl74+ za90iAyuv%cQ6NCUA_>PdCzMU$P<|{L2Q^72d8`0)p!tDR?GS~i`jz$xtM(0Fh%%Df zyAF4Q%GWsd1_G#l)CKfQwNrP}v{GFuyi->fAo8ccc*lZcgnd$H@6#lX{ z^blQ*KPIbz&717}t~bbBOKs0ywzIB$1)}K3C4q8Klm<6d0kRV&gbr-6heTIC+Rc%? zk6|dMZI}hw;v1Anody5(0%%fTi0Z+i6lovI6`|nRrESb{wCJSs%{szXXehA-DWCIDrR^+;<3 zMn$Sp{SJ~R@ERJQpS=*4zRy|eE>k#;E{d5hGOP`o-uNBz0`m_Kovp#xlvuL$=Oj7?1`rx|3O;sR#0*pomq z`0Oh*wl7KTor15E3J1qL%p%mR@CnE%?wbB?A@M)kfrXuo>znvQz=0VC?r!-jPe~_?(sy=J`3#8dVcKM%9dBf;we7f@dm4RJQ}Ggx5=_~JQ~)C&dm4z z4nVdCxjBh_xwlSBDi&6lS3rMBW@NQj(`hb*#uh(MB|hYbG>R>FBMGz%gJRPV=6<{} z$f|%Wgq7p4%#Yt7(q+=bAH_NNI0d}s^eJESSZ|JxRp`kHbPzGX^G8SYmqUy-k_*v@Su1&vlQ45%G}VvhB%@2=OV2ScB#nJQAiy zBV1Cka^mO7zFQU^AZ=Ojqt1mhi1t^fQuNo6eJ`Em4Y@4*f~`YvK)dYT@|>kJbJC6Pjqa3;yr!iUO*oR<$!knICSRS|cE;mdHihW&k?bpaxX$k=QnR1@lg2x> z0+mSB+1UvE<=Cbhd=4!x8*dGnLq7HN^(Bp7U7u6G=1aZ<;nws}Kb7^o!h2#fAM}hS zj=$lLRlXL#Z9XOX!c2kWHkz+aV!kw4A#v=*eBfbL$Qnpi1YWcvjty``jKnb?yu{Zw zO%wA>h%!`VcK2>xf_ET|b6WWX;f0fcLaWdRQP5DF#*k)|vt=_2`HfC!K7y2p>SH<} z{iotB`mS*+TEj=WP1a)u;k_7lxSS$4@H3degjZqKj}?w3EmIny@DoMYYBeF_JL<9? 
zTQO%E*}2JjmSAFhMNN{@Okb8HR>*RaIH4B95>II)F=FC9-j0y~2BhyuT}IUEA?VwG z%8Ak&_(w;E#pEEWDo6=GL*Ix<=W#&*KTDP%WG4zi9q(-=QZieP5)xa-PEWF=viFk9 zfbff&m0rxuw`!?;!$UEkQ#bSa+lw%rsS@d6xA_@OdqISDAA_e?a1G zuE=jWx#XrBZ;yz;eROC-ae_egcLgb@Xv`u}Y=k#$QY1XD=%T13@vcs(8TefR0Ehkb z^TjvRRLPYnUdW5;{GaCEzEph0A4{kBQTXCVa&oHeW|u=7(ywoH=;Enncw@?m1M=@~ zt&dTV*Y%H7w-E4DB73(p5NP48H^(2N2vpsMiVRkV6xLWTBfX?7=kru;JhSM~0f$wV z%KIK&P&&_`z8w3_M$dPnsVQLzV#UJ(Y3#6BD;HHK1J)A5%7J&EnfcwpxiO!*MNe`j z)Qrn2NF{paHqmZ~DVvsF|S z$TL6P-Xoq!J1j<+kOdwjp7FI#V;kmiI4)91PUR<@RUs4{Mdada6CwI0X6F)B6O@X% z0eQ~jE2pd0PL}X}evHseXOt)@)Iw9=D-|Bf5}ha}s>gK0atPs75V}sXkrq$pNIfpf zg5r1eYkESLtBK-mYW!=z4+c@j8}D8YJng1sF1-9pOrpCvIwtplWuVZ5Bu5I3O}9AR zElS~VvFKarL%O{G6{Dxx3Kg-(SXysNm}JOq!(PpcsI47GwIl5ned8n1c8koUAi8Hm ze>NkkQh*9hFzDqD*`i~Yxc6DDLe%(!6H)1UZf#l2X$ax#$gKRU)73W4lsBdI(`a8# zTkrdWpOx8%d!cKh`aH~o_@Xk60KeNGOO&5=p0e)U%bC@##R9Z@EtFRwpgL);wc zlWgvgZX4^&9TT)Qw)7{_y9yo6jkOEX_YXdjjlNDF82sicOKGPcb{-z^n00t4PnOWN zg9LW{%yRLiE+4}QHLeLtRFFBzz3asxG%oV-8mp2Y;S>T=91BZBYDK<9RjA1CPZV4) zKVU`3^(rMWOQ_RcV~i~TFNf2BPt7{2ukn@DH5XV?UgvoyAuz(PvJtWQ;}R$F>$w6% zCeIsOaBUsSn$JWoPRlxf1t1!RFB#ES1h5fs1Qv;^K<9A9`LHPy20B9?ZClL_gJb+J zG(XLAw?LH*@G5c=N}U3X5sQT1jt|l_H~!5Z!HEB3RUYA%MOU13C_4kQZGooH5)w^` z1RiAV<+^GmU?vW&wWG-ifOdf1+h@l5fGz~aMm~ms#qUP*Mv}v`fjkn&KCGz^d#E)L zJCtF7X+iw4xsAaj>UOFuFdx5LJbs_Z;>YL@S zGe5Y8Tn=B8h@DtfIZ?19CZpN~6;Z`)IMr(y)l}Ax0fnLM;@i3<+{4q!N~@GEXheSc z_1WIDK}1IQJSJJ3pak;d`8hXCQ&TXEbq<$UI)G zLY;2C?@P4N=CkI?_vxc`&kYVK6K0`QlV4z7KYlVtNy*XuK;owhtM>I^)5^c-&M$k? 
zZHt3qQ}AeS3KjRq*IVz!ADIp#iT;kA7~$1Iv>3BW3f%TO5vpE)Jr07kZuWdA1W57w>IfeA{KeKPeD}zPOCZoD-VRr|cQz1bKrCEKhy}q%Pn0zvD=L zX6Q-GSh57T;ldqqx6pYyZ;10O?Q`De8=im!(X#`b3l+#mLqFWiyKQcGEZo`vqx?{0 zbW^{}r-il?2j0}$LU}XqT1%iQKJ}7t54%Ts(u!6 zQpplK8%BCs{5nmAO8d5<1E#HuC6p~1#M?lSWY8e{MJcp&&Rg2KmTIW^1qOqMdSIyu zK6XK=D(4rn6Bn5aZ7w&Xe12hJLyc3^3K88QY{i$-blp}9jlil_Sm5?5;}NjP<5~+R zVxw?xq|{HG#+jNzUCK=iRh}`Y+jylVv|8G+A%UrH32R75NO*a;_*3CC%RAC8tWe;N zEE;tg+7*sPDe8VQ(6JHqh~ANc_6O3b5ZUh8$hgwy<<^z?93$4;FOaa&3%5EVafdT6 z=Jx6M^l1#*nij(4oyf05DQ@f~PF+CHBF-4N-S!7Qy!m^f#D$%~Jqpn~Oa~sjgK|pg z9Z26ITB^M8SOhldF7|eHk2=IkFAsN~r`D>lXV4ogGB^@}bLDez@#^Q%D7|!e;YfjA zgY<(WIm$@m4z{1O%M=5R4qOA^&k<{@k=Sdr!Yh(L^c!J6)#ZnT8F4PPttC6APT&)u zmOD{Gc&82R7K|yif6mb&XX9(r7FlA1K8XwvnzdlB!b!$tUp@9`XufS*7^giTef;mm z1Kh*FdCXnVDxTAkLG4KLaCSx!wFe)WyPT4SOprN2JGG;BTt~{mO<2gT=SPU#xSlS` z_*2H0WrcxW9{I7^_Bf1OYh8Rh+MGItH3#^osR01x78I&QG+__2Q=q002 zR0PUW9k0_P@3H@fYd;xlZ9XpKh7kS{7ZD-Kc66aVa$TBjo_m#Sq@B`CW?aK&yg?{_ zMXBdFIrGE1Hk&tz+(LvwO2?SlSfj}NDeH=&T&jVF|0H3gL1Pkc}r znxKm54oG0h<|Rdb-|uGmmsJmj{m&JzWxy4$$;wt_rj=;mv8}u_Z;HDD(9yT?M4`-f zV%@!Fb&j$LsYyeRuUvPqlrt>8(wFK)`e{LS9>HrwX-VS|xL3g62+%9zsg&62PuMP6dgM8?;`b8Gq&WEw5A&%Jo410T+ z$?U3k*qS!hbdCOho>||AS%@#_r=|v;yg%eW;Gd3F`)etw^jA4mXL^<+$~O|J`pw4s z&6HFmUvGwAiv-@%SQ-m9YcJ#O19^mujnNsCtCb*@jM5H6=>l*KUGb|E3F*_G+sPW< zb_3)8US^R6e3w{@pNdgZf1cDGtd)svk0>)zK9kw%U=%jdV0MlA7`i$@xfq*&C3T=EMvy|5or z_jO&Y0P}_`_8DM%>zN^)M%(%yzRuG8&s_kcj^Kw;2cHr9vwt7Df1kb1#}D5qNP3-v z2jRaD$0Pco%qK4cr!y6HgyQ)nC8+@l%kC}us;_XU(c^$<&+}U~Cl^Z557_lY&?1{@ zkZ(*Nd@SNgGS_1GWQ(F&A<^$(a?AhTej|Kv#(f?kP-~45pcEctSCljVWwy?^uo6YC zU&8Te35t0{06cRefYBUnI;$gqQAJqElX&%E$Ny(DqNxC%gv@Y-6t6iVSO^|~ixisS ztb_0eCkQ@^GSH^01aVq}&!@=fOb*wz+Y&Prz8{GA?^+7sfZz3^z;gE9S$0x{gpi9L zXVB~-Khdqkl)GedTqbM{-$%$EOn#|Mg*r^B&5dIx<4vyeDdoSvkA?w0y7bSEkQhdU z&Kbg1$CcFlQX}ITK1>)^gzXfHqyFwA4`W=%^A-&Dxq%OVg8iO6O?l65zR~bM``4-JMjDGyE7lOTynZaj%GV$LhSAfbV&BJhkyuQSA@!8T z{K86*>kpNkYmepzg6m3UX+>JdU#+)4>=h5UO-|yW$MTPwF~Oxbk6du*SC}RLBv@_0 
zRVVTG)24xIU+k}5?k?4w@ciYm7IJpC%STVserVOBpSM1O5w|wZW0cnUz0{PzMc+1j zk|ly;fqzxiSZ);nJ~fRi((GHou?Yd66L$coynu3?G}NOgz)C>NQ(Y3%=ftkh@I=RE zn2iC(@f~I(!J#rOrIE8DE%%j@b^j>P7*A!roDz)kyuRx=Aj7AErpM@>yro4iD*3ym z1Ywr)IdGwAaPik^13b|`j7H;Zz$=r7$Nd*L6Rxr8171Ry->t@nrC(vP&d$f>Z_?kq z0*_G^8oNmYQocqrWIm019$r zKFcG*AduJ4C^s3tEF{3!Iq523_4g2$8-Ge8{JXAf0`XCd78ZX?=rNl#pGeSG-v3k=oI~13=iO4WpJ1x2Eld*@ z76zX62dZB<8h2}f=jDX}BQ@qI51Lxm9idQ$2I!p$jeSq~pO3x{FJU)rLgQ$;pfl`E zF&p>*Y`{6%$?ApZht9w;cKWPyvo4W~4sE+7_Gh3KZxK^YKrRA4G<}(v+XNCcjqdp> zjGj!Vpbu5gHLmSuu}Icgt3SjrqCD)A^p>PX?mq4c-F zP6IGy1!eV!dS3FVXWj7udwBvTm)dB1fKf6+7A0z1*;{N zT>WT;dUm!;Zm(`hoUXu?qss-uV;CJSzxR0PlHp`kk^t7L^n}tWRkHLNkN0sAGhaf3 z!;AolsC$%s?A^)cFycc1DT(0zBo|Ql()6>bpB~KCBLb<>!gpJO>28awPRY!qG%;Id ze}Fh728eW6@JNeyJaRdWlKT9xMKICSrykNiK}Q<5eTLxSKvmZ(2>Uxq6kgPUjsAx3 z59B<8OiNhGv#&<|Yrz{H3&3+7Qd*iqa@O6g2GE1q^IU6&4w_=m3DIs$G zAu~cwnN_4B*vQ<8Il@wE)@r)meBATx1K-EHT{T;y6JWdep_9s+@Ie&91n;NoBb}yu zsCCQm?`ly}mf*-O&=Fi##e)#f_4`1f1m4(!pUxj9rQ?7Ktst`~Zlsxr#~sd9<~P{H z`yOAQ5*Rrd{UVoAKGr{KBsTxCP&M@ovSy-G9OWB(jJI>cSTND>y0`CJzx5GMx+H83 zUl00A{IuPlvAP3B!C&)TapS@qU0A_x9r^L2IapAhXSPiKcl80QBUPRo0~tT$h%L7z$5)m1@2k8sZgZ`1jF<1yP5 zOiR?O;bf%uWmg>S6(b8LXV@3sdsN`xtGIWh;Q4N~3kr-`N$LP%2-9Y+V#cBKv{cZA zh%&5%VsBl<$I;Dz*}bG-LU&`ml=aPeT3NuZ6YHG!ff<>(eBD4QzxI6VQAZjLBcnXk zH_4Oho83yyHP+~zV0419k`HGAJ?hC}fisa$d(8o%o6BKZR!hVADu;V)w6Gu(V)h8n%or5 z+32@F&Rk}mnL@@~NBpu;Y}TqF!W%=zPnJ8KeMHPDhfvTpQd2I%cSt?%- zTLduS`t?FHb|!9jp$gqov!wzkO0$8Uk?hwL2S zH#rLD8+~8i%mT`^CfVG((gRmXlKMhpmby7Gf)1UXAB++y5L3D19T1XTFDPeaWhHn> z?#Ve0j%8CFjGQxlm!y9RzXj&94y(SWS=|KnZ1!~>!FS!i?HjpgZs_|NQ*Me%O}#K{IZ=!qD3HwV`T@5g z-k2j+dqsqr3!xLVHlLSM{=AIR7A(bIt4aCL_)1dBQ=~oV<`HxP>pL2jB%>oTtC|dn zh<2gG_yE~{ubNec-Ono)E?u!PX*wZGuMd^K9({KuqmhNkyKQ19%a+Djr(Vk%C0$$y zeZe+U0qzA$+Llws;;#4I%=hN+?-Q|~+447o()J!Osn*uQsJxz-`rq<_M*7m?MgS3TajYw2JZsHkgYdI(5VJ#SV+B(1v2Al|7U;~1ICV}G~_`2Nc8jgV~) zJyxgTGV$Ky*ZP}B@l#2|=Vy=i_TWd(7NkVxEN0D({_mDLz@fFEye_5n-C3Lb>*CpQ?|nk5xwWGD>99*S z^N5V-H%LD|nS;`i)*8-Ck_w_wPJEbz4`@ 
zvGP)B-O1OQt<)py@1`n{ZSaetUjY4b3K?_-fhvy3bqMyjgOTh7LxVHXhgYHxS-C6o zoUQhUKNQ|AP!r|G&(}DF71Jki3j{9)tx!FlfK`P4S@~A`+^2kEVmgl~k?)J^>Yt?w@BaawcaK(AIsgB_lqyy4Ia>CGBY?7ZFKx{%^`{5o8k$!Y1;2yZhO8?vhXe zk2)3=QT^51_ZeN+TX^xUM+@0}E&=c^Q(LlU3}T@uuSRlR)KmWQ6E)~z-YY)M4S5KJ z`wh@b`VpwC;`ApVqwE$CaG18J0(n=+*)UjF&fd1&HxMDZK<-JzX}atLq92I6y;N0u z#Y+>7l`6!mWap>*0Vjm~G`qwh=eX#dt}cJ5JDORC1#tF@KBoJ^zbzA1u5hkva(6cW z8MFqsbj%yyp_-^n!Ns?U zt!VJMi;;~_+s1k-SR{Lj*?f_fWM&J|^&9DvJRNhD9;Cq+0uBq6@_G}}UnTXGu6!nx z2g{34CDDA=kHSbzCiy?>;P!I?29T~01&1NA?b~6BU#}4z+R3W}1lBulfn)h#&E_o) zb_qwU$29|DXgWcz^!??AYq`&*3XuEz7&47U2FyA`->ER zzV|-<`gT0~<(zi*`_7GQ_BRpmz6G{o>!~(9-IrHWdA63PZMm!qFUzx?MQmxDJvSkx z3s;-S8hiK=jQH!{=5}`}WNU0k@78%^%bZ=+4^qxgD(?{9M#3cSZ!i_E0RiE3%FiT2 zmW2R)tnIRIMN^@n)Uw8PizjOh;F~>hh}DBso-)bMZVe>kc#4GH6wlC@oN+r|D~$De zblrW3Q;tN@hQyOV6>3_3{%R^qSZvuHcRY$YZ1B0nh>tHQVZpEf-4(LJ605Bg!Ef4uW0L7rajM zl5;VVH@l^DAm}yUq{o~) z2MIRJv{i#lDJOSfG`9OpCmzu?|2QqSC$1*)c$u$t!6z4;!C?aA#;|94?`H*8DWsU) ziRMHD#ZpI3v0~E&}a31_4eM{+SSKZo? z7zvOl94e4n<+d$ho2OgXfPD2EAGULCAmbmI5Kv5AHJM|;-nZeT zximd%${cQmxXmf)dl64De+IMqTeSLSTd>HVaCkS&uG9WHNpg%^&*3<;9u2IU^bzh? 
z2lGYs8zV2D2L@k6Zo)63cs+UJG*PqfH2r_S6xE^^Jgp9?#|##|#cexXfh^r+=3kJf z=em~I{>cI#8ctEq368~3o3KZ<-IH{78w?>T{+-Qbw=U5|pu{Y?nGavY;->gfQz zw(qNQI*S5R13q1wn)EWCS4xP|qMEFw-he@Fcf-~%mD6{7)2A{X+h1+6zWalDY?N3_`X3*0 z>Z@wV8qQO}1o>0$^aq0*qX7)aoE*Mw>WkAfiATC=ueBYF_0Riv`|;)0u#~);P0esj zRhay}dCVbhpB=J}!$dlY)aPqU&Yj;xp*}29HOk>^zW?k~>D&}L%3315SLlU;=BG4p z9OhDEBQ|5}w2(LV-fhiZMUK7;sLdCR=o?K8OP|viwm00L#(0_xPY^n2#8>rT$5Q@n z{5b8&9Nr_JC~te^3a#<~3NPuBS7)6dU3O75B0ROgcok{%ZUM^{c4JkLKh4)zkdk5d zF@HSkJut1>hS}Ox5Hv3!0ZS>s*QxC7exCD_U4$fa?g_YUs}Oum`Hq zCFvzPI`s6Kb#J_R_lbs08}VJB2q}N9ia@2eiR{~&TgRyKvb(?h_XoX79UW<~3S!AS zFX3tq1VS69g_dS5wBwPpm|uUiMm!Y>VD4}1xI$T(B2SgOCp}F}C{OmIf1VD1G+V65 zBf2)nnuvYIm0W_VI;HYt0`Yw>GDiXVVb;lVY+GExFccw0_V@4nu4rmA=C`U8LUM|Z zj97>^wU{()YkZqSZY1rlJk(KU7+Wi`9Ln3hZz3mFr`pUMSMphEC(t}G zOjzc~^t*cR87p?qZ5%V`b0r_iAHnJFX}i|*lw_s+XKyA4&12;BS7C4G8c5}V4-hIq zh?6&5@5?)>1oxp>{Vu77+d7@dX2)FqeyPxwLPUm~1R*-bmUnsnbJ(3~-Xm zMQlUwI;(U(Te@PyN(HYan{2^5#uQ_$k3_dDooiY5KBhH!$B*iDs)L6xYCC zuQBd18k|<#{;-UH;ou(BD-zyR)zy2EP z7|<82KlBA>%eYX2r`=|pCF6qc`mNt|H=AUi199OC7d@&VhXR`<0&PbOi*517I@}2A$V0Rw&Yp)fh@bNzO03 ztuAwpTnXWLrk4&e8n)Znkc!OZFAfyf2Rn zRnhF%Wd)uhzXW}6ZJuYm_#-|7$(pT-XAMPuJc&aq$wWj%X{Cx~i81|lT(`E6?tFu8 z`FOsjop<}Q_SZU^aLd_rcAxu;;e4+*kSS#h|Ccw2uT8LCr-m!pz0o`hyP+5xM^hY^ zhGvPH{SlmfZby{CsM12oetb7$w%RA6OOYz5yUN}mPhskw(q-lo#B#YL1Lc1Q|30WL zpO6|DaOsWqVpgtRqYX4Qg){P;?vCm-Ye4$qP(m2hJGEcP-63QU z>Enp$%!{7H7qtRL>XPG_YHFKYA38--wdsq#D*eJ3 zeuuW*NrI!&Efa9pUsbrlJtL8f?iO|Gep%x;q0*Ti$e9CqBbHq|5Zi#_9Db@A6@OtlV7yZ1CN;i`0nJ)1BJH%itl(a9E4!#rz#U;(-`gyYo#_Zm54FM??rm*54rhJ`y7kTJhHX4#@IlWM{XLrw*b_dsheuH!$RS*oN=Zx5jKJv>Hl2!a!) 
zEyNX5*nIpQK43`OQ`^GIrgsa~;Yj}gf^9$cP!Bv^+tQ5aDGq51^=xw>R_3(vy)tfY zN}Imlkjx?*j3ym{Nz(I;mnM$oPY>fU;bB9({1R%$*sRJb?(;BzIHjR8@^Hbt5z|L8bRiAAdXz5e~hXM zDfIVhZqakla`-%#23|)#_!!P@Yk(?_cUOMzmap0^@cT@08}#7tM~0G}_@{E+^~ls; z--cPY9iR={IM9kkHE6nkGGUpoPLj<4UX61Vfw+wQFJV(TwJr_y=EWv6Jy(tMp~lAH zBtctkUB62A;_U&z`?vr!RrNrm&ItmUeVo3VH!&(bc@^kNk&rw4r7pHaJFx@jWN$r&_V zg}I~d$>YyO&wW$PVvh>9WY6K!5xbzi>WzOMEN?B4OB4b=thi|1`&Z4HI)eKlprqY{6(Cw3NB zR?>34K-La#NUM%U$;S^K?+fbc>L#ADgin|Zh`0*52F)1a5`9F@wpiv4*1@8>#+8@5 z44FaKc!6G5RQUs1gH7>!N2>07Y5UTXG#)aMGZI{G=5gR`;(DIH&9dKvtTJu`}1Mp&%=L0Al9jydHo7)1}mp$tSs ztvIYD;LNhcc>a{Yh403=&gyjuH%`ipvE~lVBIT<{bi17>#M&a-A-!do9UZcdl9Pt= znshmY)sX9lt@f(Ut2W7m+=gAiZ9=d)ef<4tUeGT+6gmM?3j$ObnZfd*uP#}ZDv)IM zCL2Ig{_zBcoA0!ukzB4+Xk}{pcqj~u86ae66kzTgVA;VK!;KIx1(6Nh3}>n?6(KGT zA&0fppv^w{m^vyE$AWJ64!rM=`$9+qEQ3ILZ?Abz(qHSf2jLEEWw_in{EanI3?dj; zQ=taU&Nq;NIsYEE%Re}njG~lTIeNxpXqpJei3&i17KP+Lpl>^g96Hp`fKm7H=68Dl zNiAXqL`7kd2s_s`h2TAUBgPVYvWUjyLK694%lpz8tmwu)vx5B)F7_do-8f1rW8 zO9sbJ2Hf2E01MB`-9MkX3shqN5N-W$y`6Pb6mO%)0coU5x1Q(=B;Ldvez3;t$+&|yTKXc9;&hE_f49v{)`Nj+H zMFTxOZ&S+1s>kG#OazchS}p-w9M!%TU_n7{LaDBQs2uAKfNtd%O2Q?-Tp8^zJz6d} z9%iPJIDcnY&m7H5h=4yM%8BNpqG#jFz2h0>{YK*--m3T!3$m7C>n|Rm0@_Xph}C(+ zF(UE(p5O0U#NanvBNT6=L$svEZctdJmoLd+XZ{Zx4X2h~!+zx&mEW}p?$ITD!zQKg z6CJM^6=6d{RI7#W5}?1iTgc);#*w^1tg4T6Vm7`+E4Fr>{(~ohnIHzHoe-CqQKpf& z{s2InayS+ZI1Q#ajv6`xlHsj(L`}=^@YZ8Pn;(IMA8#E*p_)G0&-uJ6{^tm6@Uc^T zs^sEF9353k%15K8!$2k@xu_N##2Ro=BuYGAG>MWQx~4s(7d~!?^K|aLVOA7SG9Vpn zK{1NaiQkf?LoByKNc8?03_$#n3?MOhGVa>uHFZu_=x;A~NlA|k{7Jh6wcv4=*Q&h; z`zNecsY+JN;Cg!G(N~+w0V32F{G5K>rYi!R_LHxNM&8|r*Mj$gH1tOzPbPe*vPSuS z4SSOSU?zSN1*4Vt9b6mt{RIE>^`D#qDuABor)zR39X zhj8W&5CBHz^o%zwfjbN2{tKO9VH?vs_%}cy(l`0|I9hv}oq&V-mGJJr-5_ME?Mz}F zk$@m^${E!03AnHpvBHp(*DD2G(TdW*eJWTXoc}F7VsmVl1fwlTcPp`|$gUN!59M>H z*vNPQz1)V!qwgsCCi)mx6XCGFxZy@B!K-2Q^-X)Jkga%pHVM_-IbOUTYow$8KK!}{ zddMjX=;C7s)>CF~LE08$uZRE~LR;iFT+Z{xv~X~t!fS11yQ3Q<3)>d1#G9(<%7~}!<@04Dh7paY0H?+qP#2-J3|Mt=#)13Wuln$W8IEWn+ 
z4>|CEG(!?WJz4^2NvCr?a9*z?)GviK3?3=h%M(eUB|hD`cLMSf?@kNz_T!;#SdKl8 zFB+E_y0EADe`1``fWAdSnNT#dg_8=ms=*kJVJ1xD#$6Kh#wac4EovDd8WT}^&N(A8SsSh&DX9+( zUle}LS|)I%o361I-pBSDC>DUj0xQG?&j82uJNqSAlpXA(=d$)E-Pzf49Xa zslIGuHw|(&CXRzVvTyzFN<&<0pQ8J|TCM=spNM*zeCN^A( zOsJ=9>yQ97HNx^2g6XF~*fCyZrM%6`rwkFFCDoIQ9iIq1rksJYc>nKa9U)9Vzr49d z!2!As27~o2EeSL=Eo}jro_8N_?)RfGD%z+f*B?p3Aa$m&SiqiVY{kn0b5nnS?KHd2 zB&ynp4+J`h_^n;p0FqOb`~v?@3abohPcqXr>}}S6Gy3SG(#?m1C{njLhxylBYzj06 z4lIwp9Pwc5N7 z;oL7e+?v*O?tzr4mF-VR==LjO#^ToAetU9_ManDtF_8H1E}ojlhb7`@RjN$Ip;OI{ zP1au{=Q+#4x$KYfEC>14KunjcB<`W-XsOb#!fzIv5XroIN2qYXsWMeLPXmbmEkyaM%uJmX=GbUIm zbKYXVmDJvRl)fg&OX&Wi7rbQ7W>Sk9TemkEDHsB@^=KRJ2-6#GZPU;fKBG5mRiHLJ z@1W2y3Q@{BGxEAR|27!jznNDmh=x3HS_AC@d7jMc=*!N_Lr~e}85}usUqBcm+_GT@ zv^zUzLogSZhm=xib7A$~69gUL_V~pw=f5%PG%y6bwUiAaz)1uJ_fG`X174XQ*Qqn{ zI{O8)iFJ`_Mtln#AMe8U6$*O>>BS5x|FLFl{kcL09~ z#A>qa=wbU|W5zKMD79bsV0HSKjPcSY`^C3+*lg;es-wwEAm(__{P>xCaN*s;ygYtv z+MC+y;nA3;_Gt65nD$l4hA5F-51cJzaOZL=gwSbdmeU2=r%ZIBB9=L@>f>gyeogJW z2^UrB?I*WcdZYuE1t4C*Bu(x|*Rqi+I(?K>jzc&}?|wn?jMKYrMn4yOx(UU+T7k4Ag9L#2zcmyv{WGEXSo3gO%-DJ=u6pvN93k4&tWH#7f0H&KHTCuNas1ZVhk!V6lL?{f2nx1Qe7w&M(^fnZ z*8SAUD<2tOwjnRuPL{Mqg7$*;{1@7qQQh*1t3Y2+*~IoNCeWlKM8<2t0fgog^DCKP zu7VH#3>ZB4T^@sweQK1tol(TZly6{_La3YCj|NG*k9|FLmKGM9)7fgd>TFxguz-}KgL5v= z%N#*-?_1Ajn;HVP0xPK{gudgtDiM)0+gKppfDw0`aa{lxj&P^Q_Ql=+A*IK`(S@xN z^AFFtz)!NuO!g|ofFI3_=^w<|D$$t(n`>wYR4RbZZkSk723kLSOB(E$iW+#vvpH=k zY>^a8a{Q>B*;R|hRd1c|xs!yZG~|Ps6tW6c{M8aRw9VJQM!^VnT~BP|sG$u~kmuf$ zx-`#r5~8A?xuZLf7~MPiPN%^C)eqkek*x0AwmrWW|=4NKwKE*4_nV9EndsAMo z%o=7PmM!?+JbxaDkq{0=8Yci*^GTJA&j!g5-l~GdvA|>eggfnj50EDDe%2L zQhYro7SHr4gPJ>ZOqyc4%c^rg7aRs6?D`Bab04$wh^M3nrAr5APpU}xfB^FSnRCg_U_qAyFC9U01V{zeGK#|wqliD6Bn0(v_-XU^z2?%PN<6{z8DdHqQ z8&N=G zAYqBEB&qf#FG4h|>UEAInYm%a59hdwlu5FziV$+ssK=N7-3RkIxksL(c5hs~ZIi!aF~lF9_!8ltM308IzB4@0xDbU9`x?>EEJ3#q8(z zmL&UI_ImsncLWWLSu+PkkDTn0jIK4B-|Me)8%x=PjB2dh z=iU496{VsS1#2L23!uY*i!~*`9^NT^YZ~DL7$X=~7r;H38`D7E7>W)L*>W 
zJ6aBRH@Ya^DiBGyM*|~rgA{k8zz3YD%TKpwE7-@1rbe_GrkX>+ee)UI3K->#)&n7* zlXYX&zJ(aX{fBX=+at7+?oUxQRr{RGLn+l>a*WA@`Zd;k?zaF9>Iw}+r{{7lKMvNRCGi2U&bC9^VsITVle0FSrJkg2;$FC;55YvR!@f=Io+ z1JJpgWYo-XacfFPdaPm19T-!>N!1%p&la?~t2(vG;(&{PcdLz47CZS#l0rnf~4*3%Np5lLVA08)zGTe;vVLffPQOGJPg*a4Km!5 zIAobrNOU<;X|Qh$?dRCMQ6(9)bAIu$sh(9xM}L=Sh|*%NOOg5kH&WF=vk+bJJ75US zUAu71cvoYe^)tNC+YDl!*Q(g``HIs*fr5T}$2GC@y{6W5fh4OG6|A?7&bDw)8x|^M zL|4-Urt=Ij%yz!uM3X%taqqUZeQOjiYhJBbXu5b`bkh0A^gqNmi~loxb7@za9Xmv! z_bEbxH|iAdHgz@HN92jo9}@25=8ziCI4#azJ@c-4CSdXHSV{QOt4l^$Q+n-I!dbIr zjJ=g{y#%-rdb8U1gMIJsZA9P#3Bq^G0a5_6%*I&ryWR1HKobLEPv+AZ!0maF`G~1G zDHUdZg_+7q$)W8Zj>uVr>mlE>li)I0mx6+yE;X&&a93#MCPi%NcyGdg5^ScbDH`J7 zT&K}gRf7GWkaLZsdiVNcTG$aF(2$pIAjfZOKh;DRFelq4CfJ1<>;+gE8xyq$+k1x| zEHO5DRCYhP5p}pss^bW}b2rjNAL1Yx2?Ro~~$ZQteI>4Z5N zB8o9;3z84-W-xg1S~BFa{%nNziU*07bCrSQhn_Fxz`H{aTSx{o`%Vuyi>Sp}g2q~U z_akj+PI*%jvIJzcz%vqhJ$G5GxfV#9vXxM!AUQzfZQ)sHl)U zASV$}13gxmVi#iK(=8x&pL&^Lb&|i464uAd_yGY{==V7VR?BleEAP{t(@0E@0^V4r z7r4dWMGCq)b&eXj%%xW-2&8yl&M02=CzU+w1SFW1OHYo09FG`4qo}!n+`w5OdGH2y z^($^`RiZ1&o9xyPs{`roG{}ut`=;d8r0P{4#_C$#jbk&`_Xfi5*i(Ea@P8#rzti-f z1f*7EU5AOYPbPnU3M`a3;(tj}P}MbY4>9yETAyJm*mR<%UF!?u zv%4?-48Vs!K?vVrPKc~?G=H(27HpV9$Zd_B<|s%Wl2vebxm@-$Jbtzw7Xd%*M%c}5 zA!HvFqpC|Td$r2!CJQ2$MjVh zdq2iV3dT#v4;s+Z!T(^*g@98zsi=Gfa)C)E0L;&*r4Y$%qwMK@B4)>sr&3{o|@%0Ex_@vHq6>bJwubKAeDO#=0^J59m+$!l)>s21i$lq~Iv^pO}?uS2-y=&#!k}33OAEL zLp9tYRIzkTR;wfq9DnYqwPN0)n(aR5-d5Q1HZ54}o#$`n%*IA|fJO?5#%k#>(Y zJ2M9FqRJg=0ExVj4P>esDnx-Q)e-DQg?`EJZ z{N!jxE4hU|(Vz5Ml^ujH>!g8LAD_pc)w#pw7!fx6a)`%Y?Gbi;j$LOLHz2uF))PZJ zDa^2&r~x6Gr{>m5HX9xRr70LYHd)#Uo+@~rAxLW|IaKLu|0l*6fm-Sq>IJUb%y(G;^=!uH%A zy40@Y_w@=HO!)7*efT?AsJLW3h^ZpLa=Dq+!h}-6;-+A2UFipPa@^ ze!r)J)!ySxsp^7aG|zw5u!&6v%opq}9joj2;p)wFW$G;K#sn~JET=tDUtN6~JLoir zgdeo^ZXTBn4D{-DCfz9czH1wqsNnJ>oSQPLW!BeLu#f6Ruv0?hL9Xg>qAR!aY8m&# z4{`{XV~^|TPBYl*Lq-YSbFi*!4oYa27hRVdzb9A&WQciDPm(>LmDnfxUavqi!3$Mg zU0Vkm9vRqDa!ys|uWL<9qjPV&2D^|J+p!rW>m{ZnNS3h+H`$N~1W9dKb@=Oej@9!J 
zB=Dv1QfvFpa|a##(xTJS>eILxzL&v}-mmYW4rfB2*B{?Pl`~CPj{}hqf{Zj8fX^7) z`@wW#VXKxwe$c|-$fFyYl@l~mOOJ<9BFM1lr%nE#FCA|r?VvhmkoM&4OcD4itn74f zd+tr@#F03^_%4NkPv2gc#(!7IMt$8X7Y5`v zn9b*}HH1jB04ra=4l)_ zV3-urai|MnFoQbhuB> z4mz0YJUkciyZXN^5eS6&odZcB`!6M41l^k1h*C{yK7NKbdFM2W7d4>(2&bwfDH(VN)2QaW`?Wtt|D2d08$NdgulrNBx3cI4Wl0*YO1bx%rDzvq zW~IKJf=;S@em!!3|K*pr!UNZk?ZL-nX55CW(BSc817d;D+mk?n)^OR~MKJXB1d*ZM zx2hM+^sf$-uQsc$n4w*8E7=OkA2APxMbODJ?M#E8hM^6Wv;plY`i>K9B_V=om9yi> z)59Ajn@>v5ZB{85z39>=rt741#isQ`E7B?z&yaCB2uY8|mhk>_H}^3_cTb&S<8sH| zsD#A+=!81$P_jy@ANYkaD4etmIEAx1zL-*tI${%+A*@p!vZln&zS>sxA=-){|pM0jH2 zGBfS2+fNwBR%&T!?U@@9<)HGh3qP*NcOO*RG-F~Y^N89=#rRZ5#dBcj)NRW~eZmdO8*5aT6RE2U; z(!M9xdpRX6+wz6CrBhesY1gWWwV!OU_r@rfv^OVNnB4AOe#NN4y?a2!Y>am76!Wro z-^d|r3Gw5&e7i_^2nbk_bx-uu5}-_s(dvuD)hpyiiqc+Y+?;eIGPb0buA&UD=4WGV z6s3C8M^z|IMFUTbp(s9Qg+`(s7Uco28h$KJs7MOSBXlxYix)6_hl3oX?*W$Ab1d07 zXA#ReG2!u6%`!7CCY$Oa*S9vu_lgG(xpHU#4SG_v6ZZ0i779F6_;`1W?#A7Q4(IY> zS49+i%Q)Q@xv^-00qay`P>XQ`+d$h;~nFi@%_nwl||;tT65m>YB#~J)Rjo?(cZgp;|7U}vizGHH}H@* zZrq|L#0QQz%hER7xbg9Ziv07xJg2u(2|Tslj-#%hEQn6Lp}HC1in<124Y!ub8ey9A+&VuP-f+YZvC&|2_=77<`Cs$L#ug zK=+oCKPvuvew)HCZfx!?ihqB{KKb|jWzGM5B>czRfRLtAHFCjG;t&9Yhqzap5NS*P!_hb5mMBN9Cc| z_M7hQlsta1Cw7A-h3y@T<@X=+rk&*LIR9KIv!8kVNo?nvHEV({! 
zWN%);Kz1Yj?9BX5)r79EF;vKk_xQF1%iAvub?y zzD8J;DFc^o+^(834{q`6=u(TPO;K%O!R6&H&p=YV^kr^v5CzvWZ9aGvR*ex~*i+DKXlhBrT%zK(6 zE{}?MeD7nu`i1Q;yci_pr=h#yE~a9BSEQ03erNT6rL>iT78VyZrdjEhekh|CKhqDT z3bmW9dMV;KPns+xIbP#o>>%z+>W)p=*X`SE;}Z9U4Oh1Y6;%cjdFa6|hAgnb#cR7~ zN0>AoZZt%7Od+RNjC<31rDsa21i*=-T~X{|gXpPD&u+Z+puv%?Xe z0@GG62%j)_CT@YrGMtvD_~KMaFI!bJ;LxF5+|^7fGE#beCa`fj>)(mkC_$b;m^D{R zHWS6hVc#1sKU0SJkt*TFPX5=-R+N(We>VO=ew(_THSy3 zH3ndi#r4q0Y5zNtTh*8|{ZxrEyNSY9Ugn8{8LJu8V{g4Ay0amrm1tzUtit7a5vnyv z1OHTP=io*4ufugAUtdm$V^w-RQprd>VfX%n?rWQCddi9!_bo9C4)v6~5y;||PK}wN z%p8OK&j*sBASTD5p>wG@LYoMdy_mFqVHI4~Z1+f_0NwUdP~+R$hyR&;%M+bJOcAIG z+Z7%`mxTI*0jJuHpX0n~_dtxc{a<-X2^fDTaYHEHP(GEf@*wj*(pzUO_CBIjo8B|Mr1B?Fb*pS3Txcq3T`)QS_7!RZFu&jij<$FiJYpB}w z&QcI`T2tewgwD~<(eGTJ2xk!O(Ds;dSaNr3*%Y`8^u62brgXwjr=?>0DC^h1laA+( z2>KbRV#Q6GXh9*FN=mg&>~NIzkTc5LtuA!zb*9KOC@=`q|-Z_ z3qp~5@XOwVj}y(p@PNa?eJC>F$gBXx1^-WdI8kT<%gJg|NM)!3-Yi-=lCV%x^bS#kdwSyZfo|cfh3)i*bSO8+ zi%AO&@X&ew=@)qZ@|gT1L2V(o6Mp^g;B&i1naS|uS4%IG?_WSX9|~DHII<}@>}@W< zT&-QMhV`5{A0oN!;CsZ#=1Yo9Ztue$F1(n?1#ep=I!X6T9wT}yw6rv{AvTy<(etzG zyX%wA4n{~AM_imURx!`#9?K(0AW%!Od7q?&mBMr!=|tIY%f25J2hrSXx5`$v3PrG9o4(U5&l;f64+%RzLF5@E9*L$GPf4BI1CaY6Ii55IX9qv}5b3M|v-P08{(3UM$N8!5n9vCr@xMA`yrJUUJP4w9k2j?nL41@dh7@y}E#gL<+R>6Pc0w z$b5Jx0ac{Mc>Y|>uGen;+=Y1h$*QDQzGa~PFJ09?Mf{&#!IynwEO|TqXZ}_QM|8Ub zp?UpUd_=?Ly-=(H;$+pkZ6-TGL=AM@_oBL3z2{C)VO?njkqFfdy_#nOMo{}#`&5r? 
zf;Hf?8)HyBY^6w-9B%a#sSq0Bc9Skdqb01HBkx$S@_v+(5k)Rx=jC~%%Ku~Jdy_@c zaavPPExMz{HfP0q&W;V&(yKg4bgPeK+c1$y2T3k@l(#w0-AhUCLETG3c+G@)u-zeb zn&0h?;%t&erivEcH?p%VRiV#`+c_o@o(d1ic~5;0yeOfjKwH`-jp`TteH;JzqP+JJ zkB(=zX1$VvQcE$9>?VsB-j61lCJ9!Q30ks4b!?|fV|;95_NEQ0KcB?2Lnq5PX`yS=zoV>!_L$wF4OISdrRGLN$o$E<=# z^mlK?xl*{l{rSSxxj&wxPsmadM8&d9jaxgl%Ns73aRHTV3DACjuxk^^$kpJH;-k`d z>7L!6LUVxRv7o&p>m9}?^H<*Z3*#?{15PeDSBumv9VO(PyCpK=iO_ofr3SEq{=p`V z5)?gDOqFxvQ*!nc?oYHEr6yFX=%pt-KxY@_I}aGq%6jA-@HxTC1Ey>1BP989IT~}$ zty^>I&ewPPVzcfb`w3g8kT?2p|M97|qZ`$~Jy2bbUyrZ#3@O0BSc?PJdWsTSMff!-S+M4AME%#m?hV8GmdNWMd ziN2Ec08pF9uhvlP2|jSBD@ncFcC?blO}zfj<1c8x>s9+@le03f$YHy20lX)KJ9xL%9^r;QBfw z3fIN9FkNn=U!W2b=#X`l2sQm(VPD(!Yhccys6k@#GpV5!P_T>7cQ&sA!o1}-m6*aS zd*X7Y3M$=QC|s^e?cen$^Oe#Fq5f<<1-fN{$4z)rcqJ2~_o(R2k-ie`f>t|w^_%lB z*B??>o{o)IW7-6|;j}_q1Cq5DKlWt|d@ql{(95Idg}j;b-Cfg{$-IYF?;aU1$uuVz z50LB&jE8UTos^-E%Xa3pbxO=uE|U1_pAB9&ocNi+qEm&2LG^tD2}J<%oy^xQ(Q3GO2r5`l4gGStRfbsfsG6CXMqkp^{n=iB3|)My z?-08%3ZbN9LTrhE)~{B5jAx)Z2z#ZV51 zhU&~vWDwKUcsqSsTC&4?M_|cy@6=c7Gq2WEi?Th7rA}`=9De6ZALR<*{@Ifj8LL$! zdctUCTdeS+*UwS!-7>!3_&u@OCq6mv3-xsJ9j+%=0%O(^2+pvz zyE_|5*VW&c4#PqNIfFsd-?*Lnp7EjuE3bWGBKd6*&;!DB01JCF@_!WA>o#tHv0X5F z8p`cbeRcqT#%nEdWTu5qu6FC&wSK8}N6O0*G&0_auif3IlwE1#! 
zkUJ~uXBg?3$)kzNgF2R!A9QJQ;;$S52q}2lKxmUTQ-AKlrRyTQFVKVksr$ehuX16& z8yV!J*u?e)sEdx-Y8oz4G{2Hu-JXMvZVEWgQ>1~eI2Lrv+;KPY zrrWnGJxHgQUxCPyMVa=_zxWQ{%nHBmzCJ+Xa1x7CMfDy%mjudYY=&?J7YWKyFey-6sUGdZ-hJ*#Efr_!$IY+L3%5r8DT)^C7SZqIsk z9q&rN3nYp>T6l`bu^LzIys&WH5LGEWy(76xjB{`H@g!aMJsiq{z1bmtwO2b;bM%pD z3*bvT_8|+bZY{O!ZsmAhKKtGCpU9aoYcG>C7zTO0#`PUZa8?KE>9d*>kI`B6F2>W( zcJT=pcw+C`2f8#K3=9}G#EN$=_;|n@jekJ*+f1mBnsz@QpDqSST^iuCiFKSuyO5$; zQfDJwerh|SDj&~Fm0L}lr-9|_)lUs`d?UZ?Y)zfxv-cfrX}A-1#&`!eHFH<5o`M*Tg=+V|BL+QSLDz7!gB9(~?>VQW$-D2_tX`!H5PamQsTMh}(-_F`WwPZd9K6n!VKO0GyfML~wZWBRUWYLM|@v!Y( zusuIs#dY9N`P~O1UJxq2`SpyL>xuke4~iZWncn!&dhqubQ)YCcJCy+M_Vgu(5aJcy zktfCF8%eESr7ulow6ls1W0hI`XDakJEXAPiVbTF-iNahRn=zPZZQ{ZAW8Y^+bM-H0 zy$(H#>LZi+GWqe2a8^XF5b+`f zo5&x9punhpVrJ~CFjUHKB**bcqRj*;=3G`e^jK}Vj+;X352j80G(wbs?0heJX+>D4K-<;r|NuM$5cIUf*EWw2^E( z_&6rfv*qhE-9@)jD>Q{8TRB@H6q8DUGHH(Z#*=nZDaX62f;o}w&!KgoD9-Sv&>Ebuwc=GC%ZxKMmzyHR2{ z)&1Pa>Z}@Ip2y{`5dX6GW9wa<1D?6`1H3o}*l9PVWA;2jd%Y|#RhSnCP!|4R-dR_ zi)0w8^!=ETqrQwUu)r<$&J7r2*Pk>>?>?U=+ML*}H1AX=NZE%T%+!$Ymj6Q{1#h#h zQS-xR%?4RSXx?_pG!yv`g?)ls<$E0jj%Rk>0|gV362GeRrmjK|*3ly}KH*JN{ch4( zy?!1rj*sat0XC@R&q9o&c2hNejyu|%klGKrzcL8%$kRXb&zC=G9+B5uUWxSjiX~pY z(=^yp-2Na)SB_WVat zx#&FgmeEg$kJcSDax0_A3Qg&-#dh(2B5i$wHLS3)p#T%O|AGfXCz`gqobYV_h5W-b z^Nn1s0^Lu}jbpu(8c=i^*IcU{bP?7@hgp97OKko2Gz%VWEKOPifUkYf=V3~Bmp*=z zndN`gyhyn1f7~kdgN)b@-*B&k)q(4;#AxDMH~DlqArv>McUCF+obt3n@k*k8vx0WH z&`XuiYh^f@jjU@COIfG0;Kz$@LHFNX3ItH1{CW=9qzA zgV{GAQ?HS$z3BbgY=hH?o3{tD`>M#yQbj)VTim!?#MC$u>!s+qyq!r3NPxkeQvKzA z_|KFd_=jVJsG9|Rg^1rU!#L@N0Y%O-+#~VBE3FH4nhzNaSQ@O#%(uBWs0&_-3qr;o zNXm>dp_p5@l+8$;@g9uznYcPs-hz#n$*(Q}stiatep(IIo1UCc$mBVUX78%N? 
z>d)jEzgT4mQXi@%InEP#rrIRbT|>_8eonBU&74AyyBAgi7WOAg=;|H35;T>vlAT-u zdhWDM*Rpu6Xw=NfG>d0J#l}d6U^N-*zvKw zX>-OSF7!#E95XNp?};ADW+oMD$;)jN7rug-ePO%LuYQ-PgSk~mz@+Itu8DXj7KIA&?$UK9>{uQw?AEuV~$xN z?7^E5o!;Ne0#DjGGLq4RE@7JRhv`v-Vs-ba3#l_ajVb)#V^P=X z{5j%E6}s5uWw9zg2G*D_^qk}D#Iq%|4C+(+%y#6=}5 z_2u{#Y}vVOraeVY_TiHW61wO%p0!BAjBo%BwkjxODiVSFJ&m8(?!TmgFF$C#IzZ>t zD21J~>5)5>>koexQ+@*RqB`pJAs<7$Xpyoh8htzYjzYaW?y;J?m#>W#z0$WKcJfMu z20rLVLabMZni}0APK^Oun@LY&kP%@m2hV4F#jY{G6~K((zfz)KVd1!lEj9m$?<|+Z z&n$oPbiyS}P#(5FlM%KzzFc8B`04n?<*N?($2Zb_6FUoj;m}zdvaA@dkvcqTIBWgI z70qAbxx!_IsotrEo}tYcCZ+U005vf(4-yIQ*0cA)oTPzRL7rM=^}q(&=;RXJtr z`JuM2#GsWc*uRY>?&Y;z!jMONF6l~n1i$t9 zJ|hQMn~;_`KXy50$UE!<*cEfHw*59A8FoGqBv#qw$c7j6mGxql$O#aqqmKMa`>y{Dz4#n{4MWY94p&ZXFPgbhi zIM!Q#%lA3W0qU+4l90S7MnQ*PEQw8#mfS0gF6uLeR3IeX4|QUDt^V`9Y&_vNNJ9iJU1q*{CAJCOl>&=(Q>+rX+yiqZfl5#J|2qYlyNf#1Zd^ViIA zI1o{tVd+oNpi}tkzWY~T(Y=zz2IFjwHV)f4F!_ebk090VV?U+RK>MA$@C8CvGBVc2 z2m8$nvkA}clgOk}=tU-~CRxdxEIlS}b+92KzAqs2Va7gHikQKXX*+3wY&+7udpCT6 z(2^YF(FHnH?PcLqWZChNiv#f{M z{nwrJO8lSgznrZ~#S3Z>Kit#LoXsWMr-X#wWS(a1yer9m`>XrQ>LEy#=ys6PGVtsd z)K#(FKEV7)ObkeK+(;WVz)w;Jx%Icm#geQkLs@w0$hx?^GOnmC02!>}B8}$RVtxB1 z1uhHp34N3m=;7KK5oNVTR|F2QD<|nmta)y?@4Ir@vKxk8n)S_iWSvQzw#f3%Nn=^_ zZ;9?ih54{pw@kqy{{gAW?@6A@52b!rWd%WXWr zL*O?uFA!m-t>e`QHoHiSSt3^SGiQg?^1Y$J^zK_vJ-f(jslUT1SidrP|JDc5fI&lg zIRkdar-Mh)f!gUl&2saBG_zt57xsB=8?p6JU{9X(H4 zd1;V^Notm`pCErcDU`yTfx$FM{H#^P-L)JynJ~7HPS0=d@FdV-6hfY^Y=J zikXnGs6DgOhoTsq0DIF(c(0HpR-})Jr7@On3FTSvq&9Z>K|1`m1s$4!+$fm8DN_U5Oov{)%hG{(I8E=51mMPGq;XZXOt|yKzupM zNrr>J&^)tF%?W_QDF_zO9>W=?<*$7?xFNAFui2&_x7;0))6c%L4)r`a0l1cY*qa=9 zIqL^<>sXRT!=4b#NC)=YLBqGXVbbdO71%G>{LOM(**=PT!e_(i%ho%|C&^B3x1VAt zbiZh&DNF1BT2#Oo!08)#+8!OL`987z_0wa!X0|sP6SN)ftuXn6Wd)Q(4C&7%d+sBR|A0jbqB!18`O?{Ir{Of3XsSN|su9C9jiI3hyc3gaH$AfEEWEM0vm3O%3qIfWo zJ=OF~?j{B8yWEkaeb1`)JF@p*Q!`>32$Q9+PiqC2Bzjog#Irl6I+k#~B%V}Wj~JH3 z!5r%cQ)^K*7yPRfTArDEGHYn*mXW@SSQQ` zr^LPDZV>d*?5GW)cEiim1lJ0yX+<66f+ImV-?#aJOOM2yV%Qrdj((MGq04iFu7&&> 
zRZjNwUSb3cCu!rYrB5<5=y5bECYP6xR%GC%_@?$fY+TZRL3L7bZ<-ZMq1*RF!^>gg zn7&Y=uR{JNb2Ry?>C8QC9re>%Qa|LAg_ktl+C5f2jdqRa^o55Pozg}+b1Z4yqIkUd zI?4N$ZiTQIGWWUYDj_f{3q6GsM%&~1L-_7YhC=5V>`mRz7rG`N zm!_=F^Bf=kBL$1m{qplUS)wLWdX$yuqyLt-(TM!Moh2NHOQ@m5Pp|J|dNDmBvNA6O z7uHY9GD2+m-2pdyHk@9|)_t}kh#eo-lm>a4Cw0DDy=kOZmx-BCR3-dd3SSmg^`3vq za;0zo=JaX-8uVL=^&dxzMeqjK%>A9jDE>Yq9$442oOd)&p^M-3de7m$Z*C3czs|V@ z`7ygi6sMN7(M-LJ1A zzQ$J?N$y(jNh+&N-o8PNo18PCY@U-F`MA+(5TQ*d^}+D~aW4<2!<|Ql>aA||+w>^ee{R1l;-E=H z&@QhT5)FG-ONjC`(I+~#wagMU3U)&QM&0;;33vjd4ISIY&`? zQng+x=^kdw1!Xt%6XRBOHpfGKb``WJEjPn>4KrYtZ+BV+P*77k(6IlP7izHOTm|}u zJy}1E89*{ITy)_(Hn;FoJ`S~;a0qs+aNb{~0p)tWoQi)7YE|CY$jQqol?;Px`#*lXEAzF zhfGJBkL_jivgbO!ZhenTFrM$JkI%(eeO``{Vx0;)9M_kuQJyPZ z`?yOIO!&@G9?n1idcd;ibsKL>tdBOu3=l&g9GEf<4(0%VNbs?qT8XYVr>J97D#X>> z%3-_bD-=S)T$lO}CX-_e)JG%!$1?&kL#B#~EqmK}OP^|`Y~0!hJcIKEV;|uO1;Bz` zxp0&gfL$w*_ll)OPU~)r!eGOG z4>O&V#Pl6rbQ`ogLuTnJBDXS$u$^OGJxv9{@9&CT7Srh57{fL+vN87Y8pi7aN{bX3 zLJux9{|1bd^k6I%Fwd|DG;m%{aRRJ3?8Lh_!BKv1uA{7tLpH?HFdo9^6^%cJRnGp>bxoOfZK>#&S-d^oa<`EGYYG+@nMrgoy0e^-^09&;n3V57B zOWz+N9UG-)4}zQ+o>_ihpGY4uv1T>-RG(&%4|o@x}`2)*GK5|SPf`{h~%5_3i{XBp;>ob!wq z`Q^Q;&3$xhH5|y;|M9(LEfAx575hoAw3Thk&PV;&?qgk+n=e+Fk{|gY_rbSmnMqq$ zfN?Xg!I@Y;h^RUQV_>7^m9iOqa^*FfT<+8ui^+PSKa5+LTd7?Mzm6FwD^l}P@7aG% z_dnI~g4n>6-s8yRD2qkVCXxjv2^sjcm}WHnrLWyL>uA)=YoyGq7TNS5T4G%9`($ ztd6o!$s%D87{BMI*Lg1?_nl@Ay0kSY@@n<2wAX%Edpko}e=?b_*>ZQN`@%{mdh&Q% zX?s#2@chrbk*1Qz6q~jJp6;56NfR?D$+9=T0+>gDaZ!S@(x`J=A0BgA>#=MPp;S8# zxtc7VxjfgHZ1CZzGuD>M66XB!m*U<6cP1WzI^Zk?H|AtqQAY^9798uR-o@#T)UfQB04YDA@O0-nnT?n1%&Ac584`1$^jxe z!B_Oc_kpjp95hm5&XM;jz0PM}MI}$G;A=QFq;F%az}^^!4eU>o>O8|SS+|EK6w?a7 zpB~K}vD=;Z>0YW@FY(xQ-kfkurhHO5XyoS;@3Yr@%XZkpaL|v*Ngy!wb>+^}&L7-*W+=zkLSR} z0D(O{^;L`Cs&v~V#a}?yUOCa1zprS^wK)=q@&m@R( z%<(0{IN-#BRB;C-pwL_AozjZ88M-ov!yC3Iokt5B zAu1mnCY`#BA)w9nel;P@?*b^hDc^qprc%qpREdgBodCW@!rMxI$s+b4N9%JV5MHg( zdmvu=!%Kw%=N0x(Uvy)Z#tt9cS3hZT8_$oq^}4oA;jiHPYFmZ1>^hl>w)W_>6|LMi zv2k1=8{6?mS9V^8DDLJvdnw{rAOVV~6kSL$mx4N+7ERJ2+JC-H02W>^pU$_Hf~*VM 
zF+CgoO7{N#$M3f?BdPAJH4aD(U~1ea3RlJ(E*0qnAB}I8IIp-pXW(^P@=o`nmUPdd zLywS{r3D)~E^`5eTOc^qH8!bj)_5av%A&G_C$j z@A8*nzW2=1@$0Flj3H16_OuBvranN%ZhzSF;nrumj!BfgQnWEMkcd5|D0%ueUVous z1_lpXS%8&|7uLCC3ENeTd*kLe_^MxLx=)@R1zof+H2Q^wzA?H0A_hbQYP6RrBK96G zIs|NPE1kRLe2oU%3mRV^VmikQUlPN&t^Ly7Hp;u-j~kfAaO}PjLjYw1i`NvdQ*Ny? zh#W5^gPb(&uk~8RJ@s{H5B0Ot0At~lPygzAhfdqfn|pVd77E%e0~sYc^nWezpu16f zQ{TUNeR7hGH=i6y_@<4)pIj18!;te{iNg1nGb>QU$X-<-CX{WN7lnS;KVHoPH_3Vt!T56D zsp0b2pf}DICG6NRV9&l)LNES(rgnFLXdoPwB!s&yGWPu1?{pvjjb!WKK&ueEc*;yR z8(Pl7tU`A*_5Ecz^m(_?ynS8QY*1-XSJ&lp-S*n>$+}bT-ZY<|K4&&rN`oxFt2xpJ zp9h!)2pX(eHuzq8Ot|i1d*>#s%h%Vb-c=jW&!Q8(+-<_yMfKCI*)KNi9X=c}F6O)Ux!6Hs3 zVQ!nKDThX%I-d)y852!Cwxi@ZNBNks;L&E$y#WTRJ4C$2mGfU$GP4Qarkz(dlHkt4 zxLIQ8*}4ty2R2ss^|eR9#&;oela`^r`!gAnO{%0v#hYx^JF<_1>Z15Fm<61j8S1l{fT7z!wEmc#wdq&Oas zblo1)2K@R+g_A|$mbFV9NN0PRYc5&TPAA_l=%b~BS!YD@EMtFfTlR7?PFQU)z0I){8+Vip@JB+p6lPTX~XRQ^g9sRcKY zA7uGB@&IXYeu{bBTv0Zwl|igbw(LDwynU4RnUxE6e}S|hnjzq=4qX;A&E>YJhg+Y3pL`BgV!#6B9L|4#G! zmdlXJe6G@l`|rVR# z;|f;Fuzj=CXEq5?Q7-|kKcLlyf{d4!s={PgUnPN@w<|JzZaXct_*|8m8WH$^NdVz` zk$y(ZjAUn=kJGC>=Ea+pZqVFW0oSDfnW&Lnuj|X0%fQ~yuw4-c@Kz@lX5@3ki7PMt z@)~yG?AI(}U933&CxEw1(3BxN2LghE>n?U=xE#BCtnx~@BnoqMCKyfdiq<3@@eLi4uYg@&E8=c+ZzqKs1D z%1Mbyjmej@0pz-AFA-epvan?m_OIMh*kF4&!$TuUvo?27kYTL@X`z%2N=B8}ak7wZc)u0b=ey#N?dHX)G8sO8iD}nk0oJs0sA~|NgQ#16WO*4EV@nVVc zF~ca^0AAWluU89*_xlRoDg+TE!_R44iHEwyC%+O-)OlgNPhEC)<|adxM(FE+g$Zio zU}(yEGEy*^Q^9TZNyBb%kOK8gu!pvC+a~TS8R~s1YrbkuHvp+Pp%tD!(DPOeyTe51 z1|1o1GLm-8TkY^e(Anbz;sXlKh#<^jeccMFV)OS?!m$_)^@?6zI;y%!59n`vB9f)- z)ip(>)=OZ=irz{!sCm|0SY;-^ugp9P-F?LLL_TppqhUED>Ui3=>_XwCRcl4xsRiUo zW@KHWr}IH6$03L!Pw@}`u%Nf|-;wgxJ$+hHpb|7co`3Gd^(rHy;{Aj;xjsVy5W_oz z4VGG}>I2Gy(ALdtzxm=N6XvItlQ~GOC(9Oz;xc)L?`uOf9o2)p6;A2&8_n|H;DlygzfZZcc<#!-uqd-XU zG<5D0`PR@%tvJ$C0ecH_ zFQkwASEz1Ly?gA820|Qv;!l;B$(zt3bNn^ESx9G@U?kBe_lcsAu!&Y!D@7RdAd=0r z&va_hRDn>_A>H+62`FBT6QVhAx(Z3hB)Lc=oMaj0O4t4H%*j>i36yADi+A1`dr`{7 zHk%ickXYJup3F0o)kJEr?5aS4{mS?Ej>7(OL)y9w!&{u@gFl_o9u@Dj_>D)0zRro( 
z4K<-ETDG+tTOoQczH&J3{mjSbaz5GmTHXDK6N>>3z8LQ#t?E~g=viSm%c6Ps$XoQN z>+dZEb{IsKw{h@QzJdvQtbDaqJPl174Bzu^5g?DsGHv<@1i5^Er*}UO5*|jcqydgD z&Rjksq3mxe=xq97V|J`Z`=?P2A(Pls;1W6ccR9aWtKMjyM&v)?i|h{qJS z|4PYcG%NKDR63?Aw(y{c*1tsN(;eQeH+*7n>P%@R*zs;-f6fsLD!&>8*ktETV5lpH)*6;B&ZNRl~1N0kTC3T64Z*B8|giy~twC)@^X z+J11tiM$ERq%slf*FDYg`lfRUKi|59*NSZ%UXS#MKLt-jd&S4ngi0CxIN6%PNuF;3 z!6>q)Hjn7z!LN+KLTt-1A6{cd**aVHTZzIFPP(ErckWt#ytVt(bV>|Vu2)Fj$c#;T zR^vG=3VnC29xpBJy#?n9HZXn6ztq58PC4CrF~x4!Xmq7)D?2t*Trh|O7^|i zr@dtsb!qyjTkK&6Exy#W_4H*!1vs#03iI~;REC0@PgJ_k`F)rpns38z>D=!RK`p*Rm0f#- z!VGcK;(HJL5;CveMicc?ULYIjA7JYXu$vO>4hZfH6AwkGZQb4p{8F=1Gt`j5)p94Q z4JKc>a#lX<#yHjZO5nQUfvlv~#$6ZqHz!Pg_CgsIMWA`RsBq>63 zoC=F)VwZ&s+7RR^+QzACuFn%|fuN;|E9CC_W8%Pp&)t|Lp-8u)AK*WYY;EnC_O%gO z=^YbVbuMzy?YYQ;S@K_w`icC>+PNRljkA@4vxw89y8Y-; z+#Scg4;1db-lXt1!^SxrkPx z?U;Uby=yxN);`J2`R<)Y;R-J-on$kuj3v0%{5AR3Z6kjlA@u8Gsm!ATo20Vf-+hRa zN7E$w;dKx0tDRv-m%A;TSsFTtdJlLTVelYIHpr(l=xP)pmyT2V1P`NLOO6VG8+KgZ zRq8f~0FUd+h3qz0hKN3@o6#r8Y5dPaNIU^gY`BH#3_rJc24+vmY3>+Y;?(v8v;X?h z*hl?Z{sil9_V!u)$$;}Qir)=dMV(Z%dldX%r+qIyzvxw^vdDS5&&AN{IQ zX&n1jJh`TpqrzWiLFDQ^vO$C%`uq$d=Q;&v~C4-3ah@1xAdJG&Vwt#h= z(~lVfusMQhcmav+`tgN`CV$`uk8@!IIP((fEz%u0jb}4OOY^ezbl9!%JR27_ij!El z9Ogn2y*#hpDjQwM(T)VMG0=$f!cXEt|Nr(^{72uDmRj)mj;q~%4|d~@XDe(YiC)Jc$pQOFVrf2YbKJfdfv^Eua&H4Qs6vtZkE9mG4W24< zZTk4>cs*yWz@XYitI^lTcDAZS`2A>C!_}GXIgozLci*1=baK&mkMgO-9U`i7l>H3; zal3b=@Lv%CyQX`H43pWJt3_)S=$QlZU@0ksgx*A<;r5IpRJZJ1f1QxcLPLOplH*^W z{wR?xKxo>;=j^Z|Lm_k;gYfki zx8SyqCXC4%Y;E*Wb_cHvqJBLn9YdM%c8% zQ|fLbiJar+Xzl~V=!RCcizV0FpRx6q$1{*`{STSqfUM6&Pdf$>634&4)aTOto(~Y# zPR3iU*GSlYu+Q0g&iw1XWKlGrd~RPC>6En4ir7(qc$)h7?~a;aw2ag7ejuE%QUR8R z-c*^i2PDV>yQ$LS9kgHt^og>5J_nVvP6qWADy0lLcUoM%BYoY;|G_$+$FOEWJ>^S|E>Jr8 zG+@U7Ue>O*pRcRdnCnJNJSfr2kiQGv@8*!&_-PSrrd9psw27ByRlhhzO5u0d_LS=d z)aL-uuC@kQ?8jK)Q;VC4jBPZ#;(l9c!BNZ8Ch|zkd^)% zUqiXJF|?o2@50%*z+rPd@gM{Zl-#KY8ZRp79H`AFj3lQEtKa?Q?t0_1&O(2_QWz24it zVx`j$!g4aIsR{HExw)S>oiT8)$xP+z#d*$y|11EI8W1X+L5G0&c2Kv7NP#{1X=QGG 
z8sG06pAi@$J@*5vVc9*mlu1wU0ELhX-Etj zUS4~&8vi@j37hUTL)qd&k#5-&TT(d>2wUD8Pe4e8kcSnj$hgwum%Y;yN05>d^UwOS zvS#~2d)`z}%LjYn!^>?(+@Z$Ahhyis>$+P`*HoBy~9W5NIiiI$jDQx`f!=Rf%~1;gF?vzb8t>ZNmZdVW}EuNiPRz)6^wS z1J#$*sk1ZdTF3TCLo;Wmq;er`Gqb#M0W$AUZJAQ>zJld9Omr$UQXP9v$;mH$I)#UC zcYtmW;VJdIv`s-S0J>t(^>-?ykk!r+I_zY*+h-+w3T3D35A_FP@M)K)=+>=yC`U~K z4H=It?WgNm*O7pIYV$}bswLC9*lgcF-W>1eldZA5N+?7Zi&6}yh2+HW>mL(vgoF@2 zm31lMbNSV0qkAiv)%91OJ8sTHvOVNZONHHYy5a0Bx6`LN6^=%|BKETvQdr$TCPlc^ z*I6YzA2y$NfB)Y`)f=Aejf0tSHPj9|{p%jr) z3h_Zrhw=^VK@wf}z7PBD%t2=XA$nc5%=?Hko@-)ju`bEMcrXWYu@}229_3*EgNKks z9>0wv6`!l`k8>6r99(j8;(6`Y|5X@RbTDHWBF?clmdEOJ-n)~r3l=IBzXmbRC&a2) zzfjg&szfN?9>ODg;m)G+gXiFxEK4VhL?R$fsBC9ZMMV(v0t&cW(>thxr zCCGn;q8u0)2z#Q&>(8k`sJ=Vf^FCz@d6vB-yowY*jeROQ0++HANIfVzT$MZBCc^g* zMu^hqs<3;y%R*qIoB>rbI!2*)IXrsh=y@+dL{wKa2_l_y&^8cgnTI<1GIN{fzsX*6 zpR#PdyeKpjJuRb%sE0bb4NcY@;rrpU)dUc9dItr+`u<=o=}9|gx&7R*O+BfUi+tUA zUiTMT8jTrY6})T3F7Gk=44DkUL9hX_awh*A=RB3;tb-7|Cw zl2Q@_N_XebNW;+GHFON!&*r+npTFSw5tzMSdk<%<^xLQNCE8&)LF(APwaI$0lh~jsdhsV2wGJp?ESJv!gTkb^;qo zc6j#g&k4OM_On^5yK5BRY1fCTf`1dQIn1FN+p27#FpbJ@uQpV@Akg(Lp1G?Y^D)(T zl@`Tl%tqTB7+eLX_>a?z$yWBZ1?3S(aGQUcdV&)qC5 zv@e8o<@y$A*X+e>eNyL!?jsm}Hw^$)idBnBr=6N19M%!fjn0r&108}&96J9l?{h{Y za$=?*HjS)9jc`i25oYPUX3fsG7!Yc?0?%sI3PSEo+RQc4*-QT zk23DHcYmyaVq2Wxk@^hcqQommU_VyPMB@S-wa53UA%E7-Rxef5>lRGmh_C3cmHFxO zraLCkbspR-y!YIO&%EGZCD=?PDZ`^J(2w)glbIxbYBZ`?&x?DbMyi&CaZcoF$}}4f z%QrS}CeImdqhZWtn6YCV>a(gp!_lKu z1yqmB?)jlz>cHo}RaeQ0PZ*qCHIM(^7j9N4sJ1Le8nJAH_J|DBwxu{~geSOeoTuz`#$$E@|K6=@p-1Fm+=&aUyc6o(0e=D;Le6Q)+GRz1iAcAS5Qi z&-iP`88y)Rf-XSD;8*leXVa}yjY@9WtRyuZufP9O`d%#Iuy^wSSWFUeiznkzF4uyh;FD{5-G68sPCrd5_P zup+ii`rTlO^<4im*P9a!)yl0Ofa}Tge;zNu@t-vi`B3;5DACJj+ebp>rttN(NM4j> z{eGkDJWmW~D(S!lqaM_2#%e_bmJu^FXPTP0o@(%4m`mXY~-jJA>*<0=CJW; zj~v&`ibmPAFcR?%4pVOj_uu)bc%ETzEB!5UvY8y!oVXbN(U?3!Q_o*M2fa`^?Z_{l z^2YRIXEhJlM+Q*5U3=){%`9I_ue}lVv4-c5Oi&A9>IJDQ1Ht39wFqfqU?@rW0A?fu ziKP1zuSh=Fg_h*$co-ktB$lVf$DK3&S`PxOCM=$~`R~xZ 
zEC}pUqy;+l-yvGeU{X@ZMa~`w&VHyE>2b1AIwkG4neb#O*iNKX-yNUOARYA4Ys+y9 z4~X)X4M=F47AQE{uP(YlaMwu=4}S)U1=yL6p73%mh_=#tcWZJzbC<(Y!C|Jl%1oSa zhT^)x)J=5e%_cSF`M+J&cM#R>!N$Vf>B_5Q2k^+Jw&>SaFp>n%NKCb??7@Xhz_0^q z;3W@loayC4Lf7H1aqTkPdB!QRpf#He zFm-s+`2HB!Np|o~qzbH!1)}3aL25@upuBf#^#z|-@|p)!E*Ib5_`LbwQ@B#iL96(& zf-^D4@>3fIYBGkxz6O9Txh=p*VZeZabC-p>#Edz~S}=nNDCk85Z02jhK~5cEqNkVJ z3vS>|lHz*n3O@6S@wTuRQ9$li=*iWSXrFye@Os&+Fc|Q9SvC-FABp3bfi9)fOa3@# zy>J!Pn2Qq?lZ(G>H&?yvVmc}OPMP(!B4LxP(a`+G%v;W;esg%gxtC*7EXSespq}E9 zOy1}+>5%m5z-+At^}6F5bpIy5Wac^z;Vt4X4xW z#MN^ZnZ8n= zwhyF)H}Ty#kr$m}(W)hqP$Ek5ZMxdhQrTr*0JRmTb>dsN5=)tCu+u$*XT*;k)zC`B z3a04SrMjDIqQP+g*GD1)hWf81ewCXjJcTFsnnN?<(Z;lIsshZ$Ep=XrcV0LZpnETV z`Tf^w6Urj~!aJ2)KU$?odkp9MJi-ljRYj5NHINFswr0CH-5qZ_Rj4ZI=c~$?-k_vcoP5k%mp9lo|mL)HH^Xi5#b=Z~&ggsF(Bfik{2l{B3-duzG5GV(`iv70# zOgC=p3Y4Qgx%@f*s9K2w;ja=j5X%w0if=Jr5TL@WGu}hNW}P|jIRW-OHp{o|yir{* z3Svjj5l_cd&l?Lmh}am*K@AGEDysnP$pb7Kg#&xV^Z8`RgXbxj`lVs?Sgoulo=H$e zmf#wq2-6;tp^ROPM&Y2Nsj>${FKAF+A9u$KgGAezl1Za4b(f$~M`W5?+h4K*P~4CQ z#fAx|+)XS<1?sKe=&4{xYry8}foj=~M~|YwTJ5aiLgUIFor27}B{R7T_JI$!_V7Wi zKAv`=RCS>dhc)SYs8CuGxipYs2Y4(!)f+5P&gOhCHZcuIs!Xjk`O1GA>y{3X@oEIw ztEqQU>tuDU7@!h`ty(9{rI`Xa84=g zTA$8iyL9Jtcur$C1*Kc@n~Y5>KJCK`0c!-;+Y*z0Aw9=nGMkg9jog5r(#Ew@hCL~; z+w|gSVLXo{0x(3{&*%JItnseh==GZEhwEPb0B^ETW|E!^JQ?yy6NV011y`)!JL#O` zgdl%WrJMWf~v8hgtvM5_kM(Xoh_q_|%uIu~rS6~Xz+f@PbJ3Y%qZML}|$8^U* zf+d>)clSAd6D~>G2Rz~u0f)x#mFB9|3Q1Lrgk$h!H`lk);j{XmKND>3ZF2xiQWHB^ z8M!7NOwUbBEfjq%_V?E{tmsBmvICKTHoAX~LhoJgjoDI$fi}l6B=C#>fBMFIb0leG z>M7tM2PhjvO(5WlRSl8T^A*(+Te_JN{l5?Y^Y}wC@*GCq>k$hztIJv?A8Lj?rPT_F zrqwDEaM1KQTPO#JAD|#Abq44{Y&`JKQvGKdo2Rnd3s9Dgjqfu+5}@%>N=nlQ3&(P) z_22Z!|LzKO`gVkset|=cBp;&6$rZMy7jH!^yB6oiYaIyL)Utxt22P??@-?T(IW#S$ z!>N>O3Fz8wK0{Rt)Vl!%qv_|~zm}KBn^hv_wf}a*$}{ESr{nsy0778^WN8xrV|>sE zpf`JRRW_!;DL;_k;JY*>I45PS@Fce(@rul2t&-~0?4or%OT}t?J~Mr+SgU1gBA;yX zd6e_@x$Hfoy(a&M^2WrrybRkMFZL3nNTd8KFx?(P3i!S8`JA(xJD>)tNkNKJ-7(qJ z1Veh9*^2u3$)|TJH1{0C{OQxDz?ZN!)$EzVVd9Ws6{2gT%tTaGRoGN^dBUb1!=z#< 
z-n7o|X{ok7_BW~_1@(G+B)ghg#PuAsM~r+>)th*y>E()E^*Xx%#%(AW{O0Pcy40|9 z`rt{M)!eibpyVLTe@1l&{Qq{+gJ{ZH0|@VRoj|tNbL!LQ8b?t`IIWFBQW2rhjk4HZ zefwd4E1{h~>P~=BWE1D4s>kEY){xjFAMK_-fh}o}JJf;2CMx{PH;iQnhy zZ4Sf3kdF2M8SIJUkdsk{5>eO9&AVF^5st&zeq!UctA|sKSRJjm<+%V8HP$EC@>t;m zn{r-crOj1re=2yoN|LLLS}T6)ckGd6-$vtj-53QROw;eZ&?NF$TSH+F@iEQ0!GTV0 zV#}ZaXCThm4WKY_rM2(nSlMa81L3tgIRsvo$i_Hp_+TAbwFgsgK2-HrFVtkiPOqEA zv-XmC5k^(p20s7h^OLrTw-#zZ;erP8YSuJ_Wx2%^~*XaV>Tod9)$D0pUS3F+3j zj`2M;aaR8`T?8yXj9{_i?>c~J$`f{}F~e_F=-F`D(u+2nc~L#Gyt3j)aoxC>37aLN zdPjm_Ck1RDPEW_w^s?E&ZY=;E*Y-GH>fQ@6Y=1)69;`J}HB{wf5sfb^^G@HeW2eHV zY0e;D4aC$`au~Uk{`V*m42y`M3G|H}Qj+3Tb{3)1D>G_pY94tiK&1ubcqdzxd?XXX z$d`#9Ne(TC5%$J^nj)1$`5U!rY~cVNVV6N#18o}lR#W!x-t8}NqTNqtEz3>!Me`jP zh#l5++X;`7?nVKR2b6hVCc;!nrl7K{okF8d2PwdVV}20~AMD_`fU3+j~`d z-4X12T%OFV!%QYS0WGHKeuGQZc?L0!sC&?38mbi-^Ud?lPruZcC4i4wRXJ|nt_IUL z0v!uM(sn6q_MsI{8zn=3!-Ls>^MdBDG}~VT-LHVr6R%9?>7u9fP2(!{jGrfWA0CVv zb)S~P1kXg(E*3K-wRvko72b>W*&%+M8x2o2kq6i|nGEQ>*DV z(kloruJQSmPh)(eP-aT&B0o|ki9+J~JJNIk4D+M7p)s8t)K@Li7CiIiw;CVStTbO^ zTOy+39?XIy(ICDFC#ylx!$3Ei)O1(WOcQ9e6^VFG3kZTe_Uu;^)_p?;U+V7I*-7uh z@2HILvH0ytu^kcIEedT9-6_SVZ6Fl(>FRpW`^zkhaBLL0@_M0U=_Sy=!2`B;N2QRm zdz_lJ9K}4~ZrueC=k(tQsY!smRY5P-UpKXX*dQTsb6F4_vTkrnzJne08|r*JIDShmQX04KM@c1>+Gx>uGlL3+OqDJ=&LSZ5J zd_%Q+C$;k%ViE2s>A1r$M+J3GYFQWTLO@j`B{7+EPb54S~Zi?CA@_Mmuj6A_tD}pVD{-Go98 z9rS(#haHBpt;VXM$tDLg^ljzR8ko|1EAHRUD<{w=Hfdq*swz&b>>cf+-!;9}nIrKwymh^!ni7K( z7w6scm3lwH67dt8YfaYs8iZ;Osbk1u9+L{YE#a8FemmN;x7Z?FLHtSX=7zuEO^iTE zXgq1N=gAn9?@?YpaaXZdgYHZy*@mD)kK?k*Nvwz2f;4UaaJS8HhCv~vhq2U8)-Q(M zkybrze=te&1Gaz5GmT_xQ7N6H**+K@CkPlXXDrQMU8}g6ZLFXpl5o47CbSvVbS|VJ zUeScNu2o@FeA;;y<`INoVPWF!KRgSi!B^)iQx741I(^ly$Lb$V_Kc7@evozZR)YoC zzv5Pp)^*qKuJ)0GUDU%ym=sAq7kK+il@r!u+lQz6dbXlfayg>OuFnAzG)d8T>r{pv z@&ksghe*14)!Pm&g0J%qNasqu;2nA$L~-BJsNZ)EavQ(Do-%m*uTMHi<%RYe>*XjA z8k0EcKAok8F8K{lX!Sr8Iu#mL?0YzUiC($bW`+#2?iO{)9@f6TY$qVBM-d#xf94Y4 zHuW4jyIIYR+==p8E568|N&LNwsMHudTBr=)_dzl=((87_@5k3f9>YL)Q3rc_Mt-Jo zk0)`ik^H5QbH{Q7 
zcdcaN2bW1uJp7Fh!U1EqIl^7(rPX9G8JI{_=`qV~y|DoZxcYCer#JNFq-Qn)UX>R5)ds_z9OjgdevVhrjy2??Kg<-J5!#RF8bj$&GiI1&Z&YK*;E+6 zniaNqB(y{_Ap$Ap^;b7k{p-J#u5tJxnp00V*DVUNn2MaSS;(3(Kc^J$nCXgpxz2|N z7iS_Io_y1n0*JPUB&U>~i1qDGQha2yi^E+*H3uq;(tc+-2`f67A$0(R0z9}69#It74X+L5gB^5&LC>_T z4EZ^xL?r?DoADKTvx(KZgLE=Buz3`UTM&i?w_aeg`uJPkR(g^5J!n!Kh@}Ylh>lmk zD8BMM-k^WnX8fn}CKVVQ$D3!+#)DC-i7{e8&Ewo3X21 z9cIR8c2Yn<2K>(YeAQuH4dKP^YVVzj%`YJEM7IY@x^bb6sF48d6@Shr!wVgvliEs@ zOK5$UVlG~Ay(S#>aiAe=aV5MWg!dg1fe%f-I4{QhGr@!R{T&VErB5)OYHUrG->|lw z zbYb}V=R^vS_68BaF&OE%3)+Psv?uy{uf_kJKm$>O3&bxAvsVSbQ@&-E1<|I3q3K&g z+o&IWoMb22?-3(8&#*ZUL-;HwS)*s(jk5UuikD5TtFh;avZGy+jarP6rOhD{>0@~Y ztqVEHh`Daa+u6K$2U+7w1Qz?l+_bbok76;#vw4>wU>=hsirM6`>+x&px}CgmyG*=V z8>laef3J3}F(A6nZo^6S4*JFhJ+;_U>#qBNup(Ko`C3Yb*#Vxk5+ZJ3y_~H9jOV#J zNJE_X^G#b0XKV-l&?fO04n+FJt4KkDzRf;V--iKmx?QCso~5e3xyg3}iW^)|tl(cE z7YQB&*=u!5`b8h{KZC?ye9zSGt1lV=p5Hwc+RNsr(zQFqug5*PK$z6 z0E;y#K6qt$yxXdJfhi!MAet}d-ASC+)YZkbMR9kDzRl@{G8^K2G9TZ+R4GTBKXGK+Bz18kfJMA zjX3(~?m)Qq&Syq+&`sOA=}4&dc0a!RU%c)s)4Nl78=^)z;>S=~W_MaJ?*Q?P#pTWgW2?z>`%_Ub zOcF!NhYp+*hQjCixfeq5WreuGk2tv;IFDEy80jkde$I~2o-=x_yKi-A_sz;y4At1x zM@%`lA_iWN`9D$?SRbw5o6ZXDWS^AwMUIctB)-l4NX(Bld2xb?=uBTEJ)}l&u+wl1fig|-XISBbse>BVtry*vzdd>~&s;Ty}*A+l@rZZv+O17)%0O;bCt6SJ4`SiR64a zRG5!;FZ-0!tJIk~z2{HmzY*P&cpT#8q<(5qFOZh^)Nm5ZK@X?QRDCx66$K# z&}_%4vQIk4>zdwNoJFb>vWZs-9}=?@_G_y%GiUr}e*7&$J(vTg>sm9@xAgco1$ufD zSG*>B2a-J>UAdot`#Sx54g9!+%KGskAk(+sD0ob9+tNsnmOw-A|<`D)=_?K(~hmanR>R#P09Vh_gBQTp&@NmH>(stD}SG zMEjlD$=UgA^W@P30t(!fXZZZr3ox3EF^2;JMs(SuMq(Zw=*{-$%NdPy5#P>M<(fBC zduKO3XE=AeTQBph(|h*CdB4uLoJq0j*;3Xu`SorMw&xzS}HV#HGdH8ct~H;{Th?PwZ@) z)Qyukw(3qRHOeZe`Ht9VKEe^E=N6b0;kPZ>AgJsIgL~)xv;sDfs1{WA`vNSiR|O`4 z9+*cn2~;#B0}S6UEq^Hg6qNUAU_U)#y$_|{z^>`h8$h7P=l&Bru|NS>oKY{qn2JQ( zAr-_i6n_avD#LHDgBM<}ykZny8V4R!J_{oCF@=YszAf(mKCZJ7?38x@67v7u@&yzK z=4x{_hX>*J48LpU&lqT}E9axx8MB-Tm8yZJDNeqL1{tUYMrlW>0BgC*5D| zXb>9nxfFy(KQ!t~D78Q87w8S3&}9aSMSSSX?KY#U(?@0&Gh%5m)(XI8x^UtmO#J7tZ6_=jsCXXL2+5dZ@8EbGW0qnHYcT@- 
zBO@b&HAge)ejg-w1aA_&vScaF`IWb&nOl$-Rdqu>{B?o3Hk6`!FO1R5+&XT3oZrmc zEM~e6H&N8I=z7OgOyKS8MHXX9!^*kjT zlKA-e%DnD8E6EN#trr?~KFP^t78NN1QrTDgjaNm_$oF0e4JS3gRyH2gB zJaHA8yb?~ow%)KPUhDlMxh5TZF+$&=Dc9RV>TC(jVm2uM+w+53r)|{~=HJ`fncs)# zS#)b9rhor7(o+ttsH&8WIlH@UHudm`NcMC`Bty~Wg4+cr^CuQ-a(bF9Hcbt^7^D9U zb7T}Qv8N)SXXW_$^XJy)0|`PxLcqv?qb^5BRh5ZNwIEWzZGM zmJy>WXJuvDOotQ1$mawX2>B|js2F;NJ{GgF5@mLCE2P<>`L((#b@HdopySiah4MH5 zV4pvaJtbA%Rj{OPSSan0(kv_#Epv15E6@V!CdG1U_!rQ%9#)$#mcm=3qD z=!DCbi-N-3rHq1!ney`#FV)8xL51M zUX#pR4ZpIjls*s95t9Gvb(*jm^C~sX!P_OVUh=xT{qRL;kjY|VoVCONB*>l7aJIKQ zC^YDtAqlRKOuPB$HeQ%Nbn1Ar4i?`V*BTj9uD4K2I>kN^v{d)0I-IWLi%y(^J`0Wp z?JByJENyMoxzBvxpT9BxV4ys#cD?Z4C9UL62HyAwseSn?$vG1YRfKJ@Z8g7ZHlYTh z^DKFm!w$>Pbp?+V;|?0*StYgUUgVVwFD6By+$)$ z3`H2Moi#yz-QDhwy$o*&H3gD(!HZSCEzz5GfxoL_w}t`9&eK9LOxyhe4NuJiZ_j-X z3xvmCG9|Z-YD=?78yK6W=gszG_kN0|8VS#{`Uka}S#S4`m@m-rYFj7T(o+dJfJ!e3 zdUwU6EBJI(ctN8u{|5qLiSgfh_e_K8?eReyF`MP`&1xFm?Z2YQ3bUAxl9F!T$7Ov9 zJj!|b7FV%MB>ve)l@kx$F&S+wh^sL8F;hS91OvHcEbT4#c)9RHvSsfuN^6;u9kK<* zZ+oDJ+dXVCYZOiDAiay8PZyUHYApCsU?m*a>w_R3`(fGJ6S1o)O^wFcvy!K*?gN69 ztG|>D-ilfV0{ud4mP;%QbAZey#4i`7jEPJh+m&IWp7oAoxcx@ zqfW9I&7mj0ts8Tu5-gKpSRZ)Dplc<9s1fH7f7qvM+ah(7ija!n6ng0YSyr~biWnwe z4;;&8hi)YlCVMAfnG?fSBr|>};SnWfw&a>d%vJZj9J)lVSLD<>Yg4=_=6JKV ze#8PB5U=SRaka0bMTBb;dhoo10GRl(iqi=u4rlZBVQ2YRzVx*CW7}3=A^l=+hc93J zd`WF_AFZ%lp~R|tV<77}6udQ@AA)|FWAfd#3|EY%7VHDjt*L^-U7?9V0jFhU9ld>pGNrz*SGzOE^%lhnL$N*5G>5%*cQ=W3bpl?V zwT0jQTh&H`QeBq`+<@k_6Vz84j~$*9e*?Bh)Iy_4Ha1a&TnHIYz!R*OB|Dj3O~^i2>U1$5a4}+ThBeu%q6Jn7_ z7Km8G2Tb2>9~C^-X3)Vq7i*1TQ!--O1#Id`Y6sNb7&EISg(am(N;CBV!GmRL9E{qD z_pjD4ztVb%Nbiy@KC~q)Lbe91UC#O97;7rNdfdEpbhX#Jb22Y@F0W{P;9a26D`GXB z`WHY>F5XmY80?q_YI^-@--(Qip9td4E|WB~g=CXPa2?1}u6+I{Eax?pT0Iw6WEE&i zuKxG2Oel`mV#+1fqW7sXWOpOLsu~sJoOyTt$o4PT)#FfNMJMZLY3Fx5k%Vj7nMi0Y zg_3iXQJVUzSJ6M6v-)cyDoSWUitI!D=~f$td)cD12^eu81=gWUq2P8pOviaIufSDQ z^_FOGRkognIz}W5#XwxMl`&IHi|K=Nk*ggC1YXtj)g7j2X1MK(Q&0P^LU&B4*S!v* zsWFv_7MXQf?&7IPP-<6PUmw#P2}A}jKV&c9{bbLW+Eq+@&gXiS=GQzou3#UCuDUic 
zBl^vfB;L2D?(e_%bw$-Pf*Tdvj4o11H1XhjuX_m-2T5B!spZl3%f|2P#Cf>1Rj;%K znU$@r^WDJrX^hd<2c*bR*xqJePY?RhRc$IAxZN*W%gN5;V6laUO5rT*c6+U2L{SX` zu*ZwU!^$7Se#xou&HrMm#qi*)@6a0uRF6dsm3q#Y%Ki!$^5TG?z)sA$yN%e?tR}-R zJy-dRIRU3NJG5lkqgCjFrhYjy-r45$$_K+5s2$TNfapTpS zw*{k9cV`$PI2{ST$IiNk=Ntch}!s(jOfVz0SB#yEkOgz&v)I*g|tcsA4+FLvx+ z>+FD9<7+91Szb}&!-=$OX@VKNro)gIVl)~q>$stq09VR{2lyeyxpoqGBvTct6)?TJ zB2(%fhgLnV=zRKgYfR4VYIoBdPssK$`2{!Acdia^IqaNv<(_$E3^>?XS8qoe&G3nf z3W}ApbK-b`F*S?rdc?K+({#*IDkc|x;I^JnwwSaIdzg2qcAvV?aq=`=V zPN&|v5OL5-NOOKuvfu%B3pv7K*ohkhp>7bX(fxI_e)0Ik>;`;<;zkah?|`oRelUi3 z?3mK9*U1=SB@m)|6};fGM5&FG;~D*w|6h=s_4i~{8RAC5BlSgDStXge)PC&~^1GLK z9B?R0ZLP5AqN{XK?fOf>eZ_@`k#cdb4Eqi;5b>iK@KQbFyB>2h|49Gw+S zv*Fgj>bvuVe0<8l5h*$|_7^v!^o-;RI2NIZ&>w=R|LBeBzxOS}rx~=1-uOH9o6GF8 z6p^=)mxMgQ|rEEOq!meq7VDQ=1XU)h@fQww$pncxq6$uwB z5sCX+tjJtglY^EI`;PVYbO&6k@>}qngj1v z9@*%EyLlJYq~s~ozb*Y%l5bU9fK@B$N44Qk^-6!=zChU=zk2)OJwC>RKn&TPAfHxH z5H@E0@a zKdQt1d`muHFzk?6(*Ehh*!y;FM9jKo$^*YC4heD6oWE@a*-Fan-WN_k7z=9SY5k}> z!2=8GJWnvR;m}IYS-_!SG|%DQRgmGB*Aq$eXHm#DRPBTlwj1BZf~oxf3rj;g;tS zAtBU};{_p6PTS+sv-v&~k@1f~6}8-2w`>1gSALqg`|}gCN;@1ymbP)E!>4b^~;yP5)?s)N-jjJbj066^zaXS5UN(s z??5Z_BRDS2&$+fM%rfgrkfPRlEN=Sy7%}Os@q%OtgT`CoIsqL27WPcPdzpq9fP;Sl+1Di80%O7k$?6B&`#a>PyNb#KqM&vEdVx zWg3>>g5F!O`>n~m$?bamVr^q_?Sjrqt93{;`bh9pa~LIT3aatI9uahox+?+XTcv9B z9OglvKwlEEdnGRi#y8o1E{d?k6Dm9|Q1dzxn+_KqU&kh&Gw`yVlE_3YILPcfSdr)c zY#U=4%p#1Jvc1vvs;%?45bhvE#UXA^i{=;NfTGfkKjeSNG3$2AR=$8L6};k*Ih?*? z)M}F&e|!}rha7zYufK%lRhk`{nqOmAx#}O*I7o#wkjgXp{l80Taa;%VUZooAzk#`4 z>fLSg;-tAs5VWoNYahA)mdAzP@6Z6LWj%*3N#X>a;p(K{2_%Ap=Y{v7)DTzk-HSJg zkN&rhzex=Df%xIX`~(4){2u`Q)?%~*+yK_GSdNOMvMm0UI$&ZU^S`I2)7Re^j6be! 
z=BnR$1BuVS-!Kw^bDKxU$IrI?p}>tSh+{S%1R+zyH8)wQKq)GenW%5od|ChPK)8gR z&8;gDVss2rVUZOTZ@c^Yz8>BIV%1NMjumg;?(kyp-9uSixMI*)Z|)t9`(5>$dSV%f zQ<$So?H8ek*6J<22UaGwCvR5vL=`OE0!yT5W}PpEyvaH6)+fy#QQ^;nZKP@nclrPa*tih^O-d2%JAeM z>o@i}izJ`K|KK(9F@ZvxXz411aE!ujK5^XX~gUq!X=^3vFCj7}Hc;<E|u3eXbPdF%XgZvAL z{{X_9I4v86yY?l(u|iYuWK^AnV~(~g+z$`ca}Tiy=;+cFJugQpzo<`=+eJW?|bNj5h;v@Z6k@jeyGN=$q(YqiI|Udk$O% zMN^Fp-E!r+YW#C9%~N8xQB3iAjgo3IKtqsd!qLcdHNZ}^>rl$+DA4jX&9eVE9 z!GJx`?{*>ciK3MiUL}>8*_C@kyqz5%x{bEOT*tv)({cE_<<3@rH3IQro7i$0^QIfJ z9PSHYng*b)P9rrW*Dz920Jb}@n{XxS|?RQcVv3Zk|(~FAx^}YoaB?|YS#!3TPF77J~inuzCg^xVH zC&<5Ol*x+FWnGz1V1ryAsa&ks+_5qQMhwByU~AP-x6JDcWRm03Z#OXS(FW;xVoV8H zLePR+wi4jykUvn^IA^O)(Rz5zL;MC_hC%fZEG*=HJRKOwSxHwDR9jSj)OFo?-38c- zM*=K^oOLo zjh1ya=mu0T=+Es3p*Sze(?TJgEq*cPp8=tn<&|#?+;MQM&_8WHcK>4W2zQ@C|8e5t zP(2JYNBH&bE?HlIq48BKABc^60L0ikN~%x`cW0IM0qBz+8$>MSubJo7O#Ye=-kUXF zLjKb%*%xpRPBqcKC{_4<-s`yB0-}MuH9e)OU0J_ctqofEgjIw7j82$Wl5nLv$Cw+00E=I zo!6~t;q`f^9s2r6m<+!&Y^soO+xsOy0Zk_!ZQmCy{Iu6U2$HgMH#cgju9gAy=36mK zg7vvjuK9vBP~SN~={BZFdMmA)F8bYTFV^3tWar{J0gi`^8Vz-tD04&`pbMOmV^iD> z>!d}FqnGG#z_Oul3|GF9YP)Ze>#X9vg?qXOAudePeP6Hr`6(M?4;)ut1O=p`d_Q(Q z7D5ki=a*XS^Q{Sm&SoEQ5U(|%QXlDD|5p;cxymI|thZu`Zj+^;eGI2@b(VxFzg#Jf z>_AKn&nq#`;Y}}yQ42ub#YgXM7vzpJDF#N)$F%~`0bJ}8@oy%ue^`uZ(kuNB<{&JatQET|;AEnh;7PB(mvMOPgdR=M#C~7|x&9}WL+<`eId7U)!tvVWl zk1K(=H5CeT?A5VM-5;o$W?-_|RhkPSNhc5>FoJ7M9L zaD87;YwApro%R-ukp{{*9E7`fC&kj;_i8jX>BMvOexp{v$ECRH1zX-~_a7{`No*6K z42=u-InYp1c?~RCk@dHS-iRx-Q6isbE<$LPqxQ0Fd+qQlu&XORyPGZIXZ!-(F13DRz-hOfkK=K?yGfr2$un~f zX@6uHA{Uq~Q9+sPg+>&gSQhiU?UY&ue4F;MzgZ#1$D+be8ysGDd-=68q(q^FLS}y}U-_7w*ph7rXN%aMc$A+T*hCe-p6{5)v>6|* z4%WeC&U%WweAe`0{PG(M(yQ^tlUX@x4c8WZ#)H$Vd^D>HzTBSZ#k1fC*5jVH*8`{W za0j_+pj$n6E1^08l>7xsOGm&V#G7)$pll6YSN-h9uDgSvpIZ%DrLB56#<4_P>DY3* zC3=^`4|QMr8>)%hCixZ!sn z|0q(OLoYW?fwLn7=b^P)AFLN#4HITz+aJ)Ug9P?x9K^jg1LrBg*+C2Odbc}|YS(^y z7xbk1I3|8r2c>w#*n@Gx_7F?3u%SiDV%!ee8?&%i zWO$XMIF! 
z=&|nHC1`p=erd*H#E08}D}AF5d-jHSQ^vwuo%(VC>3%t8fKmgkJF8&@U+qz ztL>d_!PdlfqI+rL--z%>eB$8Kim>mETnRSlYzez-y=?1&l#Ku!kv#HBtq{F|jAV=& z1o;p8p_htD5H?K5ot1-(aB4&J)3?mXs)M(f4k9Z<53Soj>AKGwcqj$~Js^>PC%V;` z4u$e7899R6e6HksUkE%jI)~z>?=<5h!Yx?i+Jg~woErLWwJ_JqXM)Dd+^#EWggey( ze90WD~!*rarr%6!jhJRIkY}3OaejkAtW$P!Jn7cR?a@_uWOncNk;IdK1Nn|Rm zYnRf%*sBmt<$llX7e~xPzexAm5*!~iu&3YpG)VN9UMmns(G!x4kL>52n~mCKr$_!C zThK3mIOX9iYpVmhL>Bng>0G<&<|OcD{objuyGm@98RGj&796^qr)#^5(rP)Sao?iL zTkFpqTbZ0N{1ShIg)$W|7ksW2vQb?Tr2^Xc9 z3lzh@&UP@WzI5^PnYe-g*?EyYDUu_JwkexKKnn1lh=Er&%xUDA;7N?w&H-`MVqbMi zoCb=X-BwEI*=DWLhe`W^^T^mLNh>%lZTH&_Hl4uaJA;;*Jj9)& zcych*g^!H%9ix&_2+lSVux;PD*psJLl6~sq5PHr+U6_kn}IP57em=eV?p< zHwkuM`Yo->-V`u~-Ha8mPDqOT3iuf^i2dk$qKQ>1&8zwpFw-|S;M@a@gP-2pu%LCT zdqZ`@B>e&t1bcf%aR%v@unt}#k$NgR^o$rjS{ks9XJ9RXe3N}KR)p0S73x9u_yg8MN2?p>Ur|D zx|5+7Mo@Z?f6XiU7T+&iibFtBwB!e4Z3NtJ$y?Jhq7g+YAyMDwlUrx_FuBN6$`f%__tyg#8H;1p@nur1tVHYRfkfA(>_)#(Gi3Yh$0=T1j2n_S8i3thk1lu8SN(-|NZ+=6$7CJ=-VyNLi8SLLEM;W z+go_&%(RXYo$h4B@~D=wVmgw-4k_KSCO+W3O-(3&#NA|)*Qe}~M(~F9?`>X4L0ocR z!VSmA?sjKx_ZLaLtdbx&sMb`x;a?3wD3aCug2?I@HQc1zbG5IQjOuZ34<-%cJY+VE zh!J}^skuFWf7GEzp_iJ6PbM{}#%1O02@iXdp4-anedXdypS96M$nslx^69z;Sh8qr zk^KY z5+PW^h&XWV((K-5AAP%tU5>lUv&#~=hr2{*Sp0y%Hbr6pf@US2_!a!i!%D`8(X=nF zNNqNh!p7%Cr-BPla2u~%Fb{0>MuYiRx5&H9!8|zYSgz4gf>q6wV=^C=n!Y^fB~ZtS zT|j7IAPxn1%qyOo{yT`28ae7(P7Qz=^A?%l7-?XYMw1riNQ@HN3U2r(|ADpm3r7u~ z>^t6adsb^tZzu=pne;pNQ3^PuTxMFf4Wzs3-m5+`fhVGb6-!6n&DO}auC_Ncr-GBu zlD%Z!+nz|Zz11}MV&hQlcl!dprBT@%*06O(UFpSiyV8e%u&m;=UXSp@dkKy<9~M6M zCWA+rOsnB6u;2xS>CM>;!yka_zV9?r1v`o>rifklqJD>M$#`bLKUg*ml&t{2Yp3A}QY$9YRtQYC1jXz`Xv&dA5f3 zUdTYV`)0V*pQnEW{`{WpMU<}>^#=1ao-LEz_;??Me^DngQiTj1We>bBN!2%1!=zi# zaC%DgWYOJ>)yNMwE~368_@uH_m-cI77wZpwA5&-3W_;`r1->IQOnV~gD{J?x)4K!g za{LV%^EC|ZN+ntII0B1TT}Mg*nS;*5BH{1x&Hm_)oeg9 ziyR~7>D%Pnv1fDzFH0H#kmO%N>A-i$M}omuCo1>7d?YpQ4g?XQ0F8Lxx#H=wF4K{M z=N(;KfM{9U-`}4lm#yRXKe(|gIAE3vmLqG8uPdYDMB1loNuR4|asrxKNS5@Id#q%;L}izUTU+5t zNxE7^hI8I)@~3|mDP2rT_JyzvOXVIm@>*C~i5F~_nIUpQsYMFpE$5ov>!0huRVoiQ 
zEF-^snYuNFdDx$mpC1<)DLF0FOMCD+GV(cq^Fu=zB!=CGzq}eNHg!W}m{nwDDgQyE z_^O>K85|e_QQfF|X(D20k5|MrrBK)2i}MYUawcx=Qu!{$>H?h#WG8c+HDJu z;lF$Vkd1hWUfP^8eXcrm=fQq=e^KF(T4J=ukb;&>`hv#G_T2cg$PyE?de|+RPc*3$ z6=sZhWDqSy#c#J^aEG@}?Lbn4a`{AOB_rdNR@s}FZ@QJw0V|V7ElV*5$gM2T zNI3risDZILSo5frTPb`TC4&GAku{^ZSe!)^Yd9Jje|jJLrKxF52$PgPR#Tall~vL= zEs8wDTZHiW`4KMU>sPNjLuiHGJv26)b(g-Y7@s&rX!N9X3g zNf3AZe5m_}$w5y~uU0X!)wy&5jN`XkI~i+A%-)a2nS;IyXwx>XcI$P5ZVo&?7( zyQkNB)B~#f-{)P~>ZoNI?2=1M;^Ql4*H1U2qo1m3Wv+8`#x{L^8iY`e7!t5w&0G${ z3VtZ^`d7TktV4fB2jh>Hnk}|_>RaqHI5a@kH#Rytzu0Q*EuMMA00yeiw zt?O>=p-fb@+W?jm0|#C+`=ZjpI5~p+Sd5R@8<^p2wF5i1G8>xT(L56Ffw#7SIUnW% zMbYoFWZi`kqO06q}VhE#+T-4Z4>dRy8-^t&*cdvFW z(*0ricY72zO~VuI(%aI_lJ1AG78A30*`yW@{h_#xa$(yxJandp++w!kDmC`=ua$z4 z^sv6TGo@H-BwNJwj(nATL2YXF0 zV%|n(Wqt4rZZn%#4Sy=etQVO-lIS1Kd-=rTj?bFRiOYQJr|}BzYw9nC=u5sna#xk@ z{CV^#SSQcA%S90}^JmC0ChM8U3Kx}|`C)AA%dLy%X;Je*7^VjeSjTN}Gz6_yB=`9{ z(Eb($#zC>eSfiPITAFFUN>$xX4$^lrkbq>n@g6~y@FUDk)oGeFZ8oZ^ADU72ZsmEt z&XXrGe|{dB)~L$0@_2NfW|frWQ8Q|#vUu#!ioJ~NHz~1${R7)6A~;gt*7SEo+L({bzi!c`$_gk```(-lA9#0EnC*ti>#Q{$k9-{ z7*3Vk7`+Ukm?qt1_#6|H?$Pvved7Wy^lzvJH7hKSxGJpCu^9{M3QCBGU+Xs&Ch8Qv zjO0f=Ntx?3k~yE+TA8KrBTb(SLenFS<*#qHUW(W%Kfl&I;CEf@%^=5vN&ZOw&w)^; zwALi1PFHEtg6(5X>K-yktQ2%hP+iZ{&N05_KVXf79 zLE*FabB?0a_2@9mZAPr|Qd&n^AQcx&=jRFn%;(plg_MjuJ39jjxdDPJ7!gd6JwnIG zAAy4FrF~c zfX(A3X%JowC$%-Y>Dr-DFHZ0z0rvpAKbM28mDRU$ob$F(gBq9bhu;`H-T)Ckws9wy zAq&=;m<+kgvTc{R^%cN}PahT~hYVpCF2NXh=C#2&s@Qpyh%YxN-xTN2-ym3-`K?mUjFOV_(* zR^c)F&qE1UJ$mP!@Nq{iTK+?(eLo^ zAL+vou>!|wxe(6~g%EjZGE74k7P*R{{ZssS$unQ7yMq9;u&8Jtsu`Ei}K z^#+lUO+Aw=JU}!RaoR6DNV{JaM%J6H#~Ey?(MmnI8FTH_s0HihgcS0B~?+H&0thLVKtt-5ApaX zdwl7>9*BtbL!C%I)Hafmii%;NUbpMVEAAbJb0T_yEDPdRX7q=xnBCLh_e8VTmW{1` zSK^7fDx06G5W}Mr%>3%ita{|#2uE?}YB*Cbg!f5)v*jNW{v(!3FZ5ezuU^^vy>9w8F>Tnj6YWQCV`il zGL=U=>dEbs@H#B-9QNM{UzA)#FkV#F%Vw=asw6cA3SD>qrAnYUkWS7_(VhJyInxa6 znPNhw%^#OcSAQ%GxzM+J3J{?D$12qrRSie2`H|Q-Jx4fo5ULQPkXIx}vyv!J*Aref 
zexxxob^wiifwD{XHB;gM>=3tE3Yot5=qgE+bRQ6Q&6D;K2nGgn7!rR(h-*z?GVkQ*`S~OEgLjDF~pm^DBv*s0*^({<0#ZqoC@x-Rjl)M&XE2@ z#3cljrM*GDl}alM(V~*ql@j{ngO+!PuRJ?RamStm{Bd)?UEI$QB?1%>r0+X~pb-Y( zQ-|^7x-WViiQ8xgQe<&FB@I4;u|aHczIHx^v|>rz%vUs@h&A zi1ly6k>j?)|120zTINdR4%VMW)gI?%@_R&nOSy~=VLDDSON}EvA`h!OK+5`}^L5n1 zd=Vr(B<=GS-iAjD-sB{fkI<8hDvx$Csd#iD4a~C4k{Xw>QBUdD2^_M5^m-{Z&$XowLPq^`LUDBQ5z+Bl{v50g7yMD&;{9!lf^1 zdliO?m~+srpQC^>TNo?uGT?uoFadL33uuVFH=YTs$ofQ^=CCQ69(kl zDl2AWB;b{1=!P(iH@oIzr}Ju&`P(O0TXjduyiwrc?3_S*;7%{*}y<|<2%JTaOQ z+N)e6hI2}7UF*;2rl}`m0b%qBgaF0u0tsFZex(Se!qT=5sd0kz$Qu^Ybv?n1Bq$ig z9_L}znT%`rirPug_a03}C8ZI2S#@l*#C&kLF4ZqxFUapbY7>8Z*;{*+TlPKu_8u8i z)$3-d|IDR5b}&H#>hW=G_NoJ>JsFKVJ$Z+nHDggj(x(}-6ee`-&1%<{4PE9qn|n?1 zE?o|g#eAf;g!+7BT8$GQRBt6w$?`}y!taxq*N{i!rIWLU3YMTq_&DsO;Vw+rk|^Ck ztgZ`Kh>`yiQ8T4H-i;iB6loHLgCD=A8ZdaR=EOHiS|Q}7w{dT(G-2-K&-)-wKEfa= zuDeuwZg2s^F=%jLxHz^Z@O2(4U$Wh~-CZ|JVTkia;I}}kz_8D~@emcGgSoua3B6pOs54e?XWEn8{GyB!;he{6R$K7<8_*f;oLChfo~q*xkar$Q|q;^Cda zbnjiXAjR*e3A83KXBhQh!WOO9AQ;+hSyE-hCK>fxZ%Qu)(wi+yrZJ1tBX?>dncUSZ zG*YlqC{sASyBpaZ(?cJ#s4$Kv*aI?!LYpf-ZN)|7Qa1l1=F>Qg38x?s+bN)=3p zd&nWKJ3=8?;8#hPCZK_qQp_h7X%{TgV%>0s_7;SQwbG>(!kEsaTwvr*#LFd2(RhM2 zr!}XV^sG!N&W{1hW=Ol*<{NisoBH<%oWDVgn#P%DZHKs}N zzrZ40=yrCo2r04VkztKYvvFHj?LQR z-NKPE5LiwB@^THG38A5>9}I*+q`jM=KQ~o>+~zsKVr6QcV%U_q#3m)vx6qi46Hb#l zq8`N}vXC3^a#an}Bexi|e=N4_+z?tk7i2o~+TMQq)cs_9=-HyDn_v07?IFDiRV&LE zE1F%O>8Dh8zCyicw?@|bY9KlCQX)7meO{Bqb^`%>gz(MQa&rRX*T(1X=$xQfr;NnAyC+i9*d_`(vi8)ZmuFjfv%Tn zVGUKhe(A}6T;&&V1~cQ#D3Oa;n}j30<}5zz&$|;ZnH%_Pt6s%fsIB+;PF=H^EzeUv$Ye_pG zEwG`W<%+hKG>NX$0}e{ImyCo_J%euivK>)sMXv0b4EL`}zvRi^xGViq^zt`< zJn``~ZbUO3QoQ3XF8cW!f+j)38DA%I{{wb-uwYh{BU?0`17Fi4T6r@bOqy*jsrX(p zt=gJNV~cKHsH_}T(DN#Vh{LEOR+nLcG$B4xBRAsV4cKAuJ% zHf{s4sT08~yfDg>Q68!ygIm`)@7?=&BoS#7;q5L{mUk*qWPP^u<;iKlW#F2D$id|9 zeE%1N%9+Ixjg(EXcY#X#``_N5OrUq$g~)UD2LpEk+@^g|Mm3)yy0c}C76ERD{A9Xf zEQ|IT$>)b*mP-xpq1}1ehY3!-^trIPCYu##>(@1nL$P47nn3f**`@o>Kif?1{=$cQ zrKRZoi}-~xz?HJlk&`QBjqbZ}E3u;%iYXL|;jNUrkA~oAv*~}p!7CCe>f!zf#l^!X 
z*Gy9h>iF!dc=UyK|6y^1-v3|p*M9~CfUf=rRs3(f^zSiA-~`yHi($KBmTXd~6EvR2~Zp+LM7B_^JQn z%i=aixc81pTZ@bDja7urd|ThU*bM*p@g*nsH$Y!iAFFaqbd%0k{TDgAYS}woOh;I( z#)~1h-Z9?fWXb6ng3QXwe-KjF;DtXi3X|iXo~x@HOVJwr=OO?w_#cEc=i4{6<@HT? z#_b;r42<68@2(Kin{odGAuSI$$Hm?Ax-pB^JSu&!GeE{2pTt3Yn`y*0o-vGLM7ph= zfL0Cl2Pi|LUi^D2(6~rpkqQMZtxp7LdW`R!6f`s{2oeY~^Yhi-+|o8hD5ZbXisJx4 z-aauL%MT!9u+)6`>h9p+eNK+i%vKWssoY^>JG96sD=&WrAmLlz&hz&UHfW1I&ria~ zYpaiB1oY`{-C`3K-eeske&!ZklAm8IveBJbA#ePZX<^B(?Q zf!-5A+i4h3w2QQw`h1dOKmvfxsNCGo)7#Hn57#+AxqKM$!O@%EEqSsw-q*(ofSt&Q zh%^-Rj_soru6wyPOULPJ)&2doSMb=DR$>2=uy6`o6JTlX`d5(w=$l4b^x#4wl`WLM_$smq!^JJ~d%C4DpSV z&GF{N@mtdA>xSN2A3uI%6LDS=2oTqwn`;itiwi8}m{}dNd<9%A zYGrv-7NyY~jBMk9XPk1PDrtJ#(rvA+PmyPCP@01`V;ne(L18n@U?Ql7gK`@%(_Nw> zhOmqDEAG$0N0sKE1aPk0N*$GyuWn12#K7STJPuy8rqW&6~ytC`ouUYc?lhx!8 z)d^mjdzEBi2g`lwwN9F=nI#IO9#rBSbo*)gd&DC<3|>O7X*Db?CPKIAu?Y(Fqa${z zEopSb#410t&-6`qcjw=3BV=rCc=r{$(XdovhF0}%qiEGMtO1^KPfuf?+~{oEFMXlV z!N|ZwNf|SaHZ@(;PI(ecwI9kg9(wZQ?dE7i9y-iVp#L8CWTthy2gO~*Uct=FOv@Re z*I(7F*0l@sMc!Mj$*0JV50()eMxy)>HGT`ty9fy^%jlTx$74RvA(Tg1A<+rRjoc8*`lhB>d&9l))rH_~<^j;y;7V2}xtN z&_RF2qWsSAJB6u~ds<>ZA|>I@cfz$-ef^7(hjkC9>ciEU;2!N9gDN`roz{QoAGNr& z(5<*Xj9N%`o>onNx7Zo8n!g|pc>^*$JDb&8x$IbB)U7vVG5&-ULy*-jyA%oMlv_GJ z0X(g<0JVEHl>0(EV0*reX>mpL#&gZAROxu887$#w0Wq;BpI%FUP>~ro1(t)WWvM+b zkB_DBdG;IJn;$fgs02mGySBRnhmkfKTbhPa0(?HlyO+z$LvFy}V}P=*J<-jcFF?Xu zhR#S)jftdr_Tnu+;+CpvpLW4miJ4`hvG;(Ki|e)YmR)T%wY<6f=D@ICC*2=*5g{}J z&q-f&LNzhxxi3`jZ8k#Min3tbw+#K&pshGF^B%7sdOJDZPNQjQpm9tBGLx}uho^6)76+v*#WZYOTaamsSHkJw)5h!vUsJ&RHe>Qex{z1}X%rkF+XnJEJ+p;T(L- zPiG(zdy*c~r+rQh(DP@S_gAWZ;`e7T_&gjB5*N_-W`^U){8%vc#J8mlrhZ~5jwZ3DK`G8R1B+P6zui&JDVJB)*` z0T)?i|DHNY;F-aIS;Gx9gNcvlEJLI3Q_OF&E%sGuonEsLqyD7?{PJbz@dPK_&$Jo~ z&&0IU=d_HF0|wkZnDyQ1-|qeR0OfPcUY|re{PMjP{Cf9Kw?go| z!w#>T(n@(g+A8TR`MEn!^++@6_pR}GXQA^?ZNr`cUH`1Ayk`dvsU9div?*Ti(c!BG zrZ8RO_JY>GEvrtLme1GtkigNY`c1o7?eU+)S`4A6kw2KmG5-v1pYf)Ug|g-J@4xKh>!M)$=(Q9V)S** zpVIU0A;u(DAumW?jN{HjUFHqOqe}T({jhGyd=|uhaE1~W|A5zdMAA%S67>#45^Ps 
z22J`V*|in+*Qfm^YWbT2$xas60Fh(RbqbzQ(H<@ z*B$uW)2^Qv`|``1^_bri+`OFB<{ynw?V}`k=8a9e?X^8JD~DPGsws$Z26-HKNASUd z`>LM{e$o=fHJpYVInkp`9xRr+?6bk3JvB8CK3)`#6i{pu&*ES*={&@2j>uz4ef%Q1 z;PV2)Y}e}O%`$&2oCQiP{;RB1fcQ~QUe6ce5fykVm37A`ek|=8sN+@Eb~&s}SqiON zs+Fmw?IMHwJe+2&k@`W_%WAONAkptS#VMrHx!cq9k{^I{4MM-lV2GMin!rJnpdcB> z`-WbF!=o8H9`rkqnHmmzi&eb`J?xt)6$s|!=7pr3p^67bM9hyNuO_nJ{GIq(NMlw4 zZ5aL=b}hMMv`8%IIJukB_`^(^Yk~|uFi??a6nZ@nyV=HXjsoWwZ3B(@K$g-L=>$%O z?SP*ZYJV`V1h;P=EKBQoTvrpoEvNU1dM2jXgN=qz?>w@t-H-KsXjctH3Gb>X(_!`P6%rfWvF`Leyn$KLK4DLCPI`iq>Q}7B zcoJ15c7#jsV^x5Mp-CT<5M|gAj||;PaJc=uug`MOa84_~DI3 zJbmmrq26l35Xdd=$NqkZ9h?u|B1=#3TP(~@IPH?K4I>`0bFz9ocE=q-x%q<<=Oit9 z`_l(Fhsgdm8$RI%h61nR;4-#>rqAYR&c{QzSleDeOGSg7Ze)ldT9?HiZ?(?+&RZXAs+$_cHqS)=JhV$>~ zvJ86cHK&b%v|>k-<=qAxuV5gCcM7N8^uZXK8GDED6*NtsD%Pk-x3eLK^4->L^<2 zWN)|9>C=*^tooQ?$wY_;PSjJ9!S#MHwBA`!WeQPDO|Pq~6WOvmrO08Gqjk#*vK1#3gXd$rBYJ^q1(3~4%pj0G*D%#>7Y5GnP|}e>Xb?^&0rl!KtP^hBR$-Q8Qb>c*!vTXQ8>rQ z3wg@7T}}i(S(TCJNqMRvJO26Y_xeHCvap7w3(rROv^0O%bE?^>?N4SRG;l)NMOp_; zhbWs>tT2>5`+Te(?knJbPxTd4!vCii1k} zKq~*dtzla}5${lHKEbSaW1EesHNp=u%grA>7>MR+YcQMD-v-oY_alqgwcVyuNTCBi zK)3h7;asxoU8Hs{8_c+AMj4P*9F(g{t}eD%34_#_%zP~?mMM8mhtOj>p{(P?r6@e1 z=`QX~yJRk?tIlZtKl~@GX7*Xt@Cv=*wqM~tg;L@oY$v%&vclAG7NP*)E|LnJzXtUc z5*KJ6b9aTg!?7NQIFpDs^+F`2Idrwxqp&p@)+@!ukM1N3n6$1su0O*W79$Vb`YKg~ zIhe5J;#T!MF!-KL(aaw`htQg0lp#@NHrZe8#RR1VJ$&YFLXT}NeFt;1hL6OK85t#x z^QM8&u`RsC{izPt^#wvJyHBSIQPM}avHUhZ_YOwq9GmRgIPgSQP@t|JGTW4jb*(00 zeS0HpiDK&kL}ru?|G}($T`88V$DJeG6CVi7(tr8J^rxkeGXP4IN?8-&Mv}>jn*!y9 z@%SpWmt@pUn%TNYw98$|h7!Q%oF`j{xPwHoDh&(wt>vH1@=SJiq!zoh)}h%0P!FC# zciK1`FIKys#)R|Nn6psw6ozR$eiI}J8hySLv4)_!tnMR`o5+*X@N9GU9Yqxz=7 zVdSpCzo^Y=*;YxPP>Qha)9?-oxsIeUA$LS3y?ho86HU;17s-8Nfk**wH#f4J>%rIk z(mtgH+AqyQafn!N;1KzJ@U!t2fW7L;Bak*0J;Xz;FA)W(&k_}eNZ=AQ&%DIYTQ4-qL6RxOR}MN5I+FKfN3Y!iIR4*l;*ji`t;d@SWZ6>~k_?vz)6TLJAsU~beq&)_(s^3u>ZN<<-1 zm^tHS^AvQ6{?hYWir0rAiJG>VYGK6O=(*CR@fi*|gy;O(Etgkcoxgf`(=_eT;g?Q? 
zwdp???;m34E0o>^fNPfuIi1TaIWzy;1&$3q=1wW~_CVS3N!OcLcC8$YGb)VY{a9ZV z0xt)oYz)|1B^J{W=0g4Z&D3pgXqPn%XMA|~e~&>Jk3&#z?B_!L#jDS2 z#i6x9@DbmUzH!(`Mdo=V<+>~8Sn&00@0x}COx_e@znWrld-Hp}ok?up5ISjGL*s`* z9?5%Hj`L!UCXr8wQ}7C~^d}!Ibd^vd<0%|7x+~*^GYclyJhR>l4p7;kZxfS3s7=$8 zCy&Uc3wuQ0ZryCXW!fUt4mW9iKn&&OPN?yA)__t)eib>cGMn*YjM`tahrFr-32YHp zNUzIp2L6(8>C-5Yt;aj~NZNrKCfCr)5r)o|{TivS6sk07O}gjJ*|BcuB(EFAOgpvX zICHOfC>EUpwYRNyf2oMfxYs>y!?QR_n|$Ubxf^o(0$)}kj>2E-hr`xgDyYjJpmD;O zN$M+;{|`zB>Pv3w-zMQAiK-)G3A))tXSG+2lG?`N!dwQ1`4-LAD-e?#J5FV;%%Xo%}F<-&bX$0PLWXaZBm)8j`|OuV(TZwD?mi{fY9aLZBE(^BhS zl}QKe&j0jhZqlqbdU!kE+zQmOvrFrk8y{c@@zuEDH{wCPT4(1KMIA0bQ7PG!Hu0y( zZ3(A7ouM6d67FS4M_@pgYhXd#Fu_oIQ}aUJWM}l9_Fe*^a^Mz7eFyR44sQ8T;i)=X z+l~8dG+$1kBMnChc=7E?_p{HxdSM)}RP3PSYX=Grq}EDOyOOA5f(^wNq9h_t=9W8l zj`pVSF7YpBV!F>4NQiF~82A+i?QyGUq_A%~Z``z@uPoIw&yivzdxC7MEShf+JVN_0 zJzs@q*OjKz%}1mVYp}Oco!_88Sv!e*8_=0}ioN?sD0OIvb5b-!{jT!|8Vi0#zuon% zlGW8eo_{zn3B(UV|8vz3CWud5ZIjSu3{bDTYZni@b{}qD7LETdfu&%cmT25RVz*g8 zu5b?dJ2>1OkRt=)2rDhu89Sxe7Ypf*hs=40lwD6Ha16v^S zTMl#G8O4FZ4EgHMimBt%Wj_`F{u!(TynTR6+tXMHXB&4Q6txbtfOeV^I>{lk*@6y# z6!V^EeyjxoQ7_XT;pM4iht{5MRv#34odcxP@^x1nU&Wv9#0em4`e#uK7|{Xf(sQ^B zsCi0x)sfN({}OjxeP!TzoawmI{}Ug|Xf>3lad;lXrO|V!TKr0Z52q|&TVkTr!lbbN zqAJdV$@3_UNB0LNX(?;|Cg<}ObS97v9{#Gz+Lb6$2*9VV!+bP2q%B|VUgTE2^@Nkt za_{w3HgKcb_2<+y3}3ih&OyD3>d!Z98Tq$<%#-nrI>u6*di8xf!#DCM=B z7H9?B6+J2Ah^~W^N=`M zo0Xa)mp@ZsYhXE6oawmS+c*Op^1{Fgp_zs#H70<^^B7L9?-$-GVe9e1)=&mZnLx6A zs$W~gsHtk_Ll4e{)h278@L~14B}mw?0Rkc>Rx3$BS8SK_}<->X7Q zjsWl@cL14lB{Q0f9(8 zIZ_W#1o(NJD$z%PyX_W<+RaK|DjKO`sT59B*lx|KrP&XE(=zi%)ModB+>a$Rj|lY! 
z5152~+d>$ro~p?YUdV>hulVc-Hf0~=6x0y4joWlYvI)OxC-*Wq9Z2V$T&)GCrv13( z?tfi!EH$1KDEufDPzDb}>>m)N6QROjJ0HBVnzYt(@YEl^YYSyi{{UL&dZY_LV$iNG zob*X0V#?>$j%%@E9T8t0)la7YX$`8N8mE(=O{L;EG4$Qn!Jz70PDRV+1hq`9 zKZX!8#)W*7)o?iDHB(T%DP9f0Djoo*Oy9`e=B;}A?5d4#KC``C3=i;DjOTCEA*ZCL z6n=nwyv0SoDpVHYc`#-M4^ZRza>Bjl^u>OB=IQNkPV@k zOEEo`D~6$m5;k zZ(hf{ONRnn_wGEXMpbdHbQWy}WfjP=J&nfXm1`BAU_&tVbweMuDbaPA3K;!i^dQ?y zN!ND~dygtA!_oIg9u}duBr0|{)Cz%mjG4VX;ovh6_QEB%c5|3>P7`z3)WaU$&hdTe z>zdrw5&DFFr z@Y=wO6rxc+kbQhfe>EQPTIQC1FDfe1T_K*MxO(FniW_YHXe$<8-p1i?geC3m`Dct* zd$}mV9PcCIpF4glRQUP#J6x?mb_7J96=BEK`)iYx!N97k?Jgqa&9gY(l8}&rGuf-( z)e)j1A|i&P>W5saU;ICTnh7A!&i6y`>ptLtT7Z9*v(})e7+r<< z4a6{!%u(R61Fn$>+1s}T4xMbzQsURx$ExhCiZ`h zlIC4$Gv&smcY<@ei@LN5lRSvu-;!!jPWmu^2%ad2-Rq-YaeSyi1YRAGxt4Ijr2cGe z9Z!AexBf|Fx`*zFFIk|YgEzDhX5{O{4-MRBB;IU+GjKf5^HE?lNwQaQOP4(HB zuAK;Fka*3GNGSz_-vsb4L>jz#0U~Rm^-SHAj(VBL^XHKaqIL}+b#qo3nz`F6J{~r0 z2DU+boo z0&`tISu3od7kfMURW;qJ<-_%Z{%3q+>0$6UAf%vT?!D;rn_C&kwjM1qisjPabqC`L zvU;-8;nefyEpR)nZR?J+BtaZ^T1s{vci*ZtyBgkVfft2S8-w#GFtwUJy`tJPd4X~B zig)i0b_;wq^^4e1$o>&EQ`x!b_h7@g9?K)7OgT9%(k@ZZ_nja6gw1*;d)L&TDJd=e zy~da+jM(d6G)xn~FpqM}IPazG`|d~YiN=8MD35?Z-^szo+Rd9oY#MX+VC;d*?g9bA z?=SPUUAwY}H4M28>S_YfR}m;I&19t{8|66;KUrqgsrRf^N`Z}40E8kyicj}PQNDIr zCtB_lB=-V0#!A|%oVRSir7Qy)@O^A?f7_YhRR7{xb`wWE0qASq4grWVUf>lb`4Wuu z(8xC(gI^4DX1|7ieKKVg$7f&z%BV_#CggZCRBBz%K`xAOW9~W1LdOw(z7U1@2HM96 zANqVXPyy4*aOdo9lvMrx=F~*>%;rP|x`IKPQ&D6r|c9I0+d-lEfFN|3FO`*%8>U|-e9vhCgg*8jpWg+ zALC;JDC2sX0O+bEf?u~&fCgYU35r3&Y43aLtu?JwX{@!G`uadE$MhF8k{UB>4e;H3Y?L;CNdRK%BRF+1SD?VPp8V05 z;&tH)MS%(3{&o^kI8oeZLwTPapjvhpSzJ^EnhpY$H|BUF9)SnPQ^bRPIvwPBUL1f1 z7QZecno4&wRB{^Jx_ByFjt03a#$|c3-%t*jf!kPLF9+)9!BdZY)yL-sY@NR(m{MXt zC>MmmCjHWEGQR``-Y4t@Y2x#e_;?x=UWHPkaJkF2F`f9kuh!$G9b1<20l#m@y$rdn$W^ z|JQ8;CvkNa{~ckaik2@0n%Mt$u)g~EpJ09U=bzyIp9ua>#Q*pE|M!T0cIRMy%nTI& zl=~4t4KTvh&g^5KAAF~xOZ03#&B@8O{`t`)4NY-=?B#CL70XbPEOA-l@v}9h6vSi@ zjH(|^Wbans{~bzxsNd|p_agTd2*KOrZfO&rXiG+N)wRqLg?}b*d+O>|#c-C42aryf 
zup=%GeG1icUI^RGZeE%jC@63agGW41^ZS?gfwsT5z{&-*+AarF#`S!p<}(7m3Pq)* zA>jj549Uy+ah4;k?Cgtx73u;cY(#7xJ{|q?r_(jI>v_m)BWjkiL-YXi_=7Yl- z8y-Hl6czb){4g&1UFXOEoP~AXYJYXK7p^8$5f&t72$Jn(bsnd#y?<=U{x%dtp{6nT zGzMPISGSxrw)oPhSlTD^pp%PuVlCn#z^*>sv^e;a z_zZc@qw_o8Zf@~Ht3cObBY^I%_SUp2n4aRbp6s)Nkw|zVMN)y0Oyb?>8>P=yJH47U zNB7(>j*kz12NSP%urC4cYXQ$+%t%=|_T$}^0jL}GWWLUP{^Ot+U?8gsO?&g+<9z>T ztjHFN)Zx$IuoD46LFGW-w<4!|1KMfxR*PHzo`PC%@Uv@p-M+$}XSiEmPLwo;)SMRN zKW~i3m=jYoevdQIU)D3H{Ij!U@W!NVvt)GiKHYuuiWgtWU(<=Cl*)c$`R2C2&-i%g zjaKP05gknQM1lu3ki}5M^5o@F-QdULY4@3L&c7eKEyw3D@;5glKye?JWX9%1ToNt( zK|rarkEyUlzb6z$^bL=gch});H81&P*{V3O9*+Onawiabe_SPX`cGT0y~a09)6Aza z<)&RPG0p^kpSz=+jTtZgo6AIFVD(Vbl|LQ)@o6anuC>MU!M5gmi%q>p?*3+NS59Jn zQ`Ru>(=80Faa>c@47!nb=HU40g~oU!n?`cUM1EECJ-dSqI?5B+cxSAhNuCDNA^*ge zCm9vRxexYz2wrRFYtsqoNO*A|dr)4Zxi55V#TADB?A-las1l@A(52e85grdaFKn-e&x!1(^Fn^Q%Xz z=XNUoy>^6b?0Ia(<{TVkqPJW4qxVU%2H$$EI_0_;VXZi%l~s;JJ8e z6vR1fr7!a2x&BXO?-|w9+O>@$iY2Jn00jkgZyU`9qEtb#(?bhQMFB$-k(LlpFruQc zEr22r=_DZ_C4`QEf}#*ws6s%*V5rg|ly5F9&wk$TJ?D&*A2^01$y!)3f^TiO=BW)rwN56352810Ix@zCtu9dJ4k!ai`Nv4}LPgte|5QW3+Ky z;aD9%=IR?a z>UuMbs*X_QQcIl9H=H9kUU<~kz!Srh$FXZf$XNlWUc0o@g^}b_piGN#-bp zsWstBipDmJhIesZxo1e6?(1uwxuBuYdn5m1i6+1SB!Efk^F>A#f8N)elQa@cA7F&2 zr#h}*|1ym-!j%k15(KDQQ{Kf&dq8s zn!zR!14)pBdbCtXrqL$`7_Ect_W?y()mOi#63c46C@giSWp+C7M4N5%^Mkzpr@D>i z?;c#5pPl+4|5BCr&rlKsBuH`ZJldMuBqqOdvPt|%jrw_RsBHYC1QktwLL|~gMJjULgxbtqWa$v-94nvANo+Q! 
zKgjYPT^p#`gXv@YF{Cj!6UGO`dq^yDW^K0fBOzj)sd>iNS_ z?WrVs_sW=i(1qm+KHptaf3V3cL?YjDdc;P;QP_*FlY7I#kwxi-*wKoc=ody66*?`< z2h7rb7HO%F4LHzTyLUtMJL0EmSG~ib(ebI)sd8_@D-cfyLQO;<#iqSh@fIqT|IBM)>0q<=JaL$QyzvOO!AjcfM(B!9cBH5wS~SM*&8>Ei;foL42lC1o z?Tr1$HeHNMIUl|as+x~h1oy`)Iy~8ykmkx|2nYsy1@(UYU`TW0$cYHkUlt4h3~-^2 z-R1Z6yi)95DxS8z%M_8_>BO5@cK)1F5ADf`yC)YnvF)r-C}jwZ*#jbNbm>}XFTKV| z()qCM)~t-HO?UXam%uY!!Z7r-ATl)qVh7$oM)!3Pl90%~cI%n+l7P4qU2gd+>ctcq z@j>6a%E-Q}x0!IDvsaGZ#er|M%s&_DB4p8wLsu)Czq~syD=XXmaQMaJA9PQmQD0JC zqcLTZElj*f_nq_b+k?dMx8|xJpP6mUXuZLShBRoKlFJm@q@7~a)OK2umW~@QrP)@k z>39$k5pfA}f0UE*(X4@k^TxlH`k^XksKW4lENaL$rJHY0#QNK5YTosWesZG{5|P&U zvpm%cl#eON?uLDlM;|+zXTRmel@o#`i`fCmyVon>4_^LU5D*JIQF(P`E2J6&d{^)g$Lt+XO zsFRLKIwBi4E(N#LJ66is7T5LLRJ`7A*zhDd9L}th8`kmqvB~ye_kN^4=i`fPy3b|p zQn6jzea+mW@r2x$-32QmST z78DX%fO^}bd9XcyKlZk=I~UCx`MBQ+VhlWiBI1W_A0m)0V85J-I0OFQpS~V?mkH2O z3ysl%Rb=~&Zo!T9UIIIPVY0wrg`{6UPYw_a1SLm_$k-Pz%ni|?gcMo7UL#={oQ6qc zZQSWL6Kg_`C^~TMHf)gS{@rl8OZXrK*k3U0Z;2nEdo)>kwq!EZ9QGGY#lkLh{s?py za1m~QeJP;cO`sg$SiE!(IJKRisLuA8z5yu0%OPnHA~#tA@&-jDTas>BeC4 z7!*?&KG1T44Re^R%|V@0NDn=?8p8d4JHSjCL_twpXCzdV;a8zVK!AMjq3C07-yj2` zs@z)Mm%J67n|tNM23V~A0Hl6`E2i@k*4yu+wlF*DQKisi3b?h?;OAT``@2M<_Y!4* z)P>?g)aP^3CMSy*+6N0pb*K`Qd&%P?(fGk1#`W;kGe@NUvBnQ500aqBtQ6b7b{V%j z8VyTbQJZMCnfRVWYHg)Ez$!UDRS=u}u)l%)l$ESsb`BtiC}q!VNYHUp{QynVVTxRt zJ+J{j+d@N0e)G9$hN%|E_B+t4%O7?9#Nr5L9Mb&Qp8SFAwtf&EFp%mWM84l*^p}i= z7tbajn7agFOrKZf;@h1DGUaOvlYR?!#k}^R{&I1bG3g={0)%7$%nu^qs(vW4GuY65 zcA_g#5*Kuhj%D@l_nQt1-Dg;Cy%AY}-n;arZ5QU}XlSy*#HYhd(?Z-h;uzR5gBHSw$a;mSN0jE+=|4{W(`Deo(^` zW)!T@6VR`95I7^8df4{U>p)50=B4p@qGTSeJpY-jd1L+{B>~NA%rS5;F`6ovpXvK~ z^>(h=db9@1qV#ktvtr3L@VX@zdU*y^d$>a?j_@48_#Q=Fk%&s8?n z#-C7Mm}WA?)fCj8nL~)~8oiP9nmm{ZSjE_Na)!(299OGTQV$=f)${W9QiF0(Q8?=m z9PPv0#E|;&-w({%%?IA>Iip9lGmcO>vqZoBzWj?)kXyj^`e+`8triVab3j~O8QHGe z$1QplaZkhY0fvt4v9XcwxC#&)0!r?W9LEUI6O)<-EE)I8tcR6;mz^qxzX2;kkCuW>+r3|4ewCi_eG zMluq0xATbqpAi+=qL4U_Y$gz3j{_U=8>8-enh~(b7|xz~^wLXUC*8#5{Dlk4`8o^g 
z#N^}qbM8TF92r^J03`&kPIXRtDL;;S`+a`t6x37Cwjtk^e4LMOuQC$A^=|X=>3J-o z9m0@UUR{A4S85#}U*%dP)FV;-RX@a4zJIEu*FiOr0*PHC+0YJ(mBGfi)4F{imhMeI zy_+yk8;lt*%5ZKk%969p!|)~sXkZ7(zWh!~*>z_%)Xk$qOOfwcJbL7{nXxS~+gqx3 zYe!sxx6vW;HA4@R&y6(mIrl49;(^J^)H>;y0sLPxmqm5zD42#4Pu-z4>&2RFN}pom zCZk=86;w$_obuLeKETJ9iUNK1$~no+gOlMv+rWmk-DiF!=>OC8<4(0i9&>Y?n;G|j zb*Gmg_2J3Wr*j7Z)ZDOPgN&M52h>W}fMWtA>$%>_M+ly5I@D39>I2A*@+LIH4BDV? z>2iaSsT~GNz=w$+y0VhbBKqFsE;a0XWuk&g$kt9aZ(U5-KMbk;dawv$~~8 z{7L=^m^}*7hV7N|^M;`^#8U$Ls!h*z>0a2n7{IbyK%Vb7GxohP-R3kY<=#)A^7obY zb(ylrxN<+R41wVLIGqVfaC@Az7I)lLb6F@8qdHI*~b@m7Qe6BpKLrC(}5hdG?>evJEG{ER4sF z)_v9HQj${f2p0nR2CUaxj!>=}GXV^4212<&JoTZtVs(W(C5YynyWu8%0QNE6q8Jea zfhJg)7J46(c1ut!^Rov&=Z-3eDs3A=uxuF5P!4!;&!sU<5$!wZY)3P7N!8+-1I_Vg zH%eRPWresF{-Y(VL-5f z_0kvtweSD%$Jpi@4cF)B&^@Fqf;S&5Elcdp#b~jC!H_P@>bNXuqw2hl=5#JaM}6B6QRA%W6OLEi5d)<&|*k(j;Y2tyrSb)scRY z=1hj+Q6^y9Mr4C`75S;A>7{-_{sMwC$E4px7iu@o_2&9o3ou`~PiPjk<%SKleJgIS zAkI7gxqy779KS1rpS_QGk8Bb$g@LT2o#aXuWFiHEDgKGhw{FXJe+FF20K>3Yf>%iINqPS2|3x0O*sD0fM%R6FZoP(&X}g zex3Xbheo&&wZUv45D_c!io9quZl z!2@QTcwvi+u#uvfz&n^VWmX%jRoG*4$tcExlO~ssdM4>Nn+|uR(l2vtY)tPT5~o5I zQbhNGR#yHbwk{D#W~9@j9V}?UF+=cd9$rXAeU50p24*$m^vha8^ckmM2~{rJj6-Ih zEe3ZU6fg{8XTU5MW zuSi1)OHIX};E0cIxuZ+0z>RZTfanSLRuL!wQb2jr<>IkhNlh~roW$)(O`r;qK(W2L z*Z8#qvuDi-Gk5-xp4_Tq=?Tf1ckx^hX165dT0^_3t`tOh9jG{PLc?&!`Ag;+!#^q{ zC-stsetdRgnnfwOtE7o{;&H(F&dy+UHtM(Qn?1v|_gg=;`@ag_%wich;m z?hP|YYv&3Y-kB^hv#}4_wC_tvE@b5JRyCnY6mMoQt!Rd_a74)$+6}2*r(~EH;@pK= zW(vo}xm!0yWCoLrf)cCG@@kI3*hIDOL;Ftpjn$s+@Q2z@S=uBu67uGSks!gDHDfP} zfZCF{ORt75vtNqSefJO&;jf~I2vTG$?u4W2ASg-EJ45DZXx%vr_ zbN==od({Rv0U1@8-mJ2TF9^qIqnR_J^mix&&k__}Y7(PKEJ!e-5wVvV4hrXOdNLM` zIY@tmX=^~4052o-7J`*M%MPpcDN32KLWaJ*2xBwPwl_;%_m%7AcPgHnpf$4=#C z9NKY8SRM2l!}Y~ttc2IXH5{)_8lC`oM`UQ(C%`%YZe9Jn8O8#1U`Ig|!y@Dr!%}i#QXSz%9kg z6XQTw>#%-zVgHTV;gx2`w92-x z{i65k*cCGQyZUCep}amh9xKhaXNO6ZRi38)^+16^+>{Jlr5WiDdn}pUH3oJ)S4 zAaYvUHhx{wFdTO$I~=o?Wk9x(x<%b(dK<%`$-UD!AKz&7O0X2RsL}x#C*H$8yF`zN 
z9%kio8L09Ythv4-hH#oVezA5aX*kW8by5F4>llD^Bg#CzaE!ni0T)^BH)S!vng@M zzb4_qEB>T%U#XQ?RU$p5%dm^<(`9Js5-?02e1{@&B~qC3ItDS?wA)HW)jTN9Cf22- z7K=@i-z26#!=7EONq4r43p-2KT;64mEZ9r5)H z`>&M&8rRVuvoK}>T73XG7i%>VdQI~bf-wa5XqPd9c>6S@rBJs@O-of5b}pCP|=0&z`E++aq;(K9xG z3mcPQ(xwoJyMb~r3gx|i{rV2Vcy^ofM@M48bNGcg;R1OpLs~E{^>wm{4)F-_6j7B} zcIVDAp^qS_ieRWncWR6=h)RuaYIR#I<~hg05A-0FYOg&wuBhRy(m z`IEui?qii+y_O^vPCocd>@e9_gLwFnC7KVtx#78?_DGyFm21W83=nEPA*A}X|OawPbT8FCz*K($2MTaZaNsK#*ZGtsSSMfgUx{*WDEj=-zQ?WH@jW1VwLJl9t5 z?;A=aT$yY4X9s{{0d$8@EdV^xU&aZ|Th?_!Hamh~EPI<z77A$fe{hjs}tS;k>^ho>E zZLR93d?4_3o=aT#__IP;NeYjNk9TpY;O8@0Dxlk*_#k8H??S9)2?B$mK((0>z+Q@6 z&wmwBulSezs+W!n0IB?+BIr=ZBDt^WO*ma%htz z>0%pW=yguc9l?%oZ|}>u6|1*Ad8!L!GH&KtTfX9l%Qp3k#B?j{7}pkRivSdKtO&M@ zaXWTx%a){R^QAv4zvBX53}C1|{acl}={Q$GbIDDPfQ#ZK&4;YiLWFgw_EMLVYnL*@ zIK-VE8s#huOe4f*+1-Kkr+fTni$KPc2{kz8X-zRPIoW=`<4@(8gNCoXC?Htm0H{#r zvuE-yJ62;9gd{E;i@SRGuWkpI+6KF&%loq*2seRZ@a%%juAZzkNkDjqii_*+uAX+j z_%MVyJa_?JbkENq_eTqSn{uc&CZg``X#M+Nx14rDBfa1!@2p zPdvB5Ms`G;j9K{XPHf&uLAO6Ou?7(67-Hq)kpk9h?1N$eEY45jM2v zL*^Tpn^q+G}myb-lMnwK2W>h`Mc0WuH&+NC#dTVKNXpn!xF z1uWNU3zSU#as5T~y!+nafgkBnINIx`xC+Hfx-l6i?;COYJ@P$WZuEM6RJo(`(&J4) z&y!uJW%qr526;$zxE02p(V_GX+t7Tmw)QM&2Aq_y)y;nzCLhSV-gU`ky%E&`A%)^X z8mGLQfRhTy5uDrg_itzIAC~4&3YkHrkx+K&MJbUR?dH&>i=O}1?0Wg zFq%&mWEJds9Pp~3140o9Gbg>NyR&Yh|164FTGm0F z{J7uK%M+AKWdoVe>1~VJo(s(``}QRrD&zPI1k!+fdU@0pQ4&=dnOu4_x4P6W z{W6Lq2(aXDXlIK2-S}@JN;m^Bah{t%=G`@a6%Y+AZA?;*+U_qdsHt$Nj&Oh9;br5x z_t_vlN_pcUKs-M-Qs^ZWj#2;{rj!Rw3>EVt4>!nJ;u?UBe%$WOkrxVzxMlzTAA49i zS6{T-3R@}Mm3NqGII1tumF>jvdfnfS4-eUInKOKkMDqWhb!|mqk1?mnRy#%4Al^pm zX4t+H4D&xYl*I;+&l%@?I3bGYfi?!4U4K#?73j%UZ3jw;1B`i(;o+8S$1T?ovU`4- zxn=&v?%f80UuVYmsHk+{hZKj@XNNBgVeqNuH2b@lswY$@MVI++M`W>c4Xbk}JCxfe zNryRG9a?Wb)jb4d$E6qo;jr(`sbSTQgo$W;Vw-fDOjZ&pnj;&9igapqOy5I_?Bl(E zY!f!#C)zV4tp^QNq&C@#ALv^5C!EWLz6%OBh1Kc!?Nf^{Q@1_iYjZl9q&?A`E>AjZ zY$K!KmV()5bNNZ3utAA|jRL)B?^Y=pN}p4sQ?>gACs9Xg6Gpd<>M#I2Tnxbve_n(p z+J8O-Rg$+Ys8Pt79?NVHHo4@+F1n)bSJ=oy=wj=l*(0`}nrn)lOuzhBT&{V@fD$Ji 
zN=VF=uZ^E3i}xS(W%D?^eoc$_6YS5$qootB&|{WrRd^Rfi87lUpu~`310C2jBwZ%l#gMvqWbHE`ECh%_|*Lk0?>7G{@}*IT)uqhmk*5_#En~LC}{_e|&GlNtH;>x)kv@={F z$adh@roI}^^%%h5XMa=-G!@U&$A{SLGMh#wr#i|3QN^}jFIyvFAiCem5d^tepekKl zgOE>39088XfvGwfso?y%8IV%HTEP)Owiih>NuS}{fcrnGTmxsnz!8x#?G#n>yO4Y2 zQt2`PGw%(w=ZE~{1nj2J$*VEaOZD~j=dHr!ETKz;Z8mUIe!7meHsVGZIuW8&G(l~`?qJOaFvl@~ zi{i@da8dNDbX@Y~n?P5XgE7JBdtJi(bPFv7m+G|hufOKpwjK7e?t9QtKi}h5t0@S` z=lT76P0$j_jNthN6Eiw)9P3AOADafAYqs#!r&X2Zow;gFT8$u`oAJHjLU9w98R+uBi$W~tnELKw# zfw5^0i2;PNR}9UV1>PMD1mA+544d9rE8O>8>J#9L!7fZysQ1Hwzik;2s6X=9<#d(&U@`Z;Upp8F>@{Wi$btt2sC$W*25*z3~%9nUxx{W>GxO|P+SAmSY z7T}>uN&Ib+^TUBdU?G`AiW(j&6!lnR3f(MinD}t+M~L4TUvg@p)LWPQfg{$Qfb=1I zgL;Vi+;`m`|}+wg%j`Mtg(Fccb8x9z7;A`wQH0MDsaFdBf{kIDnZ z0KCteF{4!xz;dxFxKcb!_8)=n@?*xIfCuynk6GXqFN|(al+H(yP*~Irj0uqnV8af=CI!akBu)$8750tD6JrB5p^GR z&3?3={}N+Fbg#KVkuK+QsnRT^a-g~FftX;fCc(l@4Jpyr>I7fN$UhWgBYK3?@jiW% zqyX0xZldyyuV;j^{N_hVG-x`dcKeAxr={B*A^67cFd-$I`P+R)-C8yjbQ>cd#?h(! z_EHM!1zIIkabBkADRd2b`g-axqOF!>k`JA~`ur}{-mkT|vG$$Lz|hOaI_4_GAn+cZ zHX;}3Tt%2$x$wP2e`uenuk};|%YrBm`eTvPP8+kX17B&hvad2DnkwkrTg-*EF`!#9 z1vlw>vcHw^5~7v+rMhNAcS4;vwJ#NOBr|xrVMZyt=qcucvgcrbyAz8-p1i@S9vF+3 z+Gw*<+xUWQWD8kGMNLtb?s(q%@#bkzd;Ynju90HuQh5bE;9besyk^*~q}=cS_T6Sh~s zw2YFvUD~H;ZlX;>%{`iX3hyx`gHHa(n%=lsoR$`5V(H!Z+?ehYCTH1dt|J`jJ}T)a=k%B^JMI`E-MH5k=k`Co1K!G1gLZeq|}pAE`8fJh$9w+)li6A^cr zIyX`{%-zU*huIGE3VqWeh(QE`WsC9AU5Gnq6)8_K3s-orG$yZ{s~IoBayvCdb*zcY z`;6Uu|8AnaC9x7HyJ?)5Z|n{IHtu1XI*8srrN_6DqCov7u>8s6bBp4gf)6y=aF*iNzUc7MseC4%OBhQXo*g1~{LWs>dY`W0TyXDI! 
zXzV)5$Q)vAag4KBUa@A-Tx=_;a}}S7-&8@vzY`)PK80yl?WE$pxgF2Bcd5>rsOxC( z0scyNuIra3VP+fF7+a!Q?~G{vS$v33X;B5#8GHBt4}twgH^p^h+VQ_9d%sU^Udq?$ zW6;->1Uxkmu(ApYQUAqLlYN)U{M9Yb$H&oXadp*~1PJeVHj0$Q6Y8A&O;!IJ=m2x= zA|kU$RsTqhg-Ls#J$p7CA)2TDu&;k3UX5R7jdg07gsEAu3>E*?7uy7m zEwE6{M=`S^mE0?(Z{dE~85XIfFUnnp-3bwjF3ykyd_>2cTGN*2PK{C{w1TsXU=T7p zJ=&%`RA2);IlZ~L`IBBAWR{2#x2Ni5laxuSBTz|Uj~{D1dXD&R5T6T@h0Y!UE&OQ^ zYZhLGdSR@^1rOpYAeI?Gu6o^@{SvglpJifA2XT}+)tDv&hE>FMbY4d%8vy>9Y}k?+ zOO`G-1)?Rzu_Xg^+8)@qi-6oBfvsE0VRX3x6F&ikTMHP6RrRnF?_c3*{Jr8X1($%^ zqeC(cX?-lhhMJ#>i;YdOV@4alzNi74dV&km+Y&$B6Yf+Oe|A3NkJAG=@v-4!o`V+B zdarJ=Xy#4%Oh~3`^6R8jxIYFM?CckZ?Qq*!hk(6D>~Dd_^f0V4JsPX;Wi)9)e-(Yy z)gN;Z@uL0Yn4S(#Yfo*3K8pb9oRAPhSQ?En_QE`aW>we<-t2*H6_%9Ph28SdztY+h zLS{$1aa->^uEZez%zD2eAT1jnEE2&;1p`kE)1{OHWE8+BM8_sftH;9l!HMpK~u?j-**4~x1O}^ zZ*LD$x)rY?K`k}r8Wr*P8HS!dqZRCDc16Zbn3f#ZI54J_AQ@s`b9$Waae3%k`tj+W zkU(wsLe|5ayq?ODo{vm#bv;jcV_+o6mv_zvYYNJfype zH#Gdxltq^PW13}tV}<8nbNW)gRQs9Yhrb>o?-w85A9aG3)E*;OBGvidu(reWvATNQ zKXJoK2ftF_7FFP<)&@%C-?-hP{^tKy;G~|a2uW%IyhG;5M5%4?1syfO^tOP=xvM)> zUb+V$Y)2S4mhI{CP+k4T*UiQ1e{hP7Ai9Ii0BF10${+37Z$EdbY@%7z+A*`YH(pS! 
z{MM2H&5C4O@gsN4EiC*&{#OqYJV)3+zqtH4rF+s*n0=yhDwmh8IMtS{kC&B_s;#S& zH~-p{ea$cu(Ptx&-@6Aim@f*>8Pz*FFK)cqt=;MZMyS?|s}(+l^w(K!e0)M8XHRON z!JT1hP`9rwV^>EbEr|YfPyLCIJ)iHaI#@Ixb7Ei7Pzq-qsHDz?$!wYNIcLw?L?R!O zaf}L;<;BRFzJ70DSU+w4AK2}j$Cy1u!KJ7rLcV1a3h&SlP~DwUn@CyA&9@x{&s+d$ z zct$BXjUeYn@HfpacY0M6z8N>!ag}E7^24|Rz*uj^&o&hXG&`ncV@ivywPN3~n|%`r zhJyBulaT+8EU?wzfbRbHx-rS<`559YXg4?0B_THY)$HQvw`~(5A6>gI`+V6>w>74W zIZZX-0)>)ha4c#XHeO`4 zXSeMXe#RoRmrE!NkC>^NQybr$LK@!+bV>>|>}@Q>Ge6<+5JD;`X!7O0CYNDjy?-AJ z6-nSd9WC@rrl4>$D5_A9p0BL0SaR zpVgK}V)`ByCt;ExV&7WClv16)uPG)U-`dw)3wk<4g&vinACS?#v$c5P*1L*520wcS ztRnqi>hr~l3qjxhOK$!PD2p6^p_i3xvXhVRC@H?c8>uznt(~XuGM%k)Ke5T-&XPN) zK{xUg&_~hTaJ6)@oH&-rUqQ-xgx6x{1Pd`6{7B04ANIT;S)va1RJJ6R5}j;H{B@Xd z=fWpOS2wm8W~XT5x%*y@z1^5iMehru84tup2Y@piS|FG1T2STdyx}_basR4dyB6@B z17pGheYbl_8@Tg7fXnmMVr4~D_u)Qp&|7)x?H7mMc?^EOhRBgQB)<*`*d@gkog<4q4>Dt1*hLd#^|}a0 z;s~vD(XSz6mM6^I6hC_X733*1{){d1_Wyvue%B^bPs5*AS&)=_qbEas{znK%IQJlC zUBsP?2=GmA(yL+PM1VL69rcA-Hz6Mw!8b7}Y-}_II#-pW%e&31jU@YY}OK_M{)U5c2a=0o2i#A)Ye7e&gm)L*si z7Aczl3)0g7dihKo`icOO;7PzYr+||_Tmf7djJ4a85OF_J2#+2h3%-VuVqLje?0#c zz&;D~K#l1jTn%1>5vJetN9$J5F1f&1&Mc^USd&S&z^JMqL_~RDWzmA)5lmARGYAT2ea5`%wH2qmDY37pZ3x)bz3&2c8$DR+ z3YX6RI@MYFLZ8=+>d4m*-4!+7eTJ??&Q1%U)e@SOj(jkr8hwO7@j402- z&GMR)ZzKW$-+`h?s6uNCq{Y+pLN^YrD>@!l>n30lO61y(Ee&*;R+e?> zK14w&sVnM8*XB)ZLu!1!_Z{ud!eN`n(0tMsT&dS6O95s29UY{9%+B*+GT&wW5mupC z^iDmjdT&K&6eAmeddXeR13!irHK8;ybwVl-gj>ry8`h=B!g=)?*(vEc9?=Vy%v%p5<)@2PnVG5A^HR5`dvy4UM*2 zL&E85824O+I#u=6a$dcgdoJt8&Gih3l|NCyA!x4j9A%9%MLaAjdgS9q=aZB5jMmkM zS`c-K$)N9w(d*tuB21XENt!YIQC2Iu3~6M*e1oyK8$z$>$I$qB{b9O9O?Q{N87#fQ z?a`2m$y9^4{mY9FDZAIyP3kG`9Wbe=jjJ|nCv6g8iBVor*qWF0(P#Ch8YWPQV&W9( zCR7ABF+sYCdt>Vz-EG!vEgsVPV-CNpIIVmWnQqv(?+*6z9(N|H`~g3oFOI7bC-`V) z0ka?}y$&m53zSiz;zPMaN?Qu9u2(Z2mv8?*Fz-88bsSs!4n1zKzn2wPxpvL|TA!ud zVCu+mp5b{)X=)xDYd-!^pNd6q+PHT8q8H@U6q;fFs2%M!3&P$xEG>`9rI$vQwoI2M zmEVC#bZPwYX^9_mFoU6CGKN}$2m%A!w);pW_W+B~0XkNf+=i+1?t+a*Hc|DtrAgI> zr0;kE_K6*4oFrF8F>2i8O**E{ek)aNKkx%4nm5$|gL5-zHa^n`{fW+4wlp5xbk3-& 
zX0wrd70bJ~Ai$Y{=E*QFslaq~g=>A-N z(aqz2bOaej_dL6Mu~)Tf$*W0va9+=YiI}FD1@&g@8VcofVHzi5vu+3kAEe2{pK#7K zz@-k8oinjy!*JtAWb{4sYcw?pWg+}oR7_2H{-%oi5COb2vzu|&ZP=0Rj{?xgji%6g zhT&#W;hM1+2^Qaq>)$ zzrE?nM&`}i`l34mUT^V9yYEo-g~DWw8wn)mZQXZKssVyvtzD}X@y7KyC*c&cNko*qLpzQ2?kq#4 z*64~m!9Wos+={dAOTN`8e67}vMkTCZoT_~f^(!GpGXdFzzKo>CIO$G`rk5ldY zR0)Z4*^~pxFQ2J3vFyP-oyb0Z+b}e^^YhKMt>IETP?eOEy;Czfl=pk@^)>FdV|$`a zs#p&wTYOj};yyxrZxUh_7~_8Fz0)ljzKJ)q{hLJd+Jy+9qE~}{3_p{veqpr$&7*yv zsAhs6GX=52Z|s~z literal 0 HcmV?d00001 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/README.md new file mode 100644 index 0000000000..7644522478 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/README.md @@ -0,0 +1,17 @@ +# Using Examples to enable RBAC + +This guide helps in setting up RBAC for Kubeflow. + +The RBAC rules here assume 3 groups: admin, datascience and validator as sample groups for operating on Kubeflow. + +## Setup + +``` +./apply_example.sh --issuer https://dex.example.com:32000 --jwks-uri https://dex.example.com:32000/keys --client-id ldapdexapp +``` + +### Note Regarding Istio RBAC + +Currently, the only service authenticated and authorized supported in this example is ml-pipeline service. +Support for authorization in Pipelines is being discussed in this [issue](https://github.com/kubeflow/pipelines/issues/1223). +This example allows for authentication and authorization only for requests within the Kubernetes cluster. diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/apply_example.sh b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/apply_example.sh new file mode 100755 index 0000000000..d7cf656747 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/apply_example.sh 
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+while [[ $# -gt 0 ]]
+do
+ key="$1"
+
+ case $key in
+ -i|--issuer)
+ ISSUER="$2"
+ shift
+ shift
+ ;;
+ -j|--jwks-uri)
+ JWKS_URI="$2"
+ shift
+ shift
+ ;;
+ -c|--client-id)
+ CLIENT_ID="$2"
+ shift
+ shift
+ ;;
+ -h|--help)
+ echo "
+ Use Arguments:
+ -i|--issuer Issuer for dex
+ -j|--jwks-uri JWKS Key path provided by dex server
+ -c|--client_id Client ID of the Dex Client set
+ "
+ exit
+ shift
+ shift
+ ;;
+ *) # unknown option
+ echo "Invalid option -$2" >&2
+ exit
+ ;;
+ esac
+done
+
+if [ -z "$ISSUER" ] || [ -z "$JWKS_URI" ] || [ -z "$CLIENT_ID" ];
+then
+ echo "
+ Missing one of the options mentioned below:
+ -i|--issuer Issuer for dex
+ -j|--jwks-uri JWKS Key path provided by dex server
+ -c|--client_id Client ID of the Dex Client set
+ "
+ exit
+fi
+
+cat << EOF > authentication/Istio/base/params.env
+issuer=$ISSUER
+client_id=$CLIENT_ID
+jwks_uri=$JWKS_URI
+EOF
+
+kubectl create -f authorization/Kubernetes
+kubectl create -f authorization/Istio
+kustomize build authentication/Istio/base | kubectl apply -f -
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/kustomization.yaml
new file mode 100644
index 0000000000..005b692872
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/kustomization.yaml
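Review bot: Both error paths in apply_example.sh (the `*)` branch and the missing-option check) end in a bare `exit`, which returns the status of the preceding `echo`, i.e. 0, so a wrapper or CI job cannot tell that nothing was applied; use `exit 1` there, and print `$1` instead of `$2` in `echo "Invalid option -$2" >&2`, since `$1` holds the unrecognised option. The script has no `set -eo pipefail`, so a failed `kubectl create -f authorization/Istio` does not stop the final `kustomize build authentication/Istio/base | kubectl apply -f -`, and a half-applied authentication/authorization setup goes unnoticed. `--issuer` and `--jwks-uri` are written to params.env unchecked; a guard such as `case "$JWKS_URI" in https://*) ;; *) exit 1 ;; esac` would keep the JWT verification keys from being fetched over cleartext HTTP. This file sits under `upstream/`, so the change may belong in the source it was copied from.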
@@ -0,0 +1,36 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow + +resources: +- policy.yaml + +configMapGenerator: +- name: auth-parameters + env: params.env + +vars: +- name: issuer + objref: + kind: ConfigMap + name: auth-parameters + apiVersion: v1 + fieldref: + fieldpath: data.issuer +- name: jwks_uri + objref: + kind: ConfigMap + name: auth-parameters + apiVersion: v1 + fieldref: + fieldpath: data.jwks_uri +- name: client_id + objref: + kind: ConfigMap + name: auth-parameters + apiVersion: v1 + fieldref: + fieldpath: data.client_id + +configurations: + - params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.env new file mode 100644 index 0000000000..ff648ef183 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.env @@ -0,0 +1,3 @@ +issuer=https://dex.example.com:32000 +client_id=ldapdexapp +jwks_uri=https://dex.example.com:32000/keys diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.yaml new file mode 100644 index 0000000000..6abefadd7d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/params.yaml @@ -0,0 +1,7 @@ +varReference: +- path: spec/origins/jwt/audiences + kind: Policy +- path: spec/origins/jwt/issuer + kind: Policy +- path: spec/origins/jwt/jwksUri + kind: Policy 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/policy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/policy.yaml
new file mode 100644
index 0000000000..1178767968
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authentication/Istio/base/policy.yaml
@@ -0,0 +1,16 @@
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ name: auth-policy
+spec:
+ targets:
+ - name: ml-pipeline
+ peers:
+ - mtls: {}
+ origins:
+ - jwt:
+ audiences:
+ - $(client_id)
+ issuer: $(issuer)
+ jwksUri: $(jwks_uri)
+ principalBinding: USE_ORIGIN
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/cluster_rbac_config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/cluster_rbac_config.yaml
new file mode 100644
index 0000000000..2519f065ba
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/cluster_rbac_config.yaml
@@ -0,0 +1,8 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ClusterRbacConfig
+metadata:
+ name: default
+spec:
+ mode: 'ON_WITH_INCLUSION'
+ inclusion:
+ services: ["ml-pipeline.kubeflow.svc.cluster.local"]
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role.yaml
new file mode 100644
index 0000000000..db4ec7a079
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role.yaml
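Review bot: cluster_rbac_config.yaml carries no comment saying that `ClusterRbacConfig` named `default` is the mesh-wide singleton, so applying this example sets the authorization mode for the whole cluster and collides with any `default` object that already exists. With `mode: 'ON_WITH_INCLUSION'` and a single entry under `inclusion.services`, only `ml-pipeline.kubeflow.svc.cluster.local` is enforced and every other service stays outside Istio RBAC. I would add a header comment such as `# Mesh-wide singleton: RBAC is enforced only for the services listed under inclusion; everything else is unrestricted.` so a reader does not assume the example locks down more than it does.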
@@ -0,0 +1,8 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: ml-pipeline-viewer
+ namespace: kubeflow
+spec:
+ rules:
+ - services: ["ml-pipeline.kubeflow.svc.cluster.local"]
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role_binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role_binding.yaml
new file mode 100644
index 0000000000..31f69f6121
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Istio/ml_pipeline_service_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: bind-ml-pipeline-viewer
+ namespace: kubeflow
+spec:
+ subjects:
+ - group: "datascience"
+
+ roleRef:
+ kind: ServiceRole
+ name: "ml-pipeline-viewer"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role.yaml
new file mode 100644
index 0000000000..8c0cb32bb8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role.yaml
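Review bot: The single rule in `ml-pipeline-viewer` lists only `services`, so despite the name the role is not limited to read access; with no `methods` or `paths` constraint it presumably matches every request to ml-pipeline, including ones that create or delete runs. If view-only access is intended, add `methods: ["GET"]` under the rule, otherwise rename the role so the grant is not misread. The binding in ml_pipeline_service_role_binding.yaml keys on `group: "datascience"`; it is worth confirming against the deployed Istio version that `group` subjects are evaluated, since JWT group membership is normally matched through `properties` on `request.auth.claims[groups]`.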
@@ -0,0 +1,58 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-read-all-role +rules: + - + apiGroups: + - "" + - apps + - autoscaling + - batch + - extensions + - policy + - networking.k8s.io + - rbac.authorization.k8s.io + - storage.k8s.io + resources: + - componentstatuses + - configmaps + - cronjobs + - daemonsets + - deployments + - events + - endpoints + - horizontalpodautoscalers + - ingress + - ingresses + - jobs + - limitranges + - namespaces + - nodes + - pods + - pods/log + - pods/exec + - persistentvolumes + - persistentvolumeclaims + - resourcequotas + - replicasets + - replicationcontrollers + - serviceaccounts + - services + - statefulsets + - storageclasses + - clusterroles + - roles + - tfjobs + verbs: + - get + - watch + - list + - nonResourceURLs: ["*"] + verbs: + - get + - watch + - list + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role_binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role_binding.yaml new file mode 100644 index 0000000000..ce091f8f13 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_read_all_cluster_role_binding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cluster-read-all-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-read-all-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: admin +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: datascience +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: validator 
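Review bot: `cluster-read-all-role` is not read-only: it lists `pods/exec` among the resources and ends with a separate rule granting `create` on `pods/exec`, which lets every bound group (admin, datascience and validator in the binding that follows) run commands in any pod in the cluster and read whatever secrets and service-account tokens are mounted there. Remove both `pods/exec` entries from this role and, where exec is really needed, grant it through a namespaced `Role` for the specific group. `nonResourceURLs: ["*"]` is also wider than a viewer role needs. The same trailing `pods/exec` rule appears in cluster_write_all_cluster_role.yaml.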
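Review bot: This binding is declared with `rbac.authorization.k8s.io/v1beta1` while the role it references uses `rbac.authorization.k8s.io/v1`; the beta RBAC API is deprecated and is no longer served from Kubernetes 1.22, so the manifest should read `apiVersion: rbac.authorization.k8s.io/v1`. The fields used here are the same in both versions, so nothing else needs to change. The same applies to cluster_write_all_cluster_role_binding.yaml, secrets_write_all_cluster_role_binding.yaml and to cluster-role.yaml and cluster-role-binding.yaml under gcp/basic-auth-ingress/base.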
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role.yaml new file mode 100644 index 0000000000..87455cabdc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role.yaml @@ -0,0 +1,67 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-write-all-role +rules: + - + apiGroups: + - "" + - apps + - autoscaling + - batch + - extensions + - policy + - networking.k8s.io + - rbac.authorization.k8s.io + - storage.k8s.io + - kubeflow.org + resources: + - componentstatuses + - configmaps + - cronjobs + - daemonsets + - deployments + - events + - endpoints + - horizontalpodautoscalers + - ingress + - ingresses + - jobs + - limitranges + - namespaces + - nodes + - pods + - pods/log + - pods/exec + - persistentvolumes + - persistentvolumeclaims + - resourcequotas + - replicasets + - replicationcontrollers + - serviceaccounts + - services + - statefulsets + - storageclasses + - clusterroles + - roles + - tfjobs + verbs: + - get + - watch + - list + - create + - delete + - patch + - update + - nonResourceURLs: ["*"] + verbs: + - get + - watch + - list + - create + - delete + - patch + - update + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role_binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role_binding.yaml new file mode 100644 index 0000000000..3fda556c8d --- /dev/null 
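Review bot: `cluster-write-all-role` grants create, update, patch and delete on `pods`, `serviceaccounts`, `roles`, `clusterroles` and `namespaces` cluster-wide, which is close to cluster-admin in effect, because a subject that may create pods in any namespace can run them under any service account that exists there. The binding that follows hands this to `datascience` as well as `admin`. For an example meant to illustrate group-based RBAC, a namespaced `Role` and `RoleBinding` per team would show the pattern without the cluster-wide grant; at minimum add a comment stating that this role is equivalent to full cluster write. The write verbs on `nonResourceURLs: ["*"]` have no obvious use and could be dropped.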
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/cluster_write_all_cluster_role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cluster-write-all-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-write-all-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: admin +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: datascience diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role.yaml new file mode 100644 index 0000000000..56c56bedce --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role.yaml @@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secrets-write-all-role +rules: + - + apiGroups: + - "" + - apps + - autoscaling + - batch + - extensions + - policy + - rbac.authorization.k8s.io + - storage.k8s.io + resources: + - secrets + verbs: + - get + - watch + - list + - create + - update + - patch diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role_binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role_binding.yaml new file mode 100644 index 0000000000..52ca39069e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/authorization/Kubernetes/secrets_write_all_cluster_role_binding.yaml 
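Review bot: `secrets` exists only in the core API group, so the eight-entry `apiGroups` list in `secrets-write-all-role` adds nothing and makes the rule harder to audit; `apiGroups: [""]` states the grant exactly. The role also has no comment saying that `get`/`list`/`watch` on secrets in every namespace exposes all service-account tokens and TLS keys in the cluster. I would add `# Cluster-wide secret access: bind to the admin group only.` above `rules:`.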
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: secrets-write-all-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secrets-write-all-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: admin
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/gencert.sh b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/gencert.sh
new file mode 100755
index 0000000000..48cbbbceeb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/docs/dex-auth/examples/gencert.sh
@@ -0,0 +1,60 @@ +#!/bin/bash + +# TODO(krishnadurai): Remove this file as soon as cert tooling is introduced in kfctl +# Tracking issue: https://github.com/kubeflow/kfctl/issues/6 + +mkdir -p ssl + +while [[ $# -gt 0 ]] +do + key="$1" + + case $key in + -d|--dex-domain) + DEX_DOMAIN="$2" + shift + shift + ;; + -h|--help) + echo "Use -d|--dex-domain to supply domain name for dex server" + exit + shift + shift + ;; + *) # unknown option + echo "Invalid option -$2" >&2 + exit + ;; + esac +done + +if [ -z "$DEX_DOMAIN" ]; +then + echo "Enter -d|--dex-domain to supply domain name for dex server" + exit +fi + +cat << EOF > ssl/req.cnf +[req] +req_extensions = v3_req +distinguished_name = req_distinguished_name + +[req_distinguished_name] + +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = dex.$DEX_DOMAIN +DNS.2 = login.$DEX_DOMAIN +DNS.3 = ldap-admin.$DEX_DOMAIN +EOF + +openssl genrsa -out ssl/ca-key.pem 2048 +openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 1000 -out ssl/ca.pem -subj "/CN=kube-ca" + +openssl genrsa -out ssl/key.pem 2048 +openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf +openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 1000 -extensions v3_req -extfile ssl/req.cnf diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/gcp/template/openapi.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/gcp/template/openapi.yaml new file mode 100644 index 0000000000..7e53098980 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/gcp/template/openapi.yaml 
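Review bot: The server CSR is created with `-subj "/CN=kube-ca"`, the same subject as the CA certificate generated just above it, so the issued leaf has a subject equal to its issuer and some TLS stacks will treat it as self-signed or fail to build the chain; give the leaf its own name, for example `-subj "/CN=dex.$DEX_DOMAIN"`. The script has no `set -euo pipefail` and its error paths use a bare `exit` (status 0), so a failed `openssl` step or a missing `--dex-domain` is not reported to the caller. `ssl/ca-key.pem` and `ssl/key.pem` are written unencrypted into the working tree; adding `umask 077` before `mkdir -p ssl` and a comment that `ssl/` must not be committed would make the handling of the CA key explicit.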
@@ -0,0 +1,54 @@ +swagger: "2.0" +info: + description: "wildcard config for any HTTP service." + title: "General HTTP Service." + version: "1.0.0" +host: "CHANGE.TO.YOUR.HOST.NAME" +x-google-endpoints: +- name: "CHANGE.TO.YOUR.HOST.NAME" + target: "CHANGE.TO.YOUR.IP" +basePath: "/" +consumes: +- "application/json" +produces: +- "application/json" +schemes: +- "http" +- "https" +paths: + "/**": + get: + operationId: Get + responses: + '200': + description: Get + default: + description: Error + delete: + operationId: Delete + responses: + '204': + description: Delete + default: + description: Error + patch: + operationId: Patch + responses: + '200': + description: Patch + default: + description: Error + post: + operationId: Post + responses: + '200': + description: Post + default: + description: Error + put: + operationId: Put + responses: + '200': + description: Put + default: + description: Error diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/gcp_template.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/gcp_template.yaml new file mode 100644 index 0000000000..d19b1582c7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/gcp_template.yaml @@ -0,0 +1,9 @@ +apiVersion: replication.utils.kubeflow.org/v1alpha1 +kind: Replication +spec: + patterns: + - src: + exclude: gcr.io + # change to the gcr registry as image replication destination + dest: + context: gs://kubeflow-examples/image-replicate/replicate-context.tar.gz diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/mirror_task.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/mirror_task.yaml new file mode 100644 index 0000000000..52c01204ad --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/experimental/mirror-images/mirror_task.yaml 
@@ -0,0 +1,23 @@ +apiVersion: tekton.dev/v1alpha1 +kind: Task +metadata: + creationTimestamp: null + name: mirror-image +spec: + inputs: + params: + - name: inputImage + type: string + - name: outputImage + type: string + - name: context + type: string + steps: + - image: gcr.io/kaniko-project/executor:v0.11.0 + command: + - /kaniko/executor + - --dockerfile=Dockerfile + - --context=$(inputs.params.context) + - --destination=$(inputs.params.outputImage) + - --build-arg INPUT_IMAGE=$(inputs.params.inputImage) + name: build-push diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/README.md new file mode 100644 index 0000000000..bb9497d7ee --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/README.md 
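Review bot: `- --build-arg INPUT_IMAGE=$(inputs.params.inputImage)` is passed to the executor as one argv element containing a space, so the flag parser most likely sees a flag named `build-arg INPUT_IMAGE` instead of `--build-arg` with a value; write it as `- --build-arg=INPUT_IMAGE=$(inputs.params.inputImage)` or as two list items. The step image `gcr.io/kaniko-project/executor:v0.11.0` is referenced by tag only, and since this task builds and pushes images into the destination registry, pinning the builder by digest keeps the mirror pipeline from picking up a retagged image.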
@@ -0,0 +1,58 @@ +# Gatekeeper and Kubeflow + +[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a validating webhook for Kubernetes that enforces CRD-based access control policies. +In Kubeflow, we use Gatekeeper to restrict controllers to their own namespaces. The details can be found [here](https://bit.ly/2yJeU5u). + +## Installation + +1. Follow the instructions [here](https://github.com/open-policy-agent/gatekeeper#deploying-a-release-using-prebuilt-image) to install Gatekeeper controller. + +1. Apply the constraint template in this directory: +``` +kubectl apply -f constraint-template.yaml +``` + +## Configuration + +1. In order to configure contraints for your controllers, edit the `ns-required-annotations.yaml` file. +```yaml + # Fill in the service account name + usernames: ["system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT)"] + # Replace with your own labels + annotations: ["kubeflow-admins", "kubeflow-users"] +``` + * Under `usernames`, enter the names of the service accounts used to deploy Kubeflow resources. + * Under `annotations`, enter your own label names. + +2. Deploy the constraint: +``` +kubectl apply -f ns-required-annotations.yaml +``` + +## Usage + +The constraint is now enabled. You can test that the constraint is working by creating a namespace without the required labels: +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: kubeflow +``` + +Then try to create any resource under this namespace using one of the restricted users' credentials. This should result in an access violation: + +``` +Missing labels for user SERVICEACCOUNT namespace kubeflow: Required one of labels: ["kubeflow-admins", "kubeflow-users"] Actual labels: None +``` + +Now add the required labels to the namespace: +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: kubeflow + annotations: + category: kubeflow-admins +``` + +Then try to create the same source again, and it should work. 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/constraint-template.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/constraint-template.yaml new file mode 100644 index 0000000000..3cb15f60d3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/constraint-template.yaml @@ -0,0 +1,40 @@ +apiVersion: templates.gatekeeper.sh/v1alpha1 +kind: ConstraintTemplate +metadata: + name: requiredannotations +spec: + crd: + spec: + names: + kind: RequiredAnnotations + listKind: RequiredAnnotationsList + plural: requiredannotations + singular: requiredannotations + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + labels: + type: array + items: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package requiredannotations + + violation[{"msg": msg, "details": {"Invalid namespace": ns}}] { + # Check if the actual user is one of the restricted_users + actual_user := {input.review.userInfo.username} + restricted_users := {username | username := input.constraint.spec.parameters.usernames[_]} + + # Check if the namespace is annotated with the required labels + ns := input.review.object.metadata.namespace + real_ns := data.inventory.cluster.v1.Namespace[ns] + actual := {annotation | annotation := real_ns.metadata.annotations["category"]} + required := {annotation | annotation := input.constraint.spec.parameters.annotations[_]} + + count(actual_user - restricted_users) == 0 + count(required & actual) == 0 + + msg := sprintf("Missing labels for username %v namespace %v: Required one of labels: %v Actual labels: %v", [actual_user, ns, required, actual]) + } diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/ns-required-annotations.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/ns-required-annotations.yaml new file mode 100644 index 0000000000..2c196dd471 --- /dev/null 
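Review bot: The `openAPIV3Schema` declares a `labels` parameter, but the Rego reads `input.constraint.spec.parameters.usernames` and `.annotations`, and `items: string` is not a schema object, so the two parameters the policy depends on are never validated and a constraint with a misspelled key is accepted silently. The rule also fails open: when `data.inventory.cluster.v1.Namespace[ns]` is undefined (Namespaces not synced into Gatekeeper's inventory, or a cluster-scoped object without `metadata.namespace`) the body is undefined and no violation is produced, so a comment should state that Namespace sync is a prerequisite. The message text says "labels" while the check is on the `category` annotation, which will mislead whoever reads the denial. A schema matching the Rego is sketched below.

```yaml
# … unchanged: crd.spec.names …
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            usernames:
              type: array
              items:
                type: string
            annotations:
              type: array
              items:
                type: string
# … unchanged: targets / rego …
```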
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gatekeeper/ns-required-annotations.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1alpha1 +kind: RequiredAnnotations +metadata: + name: ns-required-annotations +spec: + match: + # Policy applies to all resources + kinds: + - apiGroups: ["*"] + kinds: ["*"] + parameters: + # Fill in the service account name + usernames: ["system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT)"] + # Replace with your own labels + annotations: ["kubeflow-admins", "kubeflow-users"] diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/backend-config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/backend-config.yaml new file mode 100644 index 0000000000..812bfd91fb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/backend-config.yaml @@ -0,0 +1,7 @@ +apiVersion: cloud.google.com/v1beta1 +kind: BackendConfig +metadata: + name: basicauth-backendconfig +spec: + # Jupyter uses websockets so we want to increase the timeout. + timeoutSec: 3600 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cloud-endpoint.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cloud-endpoint.yaml new file mode 100644 index 0000000000..139273b25a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cloud-endpoint.yaml @@ -0,0 +1,9 @@ +apiVersion: ctl.isla.solutions/v1 +kind: CloudEndpoint +metadata: + name: $(appName) +spec: + project: $(project) + targetIngress: + name: $(ingressName) + namespace: $(istioNamespace) 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..d8714334d2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kf-admin-basic-auth
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kf-admin-basic-auth
+subjects:
+- kind: ServiceAccount
+ name: kf-admin
+ namespace: $(istioNamespace)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role.yaml
new file mode 100644
index 0000000000..93801ac106
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/cluster-role.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kf-admin-basic-auth
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - update
+ - patch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/config-map.yaml
new file mode 100644
index 0000000000..0949a292f0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/config-map.yaml
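Review bot: `kf-admin-basic-auth` is a ClusterRole with `get`, `list`, `patch` and `update` on `secrets`, `configmaps` and `services` in every namespace, bound to the `kf-admin` service account, yet the scripts in config-map.yaml in this commit only read a service, an ingress and one TLS secret inside `${NAMESPACE}`. From what is visible here a namespaced `Role` and `RoleBinding` in the ingress namespace would cover that, and would keep a compromise of the updater pod from reaching secrets elsewhere in the cluster. If cluster scope has to stay, narrow the secret rule with `resourceNames` to the TLS secret the bootstrap script waits for.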
@@ -0,0 +1,74 @@ +apiVersion: v1 +data: + update_backend.sh: "#!/bin/bash\n#\n# A simple shell script to configure the health + checks by using gcloud.\nset -x \n[ -z ${NAMESPACE} ] && echo Error NAMESPACE + must be set && exit 1\n[ -z ${SERVICE} ] && echo Error SERVICE must be set && + exit 1\n[ -z ${INGRESS_NAME} ] && echo Error INGRESS_NAME must be set && exit + 1\n\nPROJECT=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/project-id)\nif + [ -z ${PROJECT} ]; then\n echo Error unable to fetch PROJECT from compute metadata\n + \ exit 1\nfi\n\nset_health_check() {\n # Activate the service account, allow + 5 retries\n if [[ ! -z \"${GOOGLE_APPLICATION_CREDENTIALS}\" ]]; then\n # + TODO(jlewi): As of 0.7 we should always be using workload identity. We can remove + it post 0.7.0 once we have workload identity\n # fully working\n # Activate + the service account, allow 5 retries\n for i in {1..5}; do gcloud auth activate-service-account + --key-file=${GOOGLE_APPLICATION_CREDENTIALS} && break || sleep 10; done\n fi + \ \n\n # For debugging print out what account we are using\n gcloud auth + list\n\n NODE_PORT=$(kubectl --namespace=${NAMESPACE} get svc ${SERVICE} -o jsonpath='{.spec.ports[0].nodePort}')\n + \ echo node port is ${NODE_PORT}\n\n while [[ -z ${BACKEND_NAME} ]]; do\n BACKENDS=$(kubectl + --namespace=${NAMESPACE} get ingress ${INGRESS_NAME} -o jsonpath='{.metadata.annotations.ingress\\.kubernetes\\.io/backends}')\n + \ echo \"fetching backends info with ${INGRESS_NAME}: ${BACKENDS}\"\n BACKEND_NAME=$(echo + $BACKENDS | grep -o \"k8s-be-${NODE_PORT}--[0-9a-z]\\+\")\n echo \"backend + name is ${BACKEND_NAME}\"\n sleep 2\n done\n\n while [[ -z ${BACKEND_SERVICE} + ]];\n do BACKEND_SERVICE=$(gcloud --project=${PROJECT} compute backend-services + list --filter=name~k8s-be-${NODE_PORT}- --uri);\n echo \"Waiting for the backend-services + resource PROJECT=${PROJECT} NODEPORT=${NODE_PORT} SERVICE=${SERVICE}...\";\n 
sleep + 2;\n done\n\n while [[ -z ${HEALTH_CHECK_URI} ]];\n do HEALTH_CHECK_URI=$(gcloud + compute --project=${PROJECT} health-checks list --filter=name~${BACKEND_NAME} + --uri);\n echo \"Waiting for the healthcheck resource PROJECT=${PROJECT} NODEPORT=${NODE_PORT} + SERVICE=${SERVICE}...\";\n sleep 2;\n done\n\n echo health check URI is ${HEALTH_CHECK_URI}\n\n + \ # Since we create the envoy-ingress ingress object before creating the envoy\n + \ # deployment object, healthcheck will not be configured correctly in the GCP\n + \ # load balancer. It will default the healthcheck request path to a value of\n + \ # / instead of the intended /healthz.\n # Manually update the healthcheck request + path to /healthz\n if [[ ${HEALTHCHECK_PATH} ]]; then\n echo Running health + checks update ${HEALTH_CHECK_URI} with ${HEALTHCHECK_PATH}\n gcloud --project=${PROJECT} + compute health-checks update http ${HEALTH_CHECK_URI} --request-path=${HEALTHCHECK_PATH}\n + \ else\n echo Running health checks update ${HEALTH_CHECK_URI} with /healthz\n + \ gcloud --project=${PROJECT} compute health-checks update http ${HEALTH_CHECK_URI} + --request-path=/healthz\n fi\n\n if [[ ${USE_ISTIO} ]]; then\n # Create the + route so healthcheck can pass\n kubectl apply -f /var/envoy-config/healthcheck_route.yaml\n + \ fi\n}\n\nwhile true; do\n set_health_check\n echo \"Backend updated successfully. + Waiting 1 hour before updating again.\"\n sleep 3600\ndone\n" +kind: ConfigMap +metadata: + name: envoy-config +--- +apiVersion: v1 +data: + ingress_bootstrap.sh: | + #!/usr/bin/env bash + + set -x + set -e + + # This is a workaround until this is resolved: https://github.com/kubernetes/ingress-gce/pull/388 + # The long-term solution is to use a managed SSL certificate on GKE once the feature is GA. + + # The ingress is initially created without a tls spec. + # Wait until cert-manager generates the certificate using the http-01 challenge on the GCLB ingress. 
+ # After the certificate is obtained, patch the ingress with the tls spec to enable SSL on the GCLB. + + # Wait for certificate. + until kubectl -n ${NAMESPACE} get secret ${TLS_SECRET_NAME} 2>/dev/null; do + echo "Waiting for certificate..." + sleep 2 + done + + kubectl -n ${NAMESPACE} patch ingress ${INGRESS_NAME} --type='json' -p '[{"op": "add", "path": "/spec/tls", "value": [{"secretName": "'${TLS_SECRET_NAME}'", "hosts":["'${TLS_HOST_NAME}'"]}]}]' + + echo "Done" +kind: ConfigMap +metadata: + labels: + ksonnet.io/component: basic-auth-ingress + name: ingress-bootstrap-config diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/deployment.yaml new file mode 100644 index 0000000000..ac515e347e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/deployment.yaml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: whoami-app +spec: + replicas: 1 + template: + metadata: + labels: + app: whoami + spec: + containers: + - env: + - name: PORT + value: "8081" + image: gcr.io/cloud-solutions-group/esp-sample-app:1.0.0 + name: app + ports: + - containerPort: 8081 + readinessProbe: + failureThreshold: 2 + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/gcp-credentials-patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/gcp-credentials-patch.yaml new file mode 100644 index 0000000000..26a42d7815 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/gcp-credentials-patch.yaml 
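Review bot: In `ingress_bootstrap.sh` the JSON patch is built by closing the single-quoted string around `${TLS_SECRET_NAME}` and `${TLS_HOST_NAME}`, which leaves both expansions unquoted; a value containing whitespace or glob characters splits the `-p` argument, and a value containing `"` alters the patch document. Quote the expansions, e.g. `"secretName": "'"${TLS_SECRET_NAME}"'"`, and fail early if either variable is empty. `update_backend.sh` has the same habit in its guards (`[ -z ${NAMESPACE} ]` should be `[ -z "${NAMESPACE}" ]`), and because it is stored as one escaped double-quoted scalar it is very hard to review; a `|` block scalar like the one used for `ingress_bootstrap.sh` would make later changes to a script that runs with the admin credentials auditable.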
@@ -0,0 +1,21 @@
+# Patch the env/volumes/volumeMounts for GCP credentials
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: backend-updater
+spec:
+ template:
+ spec:
+ containers:
+ - name: backend-updater
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/run/secrets/sa/admin-gcp-sa.json
+ volumeMounts:
+ - mountPath: /var/run/secrets/sa
+ name: sa-key
+ readOnly: true
+ volumes:
+ - name: sa-key
+ secret:
+ secretName: admin-gcp-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/ingress.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/ingress.yaml
new file mode 100644
index 0000000000..cd8db84a36
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: extensions/v1beta1 # networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "true"
+ kubernetes.io/ingress.global-static-ip-name: $(ipName)
+ networking.gke.io/managed-certificates: gke-certificate
+ name: $(ingressName)
+spec:
+ rules:
+ - host: $(hostname)
+ http:
+ paths:
+ - backend:
+ serviceName: ambassador
+ servicePort: 80
+ path: /*
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/istio-mapping-svc.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/istio-mapping-svc.yaml
new file mode 100644
index 0000000000..bc149601b4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/istio-mapping-svc.yaml
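Review bot: `ingress.kubernetes.io/ssl-redirect: "true"` in ingress.yaml is, as far as I know, not an annotation the GCE ingress controller acts on, so the load balancer for this basic-auth ingress would keep serving port 80 and the login credentials could travel in clear text. Once the certificate has been issued, `kubernetes.io/ingress.allow-http: "false"` is the annotation that closes the HTTP listener on GCLB. If plain HTTP has to stay open during certificate provisioning, a comment on the annotation block should say so and name the step that turns it off.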
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: istio-mapping + prefix_regex: true + prefix: /(?!whoami|kflogin).* + rewrite: "" + service: istio-ingressgateway.istio-system + precedence: 1 + use_websocket: true + labels: + app: istioMappingSvc + ksonnet.io/component: basic-auth-ingress + name: istio-mapping-service + namespace: istio-system +spec: + ports: + - port: 80 + targetPort: 8081 + selector: + app: istioMappingSvc + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/kustomization.yaml new file mode 100644 index 0000000000..5a42041d8b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/kustomization.yaml 
@@ -0,0 +1,88 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- backend-config.yaml
+- cloud-endpoint.yaml
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- config-map.yaml
+- deployment.yaml
+- ingress.yaml
+- istio-mapping-svc.yaml
+- service-account.yaml
+- service.yaml
+- stateful-set.yaml
+namespace: kubeflow
+commonLabels:
+ kustomize.component: basic-auth-ingress
+images:
+- name: gcr.io/kubeflow-images-public/ingress-setup
+ newName: gcr.io/kubeflow-images-public/ingress-setup
+ newTag: latest
+- name: gcr.io/cloud-solutions-group/esp-sample-app
+ newName: gcr.io/cloud-solutions-group/esp-sample-app
+ newTag: 1.0.0
+configMapGenerator:
+- name: basic-auth-ingress-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: secretName
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.secretName
+- name: appName
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.appName
+- name: namespace
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.namespace
+- name: hostname
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.hostname
+- name: project
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.project
+- name: ipName
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.ipName
+- name: ingressName
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.ingressName
+- name: istioNamespace
+ objref:
+ kind: ConfigMap
+ name: basic-auth-ingress-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.istioNamespace
+configurations:
+- params.yaml
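Review bot: The `images` entry pins `gcr.io/kubeflow-images-public/ingress-setup` to `newTag: latest`, a mutable tag, for containers that run under the `kf-admin` service account. Whatever is pushed to that tag next is what the cluster pulls, so the deployed code cannot be reviewed or reproduced from this repository. Pin an immutable reference instead, for example by replacing the tag with `digest: sha256:<digest-of-reviewed-image>`; since these files sit under `upstream/`, the pin may belong in a local overlay. The same `:latest` reference appears in `base/stateful-set.yaml`, `overlays/certmanager/job.yaml` and `overlays/certmanager/kustomization.yaml`.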
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.env
new file mode 100644
index 0000000000..797e3a9c5e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.env
@@ -0,0 +1,9 @@
+appName=kubeflow
+namespace=kubeflow
+hostname=
+project=
+ipName=
+secretName=envoy-ingress-tls
+privateGKECluster=false
+ingressName=envoy-ingress
+istioNamespace=istio-system
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.yaml
new file mode 100644
index 0000000000..920c9cbec0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/params.yaml
@@ -0,0 +1,35 @@
+varReference:
+- path: metadata/name
+ kind: Certificate
+- path: metadata/annotations/getambassador.io\/config
+ kind: Service
+- path: spec/dnsNames
+ kind: Certificate
+- path: spec/issuerRef/name
+ kind: Certificate
+- path: metadata/annotations/kubernetes.io\/ingress.global-static-ip-name
+ kind: Ingress
+- path: spec/commonName
+ kind: Certificate
+- path: spec/secretName
+ kind: Certificate
+- path: spec/acme/config/domains
+ kind: Certificate
+- path: spec/acme/config/http01/ingress
+ kind: Certificate
+- path: metadata/name
+ kind: Ingress
+- path: metadata/annotations/certmanager.k8s.io\/issuer
+ kind: Ingress
+- path: metadata/name
+ kind: CloudEndpoint
+- path: spec/project
+ kind: CloudEndpoint
+- path: spec/targetIngress/name
+ kind: CloudEndpoint
+- path: spec/targetIngress/namespace
+ kind: CloudEndpoint
+- path: spec/domains
+ kind: ManagedCertificate
+- path: subjects/namespace
+ kind: ClusterRoleBinding
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service-account.yaml
new file mode 100644
index 0000000000..ce1417d64c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kf-admin
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service.yaml
new file mode 100644
index 0000000000..057a73ea53
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ getambassador.io/config: |-
+ ---
+ apiVersion: ambassador/v0
+ kind: Mapping
+ name: whoami-mapping
+ prefix: /whoami
+ rewrite: /whoami
+ service: whoami-app.$(namespace)
+ labels:
+ app: whoami
+ name: whoami-app
+spec:
+ ports:
+ - port: 80
+ targetPort: 8081
+ selector:
+ app: whoami
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/stateful-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/stateful-set.yaml
new file mode 100644
index 0000000000..4be68658c8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/base/stateful-set.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ service: backend-updater
+ name: backend-updater
+spec:
+ selector:
+ matchLabels:
+ service: backend-updater
+ serviceName: "backend-updater"
+ template:
+ metadata:
+ labels:
+ service: backend-updater
+ spec:
+ containers:
+ - command:
+ - bash
+ - /var/envoy-config/update_backend.sh
+ env:
+ - name: NAMESPACE
+ value: $(namespace)
+ - name: SERVICE
+ value: ambassador
+ - name: HEALTHCHECK_PATH
+ value: /whoami
+ - name: INGRESS_NAME
+ value: $(ingressName)
+ image: gcr.io/kubeflow-images-public/ingress-setup:latest
+ name: backend-updater
+ volumeMounts:
+ - mountPath: /var/envoy-config/
+ name: config-volume
+ serviceAccountName: kf-admin
+ volumes:
+ - configMap:
+ name: envoy-config
+ name: config-volume
+ # Workaround for https://github.com/kubernetes-sigs/kustomize/issues/677
+ volumeClaimTemplates: []
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/application.yaml
new file mode 100644
index 0000000000..b289b7a6c0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: basic-auth-ingress
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: basic-auth-ingress
+ app.kubernetes.io/instance: basic-auth-ingress-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: basic-auth-ingress
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ type: basic-auth-ingress
+ version: v1beta1
+ description: ""
+ maintainers: []
+ owners: []
+ keywords:
+ - basic-auth-ingress
+ - kubeflow
+ links:
+ - description: About
+ url: ""
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..e558d8be51
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: basic-auth-ingress
+ app.kubernetes.io/name: basic-auth-ingress
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/certificate.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/certificate.yaml
new file mode 100644
index 0000000000..c54e44ae2b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/certificate.yaml
@@ -0,0 +1,18 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: $(secretName)
+spec:
+ acme:
+ config:
+ - domains:
+ - $(hostname)
+ http01:
+ ingress: $(ingressName)
+ commonName: $(hostname)
+ dnsNames:
+ - $(hostname)
+ issuerRef:
+ kind: ClusterIssuer
+ name: $(issuer)
+ secretName: $(secretName)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/job.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/job.yaml
new file mode 100644
index 0000000000..612adcf3a0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/job.yaml
@@ -0,0 +1,31 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ingress-bootstrap
+spec:
+ template:
+ spec:
+ containers:
+ - command:
+ - /var/ingress-config/ingress_bootstrap.sh
+ env:
+ - name: NAMESPACE
+ value: $(namespace)
+ - name: TLS_SECRET_NAME
+ value: $(secretName)
+ - name: TLS_HOST_NAME
+ value: $(hostname)
+ - name: INGRESS_NAME
+ value: $(ingressName)
+ image: gcr.io/kubeflow-images-public/ingress-setup:latest
+ name: bootstrap
+ volumeMounts:
+ - mountPath: /var/ingress-config/
+ name: ingress-config
+ restartPolicy: OnFailure
+ serviceAccountName: kf-admin
+ volumes:
+ - configMap:
+ defaultMode: 493
+ name: ingress-bootstrap-config
+ name: ingress-config
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/kustomization.yaml
new file mode 100644
index 0000000000..bea2a94168
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/certmanager/kustomization.yaml
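Review bot: `issuerRef.name: $(issuer)` in `overlays/certmanager/certificate.yaml` refers to a kustomize var that none of the kustomizations shown defines: the base declares `secretName`, `appName`, `namespace`, `hostname`, `project`, `ipName`, `ingressName` and `istioNamespace`, and the certmanager overlay adds no `vars`. Unless it is defined elsewhere, the literal string `$(issuer)` would be emitted as the ClusterIssuer name and the certificate would never be issued, leaving the ingress without the TLS secret it expects. Add an `issuer=` entry to `params.env` with a matching `vars` item, or name the ClusterIssuer directly. The resource also uses `certmanager.k8s.io/v1alpha1`, while the CRD files listed in this patch's diffstat are in the `cert-manager.io` group, so this overlay may not apply against the cert-manager installed here.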
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- job.yaml
+- certificate.yaml
+namespace: kubeflow
+commonLabels:
+ kustomize.component: basic-auth-ingress
+images:
+- name: gcr.io/kubeflow-images-public/ingress-setup
+ newName: gcr.io/kubeflow-images-public/ingress-setup
+ newTag: latest
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/gcp-credentials-patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/gcp-credentials-patch.yaml
new file mode 100644
index 0000000000..26a42d7815
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/gcp-credentials-patch.yaml
@@ -0,0 +1,21 @@
+# Patch the env/volumes/volumeMounts for GCP credentials
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: backend-updater
+spec:
+ template:
+ spec:
+ containers:
+ - name: backend-updater
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/run/secrets/sa/admin-gcp-sa.json
+ volumeMounts:
+ - mountPath: /var/run/secrets/sa
+ name: sa-key
+ readOnly: true
+ volumes:
+ - name: sa-key
+ secret:
+ secretName: admin-gcp-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/kustomization.yaml
new file mode 100644
index 0000000000..820285a91c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/gcp-credentials/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- gcp-credentials-patch.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/cert.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/cert.yaml
new file mode 100644
index 0000000000..18381b283d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/cert.yaml
@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1beta1
+kind: ManagedCertificate
+metadata:
+ name: gke-certificate
+spec:
+ domains:
+ - $(hostname)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/kustomization.yaml
new file mode 100644
index 0000000000..76381cab83
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/basic-auth-ingress/overlays/managed-cert/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- cert.yaml
+namespace: kubeflow
+commonLabels:
+ kustomize.component: basic-auth-ingress
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..79ff5afd2d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cloud-endpoints-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cloud-endpoints-controller
+subjects:
+- kind: ServiceAccount
+ name: kf-admin
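Review bot: The `ServiceAccount` subject in `cloud-endpoints/base/cluster-role-binding.yaml` has no `namespace`, and it names `kf-admin`, the same account that `basic-auth-ingress/base/service-account.yaml` creates for `backend-updater` and the `ingress-bootstrap` job. Both kustomizations set `namespace: kubeflow`, so this is presumably one shared identity, and every ClusterRole bound to it is held by all of those pods. A ServiceAccount subject needs a namespace; here the manifest appears to rely on kustomize filling it in at build time. I would give the controller its own account (for example `name: cloud-endpoints-controller` in the ServiceAccount, in this subject and in `serviceAccountName`) and set the subject's `namespace` explicitly.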
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role.yaml
new file mode 100644
index 0000000000..fac2877b10
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/cluster-role.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cloud-endpoints-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/composite-controller.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/composite-controller.yaml
new file mode 100644
index 0000000000..43146ad532
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/composite-controller.yaml
@@ -0,0 +1,20 @@
+apiVersion: metacontroller.k8s.io/v1alpha1
+kind: CompositeController
+metadata:
+ name: cloud-endpoints-controller
+spec:
+ childResources: []
+ clientConfig:
+ service:
+ caBundle: '...'
+ name: cloud-endpoints-controller
+ namespace: $(namespace)
+ generateSelector: true
+ hooks:
+ sync:
+ webhook:
+ url: http://cloud-endpoints-controller.$(namespace)/sync
+ parentResource:
+ apiVersion: ctl.isla.solutions/v1
+ resource: cloudendpoints
+ resyncPeriodSeconds: 2
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/crd.yaml
new file mode 100644
index 0000000000..4d09e9fbb9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/crd.yaml
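Review bot: The sync hook in `composite-controller.yaml` is plain HTTP (`url: http://cloud-endpoints-controller.$(namespace)/sync`) and `caBundle: '...'` is a placeholder, so nothing authenticates the endpoint that drives a controller holding the admin GCP credential; `deployment.yaml` also sets `sidecar.istio.io/inject: "false"`, so the mesh would not add mTLS either. If TLS on the hook is not feasible, restrict who can reach the Service (for instance a NetworkPolicy admitting only metacontroller) and record that in a comment such as `# sync hook is unauthenticated in-cluster HTTP; access limited by NetworkPolicy <policy-name>`. `resyncPeriodSeconds: 2` also looks aggressive if each sync results in a cloud API call; worth confirming that is intended.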
@@ -0,0 +1,15 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: cloudendpoints.ctl.isla.solutions
+spec:
+ group: ctl.isla.solutions
+ names:
+ kind: CloudEndpoint
+ plural: cloudendpoints
+ shortNames:
+ - cloudep
+ - ce
+ singular: cloudendpoint
+ scope: Namespaced
+ version: v1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/deployment.yaml
new file mode 100644
index 0000000000..2e60524142
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cloud-endpoints-controller
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cloud-endpoints-controller
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - image: gcr.io/cloud-solutions-group/cloud-endpoints-controller:0.2.1
+ imagePullPolicy: Always
+ name: cloud-endpoints-controller
+ readinessProbe:
+ failureThreshold: 2
+ httpGet:
+ path: /healthz
+ port: 80
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 5
+ serviceAccountName: kf-admin
+ terminationGracePeriodSeconds: 5
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/gcp-credentials-patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/gcp-credentials-patch.yaml
new file mode 100644
index 0000000000..02daa7f7b1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/gcp-credentials-patch.yaml
@@ -0,0 +1,21 @@
+# Patch the env/volumes/volumeMounts for GCP credentials
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cloud-endpoints-controller
+spec:
+ template:
+ spec:
+ containers:
+ - name: cloud-endpoints-controller
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/run/secrets/sa/admin-gcp-sa.json
+ volumeMounts:
+ - mountPath: /var/run/secrets/sa
+ name: sa-key
+ readOnly: true
+ volumes:
+ - name: sa-key
+ secret:
+ secretName: admin-gcp-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/kustomization.yaml
new file mode 100644
index 0000000000..a792eddaad
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/kustomization.yaml
@@ -0,0 +1,40 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- composite-controller.yaml
+- crd.yaml
+- deployment.yaml
+- service-account.yaml
+- service.yaml
+commonLabels:
+ app: cloud-endpoints-controller
+ kustomize.component: cloud-endpoints
+images:
+- name: gcr.io/cloud-solutions-group/cloud-endpoints-controller
+ newName: gcr.io/cloud-solutions-group/cloud-endpoints-controller
+ newTag: 0.2.1
+configMapGenerator:
+- name: cloud-endpoints-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: secretName
+ objref:
+ kind: ConfigMap
+ name: cloud-endpoints-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.secretName
+- name: namespace
+ objref:
+ kind: ConfigMap
+ name: cloud-endpoints-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.namespace
+configurations:
+- params.yaml
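Review bot: The `secretName` var declared in `cloud-endpoints/base/kustomization.yaml` is never consumed: `params.yaml` registers `spec/template/spec/volumes/secret/secretName` on `Deployment`, but both copies of `gcp-credentials-patch.yaml` hard-code `secretName: admin-gcp-sa`, and the copy in `base/` is not listed under `resources` or any patch key here. Changing `secretName` in `params.env` therefore has no effect on which credential is mounted, which is easy to miss when rotating or narrowing the key. Use `secretName: $(secretName)` in the overlay patch and delete the unreferenced base copy, or drop the var.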
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.env
new file mode 100644
index 0000000000..53ba6bd1ed
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.env
@@ -0,0 +1,2 @@
+namespace=kubeflow
+secretName=admin-gcp-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.yaml
new file mode 100644
index 0000000000..61954abfe2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/params.yaml
@@ -0,0 +1,7 @@
+varReference:
+- path: spec/template/spec/volumes/secret/secretName
+ kind: Deployment
+- path: spec/clientConfig/service/namespace
+ kind: CompositeController
+- path: spec/hooks/sync/webhook/url
+ kind: CompositeController
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service-account.yaml
new file mode 100644
index 0000000000..ce1417d64c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kf-admin
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service.yaml
new file mode 100644
index 0000000000..5d0b3de7d2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/base/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cloud-endpoints-controller
+spec:
+ ports:
+ - name: http
+ port: 80
+ selector:
+ app: cloud-endpoints-controller
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/application.yaml
new file mode 100644
index 0000000000..f70170518b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: cloud-endpoints
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: cloud-endpoints
+ app.kubernetes.io/instance: cloud-endpoints-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: cloud-endpoints
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ type: cloud-endpoints
+ version: v1beta1
+ description: ""
+ maintainers: []
+ owners: []
+ keywords:
+ - cloud-endpoints
+ - kubeflow
+ links:
+ - description: About
+ url: ""
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..844385cea4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/application/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: cloud-endpoints
+ app.kubernetes.io/name: cloud-endpoints
+kind: Kustomization
+namespace: kubeflow
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/gcp-credentials-patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/gcp-credentials-patch.yaml
new file mode 100644
index 0000000000..02daa7f7b1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/gcp-credentials-patch.yaml
@@ -0,0 +1,21 @@
+# Patch the env/volumes/volumeMounts for GCP credentials
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cloud-endpoints-controller
+spec:
+ template:
+ spec:
+ containers:
+ - name: cloud-endpoints-controller
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/run/secrets/sa/admin-gcp-sa.json
+ volumeMounts:
+ - mountPath: /var/run/secrets/sa
+ name: sa-key
+ readOnly: true
+ volumes:
+ - name: sa-key
+ secret:
+ secretName: admin-gcp-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/kustomization.yaml
new file mode 100644
index 0000000000..820285a91c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/cloud-endpoints/overlays/gcp-credentials/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- gcp-credentials-patch.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/README.md
new file mode 100644
index 0000000000..80d35fd21e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/README.md
@@ -0,0 +1,4 @@
+This directory contains some deployment manager configuration files that can be used to setup
+GCP for Kubeflow.
+
+These deployment configuration files are intended to be used with kfctl.
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster-kubeflow.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster-kubeflow.yaml
new file mode 100644
index 0000000000..cfeb695275
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster-kubeflow.yaml
@@ -0,0 +1,97 @@
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+imports:
+- path: cluster.jinja
+resources:
+# Deployment manager doesn't support depends on references in template type.
+# So the two possible work arounds are
+# 1. Use a single template (.jinja file for all resources) or
+# 2. Create two separate deployments and launch the boot strapper
+# after the cluster is created.
+#
+# Two separate deployments doesn't make much sense; we could just use
+# kubectl at that point. So we put all resources in a single deployment.
+- name: kubeflow
+ type: cluster.jinja
+ properties:
+ # You need to use a zone with Broadwell because that's what TFServing requires.
+ zone: SET_THE_ZONE
+ # "1.X": picks the highest valid patch+gke.N patch in the 1.X version
+ # https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters
+ cluster-version: "1.14"
+ # Set this to v1beta1 to use beta features such as private clusterss
+ # and the Kubernetes stackdriver agents.
+ gkeApiVersion: SET_GKE_API_VERSION
+ # Whether to enable workload identity
+ enable-workload-identity: false
+ identity-namespace: SET_IDENTITY_NAMESPACE
+ # An arbitrary string appending to name of nodepools
+ # bump this if you want to modify the node pools.
+ # This will cause existing node pools to be deleted and new ones to be created.
+ # Use prefix v so it will be treated as a string.
+ pool-version: v1
+ # CPU Pool Configs
+ # Two is small enough to fit within default quota.
+ cpu-pool-initialNodeCount: 2
+ # machine type for nodes in cpu pool. Available options: https://cloud.google.com/compute/docs/machine-types
+ cpu-pool-machine-type: n1-standard-8
+ # Autoscaling parameters
+ cpu-pool-enable-autoscaling: true
+ cpu-pool-min-nodes: 0
+ cpu-pool-max-nodes: 10
+ # GPU Pool Configs
+ gpu-pool-initialNodeCount: 0
+ # machine type for nodes in gpu pool. Available options: https://cloud.google.com/compute/docs/machine-types
+ gpu-pool-machine-type: n1-standard-8
+ # GPUs are not enabled by default. To add GPUs
+ # set gpu-pool-max-nodes to a none-zero value.
+ gpu-pool-enable-autoscaling: true
+ gpu-pool-min-nodes: 0
+ gpu-pool-max-nodes: 10
+ # Controls gpu number per node, valid input: [1, num_cpu_per_node], for n1-standard-8, num_cpu_per_node = 8
+ gpu-number-per-node: 1
+ # Check https://cloud.google.com/compute/docs/gpus/ for available GPU models and their regions
+ gpu-type: nvidia-tesla-k80
+ # Autoprovisioning parameters (only supported in gkeApiVersion v1beta1).
+ # This is configured by the gkeApiVersion setting.
+ autoprovisioning-config:
+ enabled: true
+ # Max CPU and Max Memory are the total maximum allowed CPU and Memory in the cluster
+ max-cpu: 128
+ max-memory: 2000
+ max-accelerator:
+ - type: nvidia-tesla-k80
+ count: 16
+ # Whether to enable TPUs
+ enable_tpu: false
+ securityConfig:
+ # Whether to use a cluster with private IPs
+ # Use v1beta1 api
+ privatecluster: false
+ # masterIpv4CidrBlock for private clusters, if enabled
+ # Use v1beta1 api
+ masterIpv4CidrBlock: 172.16.0.16/28
+ # Protect worker node metadata from pods
+ # Use v1beta1 api
+ secureNodeMetadata: false
+ # Whether to enable Pod Security Policy Admission Controller
+ # Use v1beta1 api
+ podSecurityPolicy: false
+ masterAuthorizedNetworksConfigEnabled: false
+ masterAuthorizedNetworksConfigCidr:
+ - cidrBlock: 1.2.3.4/32
+ # This is the name of the GCP static ip address reserved for your domain.
+ # Each Kubeflow deployment in your project should use one unique ipName among all configs.
+ ipName: kubeflow-ip
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja
new file mode 100644
index 0000000000..c580e321f9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja
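Review bot: Every hardening switch in `deployment_manager_configs/cluster-kubeflow.yaml` ships disabled: `secureNodeMetadata: false`, `podSecurityPolicy: false`, `privatecluster: false`, `masterAuthorizedNetworksConfigEnabled: false` and `enable-workload-identity: false`. With node metadata left unprotected, pods can generally query the node's metadata endpoint and obtain the VM service account's token, which undercuts the separation between the `-admin`, `-user` and `-vm` accounts that `cluster.jinja` creates. I would default `secureNodeMetadata` and `enable-workload-identity` to `true` (the comments say the former needs `gkeApiVersion: v1beta1`). I would also replace `cidrBlock: 1.2.3.4/32` with an explicit placeholder such as `SET_AUTHORIZED_CIDR`, in the style of `SET_THE_ZONE`, so the sample value cannot be deployed unedited.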
@@ -0,0 +1,185 @@ +{# +Copyright 2016 Google Inc. All rights reserved. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +#} + + +{% set NAME_PREFIX = env['deployment'] %} +{% set CLUSTER_NAME = NAME_PREFIX %} +{% set CPU_POOL = NAME_PREFIX + '-cpu-pool-' + properties['pool-version'] %} +{% set GPU_POOL = NAME_PREFIX + '-gpu-pool-' + properties['pool-version'] %} +{% set VM_OAUTH_SCOPES = ['https://www.googleapis.com/auth/logging.write', + 'https://www.googleapis.com/auth/monitoring', + 'https://www.googleapis.com/auth/devstorage.read_only'] %} + +{# Names for service accounts. + -admin is to be used for admin tasks + -user is to be used by users for actual jobs. + -vm is used for the VM service account attached to the GKE VMs. + #} +{% set KF_ADMIN_NAME = NAME_PREFIX + '-admin' %} +{% set KF_USER_NAME = NAME_PREFIX + '-user' %} +{% set KF_VM_SA_NAME = NAME_PREFIX + '-vm' %} + +resources: +- name: {{ KF_ADMIN_NAME }} + type: iam.v1.serviceAccount + properties: + accountId: {{ KF_ADMIN_NAME }} + displayName: Service Account used for Kubeflow admin actions. + +- name: {{ KF_USER_NAME }} + type: iam.v1.serviceAccount + properties: + accountId: {{ KF_USER_NAME }} + displayName: Service Account used for Kubeflow user actions. 
+ +- name: {{ KF_VM_SA_NAME }} + type: iam.v1.serviceAccount + properties: + accountId: {{ KF_VM_SA_NAME }} + displayName: GCP Service Account to use as VM Service Account for Kubeflow Cluster VMs + +- name: {{ CLUSTER_NAME }} + {% if properties['gkeApiVersion'] == 'v1beta1' %} + type: gcp-types/container-v1beta1:projects.locations.clusters + {% else %} + type: container.v1.cluster + {% endif %} + properties: + parent: projects/{{ env['project'] }}/locations/{{ properties['zone'] }} + zone: {{ properties['zone'] }} + cluster: + name: {{ CLUSTER_NAME }} + initialClusterVersion: "{{ properties['cluster-version'] }}" + resourceLabels: + application: 'kubeflow' + {% if properties['gkeApiVersion'] == 'v1beta1' %} + # We need 1.10.2 to support Stackdriver GKE. + loggingService: logging.googleapis.com/kubernetes + monitoringService: monitoring.googleapis.com/kubernetes + {% if properties['enable_tpu'] %} + enable_tpu: {{ properties['enable_tpu'] }} + ipAllocationPolicy: + useIpAliases: {{ properties['enable_tpu'] }} + {% endif %} + podSecurityPolicyConfig: + enabled: {{ properties['securityConfig']['podSecurityPolicy'] }} + {% endif %} + {% if properties['enable-workload-identity'] %} + workloadIdentityConfig: + identityNamespace: {{ properties['identity-namespace'] }} + {% endif %} + {% if properties['securityConfig']['privatecluster'] %} + ipAllocationPolicy: + createSubnetwork: true + useIpAliases: true + privateClusterConfig: + masterIpv4CidrBlock: {{ properties['securityConfig']['masterIpv4CidrBlock'] }} + enablePrivateNodes: true + masterAuthorizedNetworksConfig: + enabled: {{ properties['securityConfig']['masterAuthorizedNetworksConfigEnabled'] }} + {% if properties['securityConfig']['masterAuthorizedNetworksConfigEnabled'] %} + cidrBlocks: + {{ properties['securityConfig']['masterAuthorizedNetworksConfigCidr'] }} + {% endif %} + {% endif %} + # Autoprovisioning is only supported in v1beta1. 
+ {% if properties['gkeApiVersion'] == 'v1beta1' and properties['autoprovisioning-config']['enabled'] %} + autoscaling: + enableNodeAutoprovisioning: true + autoprovisioningNodePoolDefaults: + oauthScopes: {{ VM_OAUTH_SCOPES }} + serviceAccount: {{ KF_VM_SA_NAME }}@{{ env['project'] }}.iam.gserviceaccount.com + + resourceLimits: + - resourceType: 'cpu' + maximum: {{ properties['autoprovisioning-config']['max-cpu'] }} + - resourceType: 'memory' + maximum: {{ properties['autoprovisioning-config']['max-memory'] }} + {% for accelerator in properties['autoprovisioning-config']['max-accelerator'] %} + - resourceType: {{ accelerator.type }} + maximum: {{ accelerator.count }} + {% endfor %} + {% endif %} + nodePools: + - name: {{ CPU_POOL }} + initialNodeCount: {{ properties['cpu-pool-initialNodeCount'] }} + autoscaling: + enabled: {{ properties['cpu-pool-enable-autoscaling'] }} + {% if properties['cpu-pool-enable-autoscaling'] %} + minNodeCount: {{ properties['cpu-pool-min-nodes'] }} + maxNodeCount: {{ properties['cpu-pool-max-nodes'] }} + {% endif %} + config: + {% if properties['securityConfig']['secureNodeMetadata'] %} + workloadMetadataConfig: + nodeMetadata: SECURE + {% endif %} + machineType: {{ properties['cpu-pool-machine-type'] }} + serviceAccount: {{ KF_VM_SA_NAME }}@{{ env['project'] }}.iam.gserviceaccount.com + oauthScopes: {{ VM_OAUTH_SCOPES }} + # Set min cpu platform to ensure AVX2 is supported. + minCpuPlatform: 'Intel Broadwell' + metadata: + dependsOn: + - {{ KF_VM_SA_NAME }} + +# We manage the node pools as separate resources. +# We do this so that if we want to make changes we can delete the existing resource and then recreate it. +# Updating doesn't work so well because we are limited in what changes GKE's update method supports. 
+ +{% if properties['gpu-pool-max-nodes'] > 0 %} +- name: {{ GPU_POOL }} + {% if properties['gkeApiVersion'] == 'v1beta1' %} + type: gcp-types/container-v1beta1:projects.locations.clusters.nodePools + {% else %} + type: container.v1.nodePool + {% endif %} + properties: + parent: projects/{{ env['project'] }}/locations/{{ properties['zone'] }}/clusters/{{ CLUSTER_NAME }} + project: {{ properties['securityConfig']['project'] }} + zone: {{ properties['zone'] }} + clusterId: {{ CLUSTER_NAME }} + nodePool: + name: gpu-pool + initialNodeCount: {{ properties['gpu-pool-initialNodeCount'] }} + autoscaling: + enabled: {{ properties['gpu-pool-enable-autoscaling'] }} + {% if properties['gpu-pool-enable-autoscaling'] %} + minNodeCount: {{ properties['gpu-pool-min-nodes'] }} + maxNodeCount: {{ properties['gpu-pool-max-nodes'] }} + {% endif %} + config: + {% if properties['securityConfig']['secureNodeMetadata'] %} + workloadMetadataConfig: + nodeMetadata: SECURE + {% endif %} + machineType: {{ properties['gpu-pool-machine-type'] }} + serviceAccount: {{ KF_VM_SA_NAME }}@{{ env['project'] }}.iam.gserviceaccount.com + oauthScopes: {{ VM_OAUTH_SCOPES }} + # Set min cpu platform to ensure AVX2 is supported. + minCpuPlatform: 'Intel Broadwell' + accelerators: + - acceleratorCount: {{ properties['gpu-number-per-node'] }} + acceleratorType: {{ properties['gpu-type'] }} + + metadata: + dependsOn: + # We can only create 1 node pool at a time. + - {{ CLUSTER_NAME }} +{% endif %} + +{# Project defaults to the project of the deployment. #} +- name: {{ properties['ipName'] }} + type: compute.v1.globalAddress + properties: + description: "Static IP for Kubeflow ingress." diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja.schema b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja.schema new file mode 100644 index 0000000000..4ba13ae9d4 --- /dev/null 
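Review bot: In cluster.jinja, `masterAuthorizedNetworksConfig:` is rendered only inside the `{% if properties['securityConfig']['privatecluster'] %}` branch, so with `privatecluster: false` the `masterAuthorizedNetworksConfigEnabled` and `masterAuthorizedNetworksConfigCidr` settings are silently ignored and this template puts no source-IP restriction on the control-plane endpoint. Close the private-cluster branch with its `{% endif %}` directly after `enablePrivateNodes: true`, so the authorized-networks block is emitted for public clusters as well. Separately, with `gkeApiVersion: v1beta1` and both `enable_tpu` and `privatecluster` set, `ipAllocationPolicy:` appears to be rendered twice under `cluster:` (indentation is lost in this view), which a YAML loader either rejects or resolves last-wins. The GPU pool also reads `properties['securityConfig']['project']`, a key that the `securityConfig` block shown earlier in this commit does not define.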
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/cluster.jinja.schema
@@ -0,0 +1,34 @@
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+info:
+ title: GKE cluster
+ author: Google, Inc.
+ description: |
+ Creates a GKE cluster and associated type for use in DM. The type can be
+ used in other DM configurations in the following manner:
+
+ "type: :/api/v1/namespaces/{namespace}/services"
+
+required:
+- zone
+
+properties:
+ zone:
+ type: string
+ description: Zone in which the cluster should run.
+ initialNodeCount:
+ type: integer
+ description: Initial number of nodes desired in the cluster.
+ default: 4
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/gcfs.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/gcfs.yaml
new file mode 100644
index 0000000000..8927a83881
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/gcfs.yaml
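Review bot: The schema for cluster.jinja declares only `zone` and `initialNodeCount`, while the template added in this commit reads `securityConfig`, `gkeApiVersion`, `pool-version`, the pool sizing keys and `ipName`, and never reads `initialNodeCount`. As a result none of the security switches (`privatecluster`, `secureNodeMetadata`, `podSecurityPolicy`, `masterAuthorizedNetworksConfigEnabled`) is type-checked or given a declared default, so a config that omits or misspells one is not caught by schema validation. Declare `securityConfig` as an object with boolean properties and explicit defaults, and either wire up or remove `initialNodeCount`.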
@@ -0,0 +1,19 @@
+# Modify this instance to create a GCFS file store.
+# 1. Change the zone to the desired zone
+# 2. Change the instanceId to the desired id
+# 3. Change network if needed
+# 4. Change the capacity if desired.
+resources:
+- name: filestore
+ type: gcp-types/file-v1beta1:projects.locations.instances
+ properties:
+ parent: projects/isolated-project/locations/us-west1-b
+ # Any name of the instance would do
+ instanceId: YOUR_DEPLOYMENT_NAME
+ tier: STANDARD
+ description: Filestore for Kubeflow
+ networks:
+ - network: default
+ fileShares:
+ - name: kubeflow
+ capacityGb: 1024
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/iam_bindings_template.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/iam_bindings_template.yaml
new file mode 100644
index 0000000000..11672cbcbb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/iam_bindings_template.yaml
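Review bot: The checklist at the top of gcfs.yaml omits the project: `parent: projects/isolated-project/locations/us-west1-b` hard-codes a project id together with the zone, but only the zone is listed as something to change. Reword step 1 to `# 1. Change the project and zone in parent`, or replace the id with an obvious placeholder in the style of `YOUR_DEPLOYMENT_NAME`. Step 3 could also say which network the cluster nodes are expected to be on, since `network: default` decides which VPC can reach the file share.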
@@ -0,0 +1,46 @@
+# This config is used by iam_patch.py. It is not a DM config.
+#
+# Schema for this yaml file
+# * bindings is a list of (members, roles) dict
+# * members and roles are lists
+# * each role in roles is granted to each member in members
+bindings:
+- members:
+ - set-kubeflow-admin-service-account
+ roles:
+ # Grant permissions needed to push the app to a cloud repository
+ - roles/source.admin
+ # servicemanagement.admin is needed by CloudEndpoints controller so we can create a service to get a hostname.
+ - roles/servicemanagement.admin
+ # Network admin is needed to enable IAP and configure network settings like backend timeouts and health checks
+ - roles/compute.networkAdmin
+- members:
+ - set-kubeflow-user-service-account
+ roles:
+ # Grant permissions needed to submit builds to Google Cloud Container Builder
+ - roles/cloudbuild.builds.editor
+ # roles/viewer is required for viewing the logs of a GCB build
+ - roles/viewer
+ # Grant permissions needed to push the app to a cloud repository
+ - roles/source.admin
+ - roles/storage.admin
+ - roles/bigquery.admin
+ - roles/dataflow.admin
+ - roles/ml.admin
+ - roles/dataproc.editor
+ - roles/cloudsql.admin
+- members:
+ - set-kubeflow-vm-service-account
+ roles:
+ # VM service account is used to write logs
+ - roles/logging.logWriter
+ # VM service account is used to write monitoring data
+ - roles/monitoring.metricWriter
+ # VM service account can retrieve monitoring data
+ - roles/monitoring.viewer
+ # VM service account is used to pull image from gcr
+ - roles/storage.objectViewer
+- members:
+ - set-kubeflow-iap-account
+ roles:
+ - roles/iap.httpsResourceAccessor
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.jinja b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.jinja
new file mode 100644
index 0000000000..ee511443bd
--- /dev/null
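Review bot: The `set-kubeflow-user-service-account` binding grants more than its comments justify: `roles/viewer` is a project-wide basic role added only to read Cloud Build logs, and `roles/source.admin` is explained as "push the app to a cloud repository", which `roles/source.writer` would cover. `roles/storage.admin`, `roles/bigquery.admin`, `roles/dataflow.admin`, `roles/ml.admin`, `roles/dataproc.editor` and `roles/cloudsql.admin` carry no explanation at all. Every workload that runs as the user account inherits the whole set, so each role should get a one-line justification in the style of the VM account's entries or be narrowed, for example `roles/logging.viewer` in place of `roles/viewer` if log access is really the only need.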
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.jinja
@@ -0,0 +1,19 @@
+# Copyright 2018 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+- type: gcp-types/compute-v1:networks
+ name: network-{{ env["deployment"] }}
+ properties:
+ autoCreateSubnetworks: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.yaml
new file mode 100644
index 0000000000..978271f623
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/network.yaml
@@ -0,0 +1,19 @@
+# Copyright 2018 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+imports:
+- path: network.jinja
+resources:
+- name: network
+ type: network.jinja
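Review bot: In network.jinja, nothing else visible in this commit attaches to the network being created: cluster.jinja sets no `network` on the cluster, gcfs.yaml uses `network: default`, and storage.jinja points Cloud SQL at `global/networks/default`. If `network-{{ env["deployment"] }}` is meant to isolate this deployment, those templates should reference it; as written, an auto-mode VPC is created and apparently left unused. A comment above `autoCreateSubnetworks: true` naming the intended consumers would settle it.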
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage-kubeflow.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage-kubeflow.yaml
new file mode 100644
index 0000000000..b4bea7336e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage-kubeflow.yaml
@@ -0,0 +1,34 @@
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+imports:
+- path: storage.jinja
+resources:
+- name: kubeflow
+ type: storage.jinja
+ properties:
+ zone: SET_THE_ZONE
+ createPipelinePersistentStorage: SET_CREATE_PIPELINE_PERSISTENT_STORAGE
+ disks:
+ - sizeGb: 20
+ diskType: pd-standard
+ usage: metadata-store
+ - sizeGb: 200
+ diskType: pd-standard
+ usage: artifact-store
+ enable_cloudsql: false
+ database:
+ name: mlpipeline
+ dbUser:
+ user: root
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja
new file mode 100644
index 0000000000..4524bc866b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja
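Review bot: In storage-kubeflow.yaml, `dbUser` is written as `user: root`, but storage.jinja reads `properties['dbUser']['name']` and storage.jinja.schema declares `name` (default `root`) and `host` (default `'%'`), so the `user` key is never consumed and the account name comes from the schema default. Rename it to `name: root`. With `enable_cloudsql: false` the block is dormant today, but whoever flips the switch gets a root account for host `'%'` without having chosen it here, so setting `host` explicitly next to `name` is worth doing at the same time.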
@@ -0,0 +1,75 @@ +{# +Copyright 2016 Google Inc. All rights reserved. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +#} + +{% macro diskName(diskObj) -%}{{ env["deployment"]}}-{{ diskObj["usage"] }}{%- endmacro %} + +{% set NAME_PREFIX = env['deployment'] %} +{% set SQL_INSTANCE_NAME = env['deployment'] + '-mysql' %} + +resources: +{% if properties['createPipelinePersistentStorage'] %} +{% for diskObj in properties["disks"] %} +- name: {{ diskName(diskObj) }} + type: compute.v1.disk + properties: + zone: {{ properties["zone"] }} + sizeGb: {{ diskObj["sizeGb"] }} + type: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/diskTypes/{{ diskObj["diskType"] }} +{% endfor %} +{% endif %} + +{% if properties['enable_cloudsql'] %} +- name: {{ SQL_INSTANCE_NAME }} + type: sqladmin.v1beta4.instance + properties: + backendType: SECOND_GEN + instanceType: CLOUD_SQL_INSTANCE + databaseVersion: {{ properties['cloudsql']['databaseVersion'] }} + region: {{ properties['cloudsql']['region'] }} + settings: + tier: {{ properties['cloudsql']['tier'] }} + dataDiskSizeGb: {{ properties['cloudsql']['dataDiskSizeGb'] }} + dataDiskType: {{ properties['cloudsql']['dataDiskType'] }} + storageAutoResize: true + replicationType: SYNCHRONOUS + locationPreference: + zone: {{ properties['cloudsql']['zone'] }} + {% if properties['databaseFlags'] %} + databaseFlags: {{ properties['databaseFlags'] }} + {% endif %} + activationPolicy: ALWAYS + backupConfiguration: + enabled: true + 
binaryLogEnabled: true + startTime: {{ properties['cloudsql']['backupStartTime'] }} + ipConfiguration: + privateNetwork: projects/{{ env['project'] }}/global/networks/default + authorizedNetworks: {{ properties['cloudsql']['authorizedNetworks'] }} + +- name: {{ SQL_INSTANCE_NAME }}-db + type: sqladmin.v1beta4.database + properties: + name: {{ properties['database']['name'] }} + instance: $(ref.{{ SQL_INSTANCE_NAME }}.name) + charset: {{ properties['database']['charset'] }} + +- name: {{ SQL_INSTANCE_NAME }}-db-root + type: sqladmin.v1beta4.user + properties: + name: {{ properties['dbUser']['name'] }} + host: "{{ properties['dbUser']['host'] }}" + instance: $(ref.{{ SQL_INSTANCE_NAME }}.name) + metadata: + dependsOn: + - {{ SQL_INSTANCE_NAME }}-db +{% endif %} diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja.schema b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja.schema new file mode 100644 index 0000000000..3a9e50251f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/deployment_manager_configs/storage.jinja.schema 
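Review bot: In storage.jinja, the `{{ SQL_INSTANCE_NAME }}-db-root` user resource sets `name`, `host` and `instance` but no `password`, and the schema defaults for those are `root` and `'%'`, so enabling Cloud SQL creates a root account that, as far as this template goes, has no password and may connect from any host. On the instance, `ipConfiguration` sets `privateNetwork` and `authorizedNetworks` but not `ipv4Enabled`, which leaves the assignment of a public address to the API default. Supply the password through a property that is provided at deploy time and never committed, e.g. `password: {{ properties['dbUser']['password'] }}`, and add `ipv4Enabled: false` when only the private network is intended.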
@@ -0,0 +1,126 @@ +# Copyright 2016 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +info: + title: Kubeflow Permanent Storage + author: Google, Inc. + description: | + Creates permanent storage for Kubeflow deployment + +required: +- zone + +properties: + zone: + type: string + disks: + type: array + items: + type: object + required: + - usage + properties: + sizeGb: + type: integer + default: 200 + diskType: + type: string + default: pd-standard + enum: + - pd-standard + - pd-ssd + usage: + type: string + description: what is the disk used for + enum: + - metadata-store + - artifact-store + + cloudsql: + type: object + default: + properties: + properties: + databaseVersion: + type: string + description: MYSQL_5_7 or MYSQL_5_6 + default: MYSQL_5_6 + dataDiskSizeGb: + type: integer + minimum: 10 + maximum: 1000 + default: 10 + dataDiskType: + type: string + decription: PD_SSD or PD_HDD + default: PD_SSD + backupStartTime: + type: string + description: HH:MM in 24 hour format + default: 00:00 + tier: + type: string + description: https://cloud.google.com/sql/pricing#2nd-gen-pricing + default: db-n1-highmem-4 + region: + type: string + description: i.e. us-central1 + default: us-central1 + zone: + type: string + description: i.e. 
us-central1-a + default: us-central1-a + authorizedNetworks: + type: array + description: An array of allowed CIDR blocks + items: + type: string + + databaseFlags: + type: array + description: An array of https://cloud.google.com/sql/docs/mysql/flags + items: + type: object + required: + - name + - value + properties: + name: + type: string + value: + type: + - integer + - string + + dbUser: + type: object + properties: + name: + type: string + default: root + host: + type: string + default: '%' + + database: + type: object + required: + - name + properties: + name: + type: string + charset: + type: string + description: https://dev.mysql.com/doc/refman/5.7/en/charset.html + default: utf8 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/daemon-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/daemon-set.yaml new file mode 100644 index 0000000000..4a3506f389 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/daemon-set.yaml 
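Review bot: Two entries under `cloudsql` in storage.jinja.schema will not behave as written: `backupStartTime` has `default: 00:00`, which a YAML 1.1 loader reads as a sexagesimal integer instead of the declared `type: string`, and `dataDiskType` spells its key `decription`, so the text is not picked up as a description. Write `default: '00:00'` and `description: PD_SSD or PD_HDD`. The `dbUser` defaults of `root` and `'%'` also deserve a comment, because storage.jinja creates that user without setting a password.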
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ k8s-app: nvidia-driver-installer
+ name: nvidia-driver-installer
+ namespace: kube-system
+spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: nvidia-driver-installer
+ name: nvidia-driver-installer
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: cloud.google.com/gke-accelerator
+ operator: Exists
+ containers:
+ - image: gcr.io/google-containers/pause:2.0
+ name: pause
+ hostNetwork: true
+ hostPID: true
+ initContainers:
+ - env:
+ - name: NVIDIA_INSTALL_DIR_HOST
+ value: /home/kubernetes/bin/nvidia
+ - name: NVIDIA_INSTALL_DIR_CONTAINER
+ value: /usr/local/nvidia
+ - name: ROOT_MOUNT_DIR
+ value: /root
+ image: cos-nvidia-installer:fixed
+ imagePullPolicy: Never
+ name: nvidia-driver-installer
+ resources:
+ requests:
+ cpu: 0.15
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /usr/local/nvidia
+ name: nvidia-install-dir-host
+ - mountPath: /dev
+ name: dev
+ - mountPath: /root
+ name: root-mount
+ tolerations:
+ - operator: Exists
+ volumes:
+ - hostPath:
+ path: /dev
+ name: dev
+ - hostPath:
+ path: /home/kubernetes/bin/nvidia
+ name: nvidia-install-dir-host
+ - hostPath:
+ path: /
+ name: root-mount
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/kustomization.yaml
new file mode 100644
index 0000000000..8ec9deacc2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/base/kustomization.yaml
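Review bot: The `nvidia-driver-installer` init container in daemon-set.yaml runs `privileged: true` with the host's `/` mounted at `/root` and `/dev` mounted, in a pod that sets `hostNetwork` and `hostPID`, yet its image is the unqualified `cos-nvidia-installer:fixed` with `imagePullPolicy: Never`. Whatever image carries that name in a node's local store is what runs with full host access, and there is no registry path or digest to audit. Add a comment stating where the image is expected to come from (presumably preloaded on the node image, to be confirmed), e.g. `# cos-nvidia-installer:fixed ships with the node image and is never pulled`. `gcr.io/google-containers/pause:2.0` could likewise be pinned by digest.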
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- daemon-set.yaml
+commonLabels:
+ kustomize.component: gpu-driver
+images:
+- name: gcr.io/google-containers/pause
+ newName: gcr.io/google-containers/pause
+ newTag: '2.0'
+- name: cos-nvidia-installer
+ newName: cos-nvidia-installer
+ newTag: fixed
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/application.yaml
new file mode 100644
index 0000000000..d7a65a1552
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: gpu-driver
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: gpu-driver
+ app.kubernetes.io/instance: gpu-driver-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: gpu-driver
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ type: gpu-driver
+ version: v1beta1
+ description: ""
+ maintainers: []
+ owners: []
+ keywords:
+ - gpu-driver
+ - kubeflow
+ links:
+ - description: About
+ url: ""
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..71b5877198
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/gpu-driver/overlays/application/kustomization.yaml
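Review bot: In overlays/application/application.yaml, `componentKinds` lists `ConfigMap` and `Deployment`, but the only resource in the gpu-driver base is the `nvidia-driver-installer` DaemonSet, so the Application does not declare the kind of its own workload. Add an entry with `group: apps` and `kind: DaemonSet`, and drop the kinds this component does not create.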
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: gpu-driver
+ app.kubernetes.io/name: gpu-driver
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/backend-config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/backend-config.yaml
new file mode 100644
index 0000000000..42cba627b7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/backend-config.yaml
@@ -0,0 +1,11 @@
+apiVersion: cloud.google.com/v1beta1
+kind: BackendConfig
+metadata:
+ name: iap-backendconfig
+spec:
+ # Jupyter uses websockets so we want to increase the timeout.
+ timeoutSec: 3600
+ iap:
+ enabled: true
+ oauthclientCredentials:
+ secretName: $(oauthSecretName)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cloud-endpoint.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cloud-endpoint.yaml
new file mode 100644
index 0000000000..139273b25a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cloud-endpoint.yaml
@@ -0,0 +1,9 @@
+apiVersion: ctl.isla.solutions/v1
+kind: CloudEndpoint
+metadata:
+ name: $(appName)
+spec:
+ project: $(project)
+ targetIngress:
+ name: $(ingressName)
+ namespace: $(istioNamespace)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..b190503205
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kf-admin-iap
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kf-admin-iap
+subjects:
+- kind: ServiceAccount
+ name: kf-admin
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role.yaml
new file mode 100644
index 0000000000..d4b9126403
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/cluster-role.yaml
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kf-admin-iap
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - update
+ - patch
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - policies
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - gateways
+ - virtualservices
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/config-map.yaml
new file mode 100644
index 0000000000..e2b4d0f5a7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/config-map.yaml
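Review bot: In cluster-role-binding.yaml, the `ServiceAccount` subject `kf-admin` carries no `namespace`, which the RBAC API requires for service-account subjects. Unless the kustomization for this component (not part of this view) injects it, add `namespace: <namespace of kf-admin>` under the subject so the binding is valid when applied on its own.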
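Review bot: In cluster-role.yaml, `kf-admin-iap` grants `get`/`list`/`patch`/`update` on `secrets` cluster-wide and `'*'` on Istio `policies`, `gateways` and `virtualservices`, and it is bound through a ClusterRoleBinding. The part of `setup_backend.sh` visible in this commit only reads a service and an ingress and patches one `policy` and one service in `${NAMESPACE}`; if the remaining scripts do the same, a namespaced `Role` and `RoleBinding` with explicit verbs would cover it, and `secrets` could be dropped or limited with `resourceNames`. Both RBAC manifests also use `rbac.authorization.k8s.io/v1beta1` where `rbac.authorization.k8s.io/v1` is available.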
@@ -0,0 +1,153 @@ +apiVersion: v1 +data: + healthcheck_route.yaml: | + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: default-routes + namespace: $(namespace) + spec: + hosts: + - "*" + gateways: + - kubeflow-gateway + http: + - match: + - uri: + exact: /healthz + route: + - destination: + port: + number: 80 + host: whoami-app.kubeflow.svc.cluster.local + - match: + - uri: + exact: /whoami + route: + - destination: + port: + number: 80 + host: whoami-app.kubeflow.svc.cluster.local + --- + apiVersion: networking.istio.io/v1alpha3 + kind: Gateway + metadata: + name: kubeflow-gateway + namespace: $(namespace) + spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + setup_backend.sh: "#!/usr/bin/env bash\n#\n# A simple shell script to configure + the JWT audience used with ISTIO\nset -x\n[ -z ${NAMESPACE} ] && echo Error NAMESPACE + must be set && exit 1\n[ -z ${SERVICE} ] && echo Error SERVICE must be set && + exit 1\n[ -z ${INGRESS_NAME} ] && echo Error INGRESS_NAME must be set && exit + 1\n\nPROJECT=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/project-id)\nif + [ -z ${PROJECT} ]; then\n echo Error unable to fetch PROJECT from compute metadata\n + \ exit 1\nfi\n\nPROJECT_NUM=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id)\nif + [ -z ${PROJECT_NUM} ]; then\n echo Error unable to fetch PROJECT_NUM from compute + metadata\n exit 1\nfi\n\n# Activate the service account\nif [ ! 
-z \"${GOOGLE_APPLICATION_CREDENTIALS}\" + ]; then\n # As of 0.7.0 we should be using workload identity and never setting + GOOGLE_APPLICATION_CREDENTIALS.\n # But we kept this for backwards compatibility + but can remove later.\n gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}\nfi\n\n# + Print out the config for debugging\ngcloud config list\ngcloud auth list\n\nset_jwt_policy + () {\n NODE_PORT=$(kubectl --namespace=${NAMESPACE} get svc ${SERVICE} -o jsonpath='{.spec.ports[?(@.name==\"http2\")].nodePort}')\n + \ echo \"node port is ${NODE_PORT}\"\n\n BACKEND_NAME=\"\"\n while [[ -z ${BACKEND_NAME} + ]]; do\n BACKENDS=$(kubectl --namespace=${NAMESPACE} get ingress ${INGRESS_NAME} + -o jsonpath='{.metadata.annotations.ingress\\.kubernetes\\.io/backends}')\n echo + \"fetching backends info with ${INGRESS_NAME}: ${BACKENDS}\"\n BACKEND_NAME=$(echo + $BACKENDS | grep -o \"k8s-be-${NODE_PORT}--[0-9a-z]\\+\")\n echo \"backend + name is ${BACKEND_NAME}\"\n sleep 2\n done\n\n BACKEND_ID=\"\"\n while [[ + -z ${BACKEND_ID} ]]; do\n BACKEND_ID=$(gcloud compute --project=${PROJECT} + backend-services list --filter=name~${BACKEND_NAME} --format='value(id)')\n echo + \"Waiting for backend id PROJECT=${PROJECT} NAMESPACE=${NAMESPACE} SERVICE=${SERVICE} + filter=name~${BACKEND_NAME}\"\n sleep 2\n done\n echo BACKEND_ID=${BACKEND_ID}\n\n + \ JWT_AUDIENCE=\"/projects/${PROJECT_NUM}/global/backendServices/${BACKEND_ID}\"\n + \ \n # Use kubectl patch.\n echo patch JWT audience: ${JWT_AUDIENCE}\n kubectl + -n ${NAMESPACE} patch policy ingress-jwt --type json -p '[{\"op\": \"replace\", + \"path\": \"/spec/origins/0/jwt/audiences/0\", \"value\": \"'${JWT_AUDIENCE}'\"}]'\n\n + \ echo \"Clearing lock on service annotation\"\n kubectl patch svc \"${SERVICE}\" + -p \"{\\\"metadata\\\": { \\\"annotations\\\": {\\\"backendlock\\\": \\\"\\\" + }}}\"\n}\n\nwhile true; do\n set_jwt_policy\n # Every 5 minutes recheck the + JWT policy and reset it if the backend 
has changed for some reason.\n # This + follows Kubernetes level based design.\n # We have at least one report see \n + \ # https://github.com/kubeflow/kubeflow/issues/4342#issuecomment-544653657\n + \ # of the backend id changing over time.\n sleep 300\ndone\n" + update_backend.sh: "#!/bin/bash\n#\n# A simple shell script to configure the health + checks by using gcloud.\nset -x\n\n[ -z ${NAMESPACE} ] && echo Error NAMESPACE + must be set && exit 1\n[ -z ${SERVICE} ] && echo Error SERVICE must be set && + exit 1\n[ -z ${INGRESS_NAME} ] && echo Error INGRESS_NAME must be set && exit + 1\n\nPROJECT=$(curl -s -H \"Metadata-Flavor: Google\" http://metadata.google.internal/computeMetadata/v1/project/project-id)\nif + [ -z ${PROJECT} ]; then\n echo Error unable to fetch PROJECT from compute metadata\n + \ exit 1\nfi\n\nif [[ ! -z \"${GOOGLE_APPLICATION_CREDENTIALS}\" ]]; then\n # + TODO(jlewi): As of 0.7 we should always be using workload identity. We can remove + it post 0.7.0 once we have workload identity\n # fully working\n # Activate + the service account, allow 5 retries\n for i in {1..5}; do gcloud auth activate-service-account + --key-file=${GOOGLE_APPLICATION_CREDENTIALS} && break || sleep 10; done\nfi \n\nset_health_check + () {\n NODE_PORT=$(kubectl --namespace=${NAMESPACE} get svc ${SERVICE} -o jsonpath='{.spec.ports[?(@.name==\"http2\")].nodePort}')\n + \ echo node port is ${NODE_PORT}\n\n while [[ -z ${BACKEND_NAME} ]]; do\n BACKENDS=$(kubectl + --namespace=${NAMESPACE} get ingress ${INGRESS_NAME} -o jsonpath='{.metadata.annotations.ingress\\.kubernetes\\.io/backends}')\n + \ echo \"fetching backends info with ${INGRESS_NAME}: ${BACKENDS}\"\n BACKEND_NAME=$(echo + $BACKENDS | grep -o \"k8s-be-${NODE_PORT}--[0-9a-z]\\+\")\n echo \"backend + name is ${BACKEND_NAME}\"\n sleep 2\n done\n\n while [[ -z ${BACKEND_SERVICE} + ]];\n do BACKEND_SERVICE=$(gcloud --project=${PROJECT} compute backend-services + list --filter=name~${BACKEND_NAME} --uri);\n echo 
\"Waiting for the backend-services + resource PROJECT=${PROJECT} BACKEND_NAME=${BACKEND_NAME} SERVICE=${SERVICE}...\";\n + \ sleep 2;\n done\n\n while [[ -z ${HEALTH_CHECK_URI} ]];\n do HEALTH_CHECK_URI=$(gcloud + compute --project=${PROJECT} health-checks list --filter=name~${BACKEND_NAME} + --uri);\n echo \"Waiting for the healthcheck resource PROJECT=${PROJECT} NODEPORT=${NODE_PORT} + SERVICE=${SERVICE}...\";\n sleep 2;\n done\n\n echo health check URI is ${HEALTH_CHECK_URI}\n\n + \ # Since we create the envoy-ingress ingress object before creating the envoy\n + \ # deployment object, healthcheck will not be configured correctly in the GCP\n + \ # load balancer. It will default the healthcheck request path to a value of\n + \ # / instead of the intended /healthz.\n # Manually update the healthcheck request + path to /healthz\n if [[ ${HEALTHCHECK_PATH} ]]; then\n # This is basic auth\n + \ echo Running health checks update ${HEALTH_CHECK_URI} with ${HEALTHCHECK_PATH}\n + \ gcloud --project=${PROJECT} compute health-checks update http ${HEALTH_CHECK_URI} + --request-path=${HEALTHCHECK_PATH}\n else\n # /healthz/ready is the health + check path for istio-ingressgateway\n echo Running health checks update ${HEALTH_CHECK_URI} + with /healthz/ready\n gcloud --project=${PROJECT} compute health-checks update + http ${HEALTH_CHECK_URI} --request-path=/healthz/ready\n # We need the nodeport + for istio-ingressgateway status-port\n STATUS_NODE_PORT=$(kubectl -n istio-system + get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name==\"status-port\")].nodePort}')\n + \ gcloud --project=${PROJECT} compute health-checks update http ${HEALTH_CHECK_URI} + --port=${STATUS_NODE_PORT}\n fi \n}\n\nwhile true; do\n set_health_check\n + \ echo \"Backend updated successfully. 
Waiting 1 hour before updating again.\"\n + \ sleep 3600\ndone\n" +kind: ConfigMap +metadata: + name: envoy-config +--- +apiVersion: v1 +data: + ingress_bootstrap.sh: | + #!/usr/bin/env bash + + set -x + set -e + + # This is a workaround until this is resolved: https://github.com/kubernetes/ingress-gce/pull/388 + # The long-term solution is to use a managed SSL certificate on GKE once the feature is GA. + + # The ingress is initially created without a tls spec. + # Wait until cert-manager generates the certificate using the http-01 challenge on the GCLB ingress. + # After the certificate is obtained, patch the ingress with the tls spec to enable SSL on the GCLB. + + # Wait for certificate. + until kubectl -n ${NAMESPACE} get secret ${TLS_SECRET_NAME} 2>/dev/null; do + echo "Waiting for certificate..." + sleep 2 + done + + kubectl -n ${NAMESPACE} patch ingress ${INGRESS_NAME} --type='json' -p '[{"op": "add", "path": "/spec/tls", "value": [{"secretName": "'${TLS_SECRET_NAME}'", "hosts":["'${TLS_HOST_NAME}'"]}]}]' + + echo "Done" +kind: ConfigMap +metadata: + name: ingress-bootstrap-config diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/deployment.yaml new file mode 100644 index 0000000000..9394ce140b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/deployment.yaml 
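Review bot: In `update_backend.sh`, `set_health_check` never clears `BACKEND_NAME`, `BACKEND_SERVICE` or `HEALTH_CHECK_URI`, so after the first pass all three `while [[ -z ... ]]` loops are skipped and the hourly re-run reuses whatever it found at start-up. `setup_backend.sh` in the same ConfigMap resets `BACKEND_NAME=""` and `BACKEND_ID=""` on every call, for the backend-changed case its closing comment describes. Adding `BACKEND_NAME=""`, `BACKEND_SERVICE=""` and `HEALTH_CHECK_URI=""` at the top of `set_health_check` would make the two scripts agree. Both scripts also leave `${NAMESPACE}`, `${PROJECT}` and the `--filter=name~${BACKEND_NAME}` argument unquoted, and `name~` is a regex match that can return more than one backend. Quoting the expansions and checking for exactly one result would keep a malformed value out of the JWT audience patch.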
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: whoami-app
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: whoami
+ spec:
+ containers:
+ - env:
+ - name: PORT
+ value: "8081"
+ image: gcr.io/cloud-solutions-group/esp-sample-app:1.0.0
+ name: app
+ ports:
+ - containerPort: 8081
+ readinessProbe:
+ failureThreshold: 2
+ httpGet:
+ path: /healthz
+ port: 8081
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: iap-enabler
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ service: iap-enabler
+ spec:
+ containers:
+ - command:
+ - bash
+ - /var/envoy-config/setup_backend.sh
+ env:
+ - name: NAMESPACE
+ value: $(istioNamespace)
+ - name: SERVICE
+ value: istio-ingressgateway
+ - name: INGRESS_NAME
+ value: $(ingressName)
+ - name: ENVOY_ADMIN
+ value: http://localhost:8001
+ - name: USE_ISTIO
+ value: "true"
+ image: gcr.io/kubeflow-images-public/ingress-setup:latest
+ name: iap
+ volumeMounts:
+ - mountPath: /var/envoy-config/
+ name: config-volume
+ restartPolicy: Always
+ serviceAccountName: kf-admin
+ volumes:
+ - configMap:
+ name: envoy-config
+ name: config-volume
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/ingress.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/ingress.yaml
new file mode 100644
index 0000000000..1937e07078
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/ingress.yaml
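Review bot: The `iap-enabler` container runs `gcr.io/kubeflow-images-public/ingress-setup:latest` under `serviceAccountName: kf-admin`, so whatever is next pushed to that mutable tag runs with that account's cluster permissions. Pinning by digest (`image: gcr.io/kubeflow-images-public/ingress-setup@sha256:<digest>`, placeholder) or at least a fixed release tag makes the deployed code reviewable and rollbacks deterministic. The same `:latest` reference appears in `stateful-set.yaml`, `overlays/certmanager/job.yaml` and the `newTag: latest` entries of the `kustomization.yaml` files in this commit, so the pin is best set once in the kustomize `images:` block. Neither Deployment sets a `securityContext` or resource limits; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are worth adding if the images support them.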
@@ -0,0 +1,17 @@ +apiVersion: extensions/v1beta1 # networking.k8s.io/v1beta1 +kind: Ingress +metadata: + annotations: + ingress.kubernetes.io/ssl-redirect: "true" + kubernetes.io/ingress.global-static-ip-name: $(ipName) + networking.gke.io/managed-certificates: gke-certificate + name: envoy-ingress +spec: + rules: + - host: $(hostname) + http: + paths: + - backend: + serviceName: istio-ingressgateway + servicePort: 80 + path: /* diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/kustomization.yaml new file mode 100644 index 0000000000..9faee6a899 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/kustomization.yaml 
@@ -0,0 +1,107 @@ +# TODO(https://github.com/kubeflow/manifests/issues/1052) clean +# up this kustomization. +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- backend-config.yaml +- cloud-endpoint.yaml +- cluster-role-binding.yaml +- cluster-role.yaml +- config-map.yaml +- deployment.yaml +- ingress.yaml +- policy.yaml +- service-account.yaml +- service.yaml +- stateful-set.yaml +namespace: kubeflow +commonLabels: + kustomize.component: iap-ingress +images: +- name: gcr.io/kubeflow-images-public/envoy + newName: gcr.io/kubeflow-images-public/envoy + newTag: v20180309-0fb4886b463698702b6a08955045731903a18738 +- name: gcr.io/kubeflow-images-public/ingress-setup + newName: gcr.io/kubeflow-images-public/ingress-setup + newTag: latest +- name: gcr.io/cloud-solutions-group/esp-sample-app + newName: gcr.io/cloud-solutions-group/esp-sample-app + newTag: 1.0.0 +configMapGenerator: +- name: parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: namespace + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +- name: appName + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.appName +- name: hostname + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.hostname +- name: ipName + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.ipName +- name: ingressName + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.ingressName +- name: oauthSecretName + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.oauthSecretName +- name: project + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.project +- name: adminSaSecretName + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: 
data.adminSaSecretName +- name: tlsSecretName + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.tlsSecretName +- name: istioNamespace + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.istioNamespace +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.env new file mode 100644 index 0000000000..7d37e59c60 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.env @@ -0,0 +1,10 @@ +namespace=kubeflow +appName=kubeflow +hostname= +ingressName=envoy-ingress +ipName= +oauthSecretName=kubeflow-oauth +project= +adminSaSecretName=admin-gcp-sa +tlsSecretName=envoy-ingress-tls +istioNamespace=istio-system \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.yaml new file mode 100644 index 0000000000..fc08407b8a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/params.yaml 
@@ -0,0 +1,45 @@ +varReference: +- path: metadata/name + kind: Certificate +- path: spec/origins/jwt/issuer + kind: Policy +- path: metadata/annotations/getambassador.io\/config + kind: Service +- path: spec/dnsNames + kind: Certificate +- path: spec/issuerRef/name + kind: Certificate +- path: metadata/annotations/kubernetes.io\/ingress.global-static-ip-name + kind: Ingress +- path: spec/commonName + kind: Certificate +- path: spec/secretName + kind: Certificate +- path: spec/acme/config/domains + kind: Certificate +- path: spec/acme/config/http01/ingress + kind: Certificate +- path: metadata/name + kind: Ingress +- path: spec/rules/host + kind: Ingress +- path: metadata/annotations/certmanager.k8s.io\/issuer + kind: Ingress +- path: spec/template/spec/volumes/secret/secretName + kind: Deployment +- path: spec/template/spec/volumes/secret/secretName + kind: StatefulSet +- path: metadata/name + kind: CloudEndpoint +- path: spec/project + kind: CloudEndpoint +- path: spec/targetIngress/name + kind: CloudEndpoint +- path: spec/targetIngress/namespace + kind: CloudEndpoint +- path: spec/iap/oauthclientCredentials/secretName + kind: BackendConfig +- path: data/healthcheck_route.yaml + kind: ConfigMap +- path: spec/domains + kind: ManagedCertificate diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/policy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/policy.yaml new file mode 100644 index 0000000000..c21cb4f00a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/policy.yaml 
@@ -0,0 +1,22 @@
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ name: ingress-jwt
+spec:
+ origins:
+ - jwt:
+ audiences:
+ - TO_BE_PATCHED
+ issuer: https://cloud.google.com/iap
+ jwksUri: https://www.gstatic.com/iap/verify/public_key-jwk
+ jwtHeaders:
+ - x-goog-iap-jwt-assertion
+ trigger_rules:
+ - excluded_paths:
+ - exact: /healthz/ready
+ - prefix: /.well-known/acme-challenge
+ principalBinding: USE_ORIGIN
+ targets:
+ - name: istio-ingressgateway
+ ports:
+ - number: 80
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service-account.yaml
new file mode 100644
index 0000000000..ce1417d64c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kf-admin
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service.yaml
new file mode 100644
index 0000000000..ced00d5422
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: whoami
+ name: whoami-app
+spec:
+ ports:
+ - port: 80
+ targetPort: 8081
+ selector:
+ app: whoami
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/stateful-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/stateful-set.yaml
new file mode 100644
index 0000000000..9e9a33e951
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/base/stateful-set.yaml
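Review bot: The `trigger_rules` entry in `policy.yaml` exempts every path starting with `/.well-known/acme-challenge` from IAP JWT validation, and because it is a `prefix` match with no trailing slash it also covers sibling paths that merely share that prefix. The `v3` kustomization in this commit pulls in `overlays/managed-cert/cert.yaml` rather than the cert-manager overlay, so the HTTP-01 exemption looks unused there. Dropping it, or tightening it to `prefix: /.well-known/acme-challenge/`, shrinks the unauthenticated surface of the gateway. A comment above `excluded_paths` stating why each path skips authentication would help, since the commit message says further exceptions (the Dialogflow webhook) are planned for this policy. A second comment noting that `TO_BE_PATCHED` is replaced at runtime by `setup_backend.sh` would save the next reader a search.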
@@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + service: backend-updater + name: backend-updater +spec: + serviceName: backend-updater + selector: + matchLabels: + service: backend-updater + template: + metadata: + labels: + service: backend-updater + spec: + containers: + - command: + - bash + - /var/envoy-config/update_backend.sh + env: + - name: NAMESPACE + value: $(istioNamespace) + - name: SERVICE + value: istio-ingressgateway + - name: INGRESS_NAME + value: $(ingressName) + - name: USE_ISTIO + value: "true" + image: gcr.io/kubeflow-images-public/ingress-setup:latest + name: backend-updater + volumeMounts: + - mountPath: /var/envoy-config/ + name: config-volume + serviceAccountName: kf-admin + volumes: + - configMap: + name: envoy-config + name: config-volume + volumeClaimTemplates: [] diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/application.yaml new file mode 100644 index 0000000000..750315e3e6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: iap-ingress +spec: + selector: + matchLabels: + app.kubernetes.io/name: iap-ingress + app.kubernetes.io/instance: iap-ingress-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: iap-ingress + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: iap-ingress + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - iap-ingress + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..1666d5f353 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: iap-ingress + app.kubernetes.io/name: iap-ingress +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/certificate.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/certificate.yaml new file mode 100644 index 0000000000..01923845ce --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/certificate.yaml @@ -0,0 +1,18 @@ +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: $(tlsSecretName) +spec: + acme: + config: + - domains: + - $(hostname) + http01: + ingress: $(ingressName) + commonName: $(hostname) + dnsNames: + - $(hostname) + issuerRef: + kind: ClusterIssuer + name: $(issuer) + secretName: $(tlsSecretName) diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/job.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/job.yaml new file mode 100644 index 0000000000..e79e71208c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/job.yaml 
@@ -0,0 +1,43 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-bootstrap +spec: + template: + spec: + containers: + - command: + - /var/ingress-config/ingress_bootstrap.sh + env: + - name: NAMESPACE + valueFrom: + configMapKeyRef: + name: parameters + key: istioNamespace + - name: TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: parameters + key: tlsSecretName + - name: TLS_HOST_NAME + valueFrom: + configMapKeyRef: + name: parameters + key: hostname + - name: INGRESS_NAME + valueFrom: + configMapKeyRef: + name: parameters + key: ingressName + image: gcr.io/kubeflow-images-public/ingress-setup:latest + name: bootstrap + volumeMounts: + - mountPath: /var/ingress-config/ + name: ingress-config + restartPolicy: OnFailure + serviceAccountName: kf-admin + volumes: + - configMap: + defaultMode: 493 + name: ingress-bootstrap-config + name: ingress-config diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/kustomization.yaml new file mode 100644 index 0000000000..4ada7f5e4d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/certmanager/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- job.yaml +- certificate.yaml +namespace: kubeflow +commonLabels: + kustomize.component: iap-ingress +images: +- name: gcr.io/kubeflow-images-public/ingress-setup + newName: gcr.io/kubeflow-images-public/ingress-setup + newTag: latest diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/deployment.yaml new file mode 100644 index 0000000000..b6277274ff --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/deployment.yaml @@ -0,0 +1,21 @@ +# Patch the env/volumes/volumeMounts for GCP credentials +apiVersion: apps/v1 +kind: Deployment +metadata: + name: iap-enabler +spec: + template: + spec: + containers: + - name: iap + env: + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /var/run/secrets/sa/admin-gcp-sa.json + volumeMounts: + - mountPath: /var/run/secrets/sa + name: sa-key + readOnly: true + volumes: + - name: sa-key + secret: + secretName: admin-gcp-sa diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/kustomization.yaml new file mode 100644 index 0000000000..a803251795 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- deployment.yaml +- stateful-set.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/stateful-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/stateful-set.yaml new file mode 100644 index 0000000000..0101bd9470 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/gcp-credentials/stateful-set.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: backend-updater +spec: + template: + spec: + containers: + - name: backend-updater + env: + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /var/run/secrets/sa/admin-gcp-sa.json + volumeMounts: + - mountPath: /var/run/secrets/sa + name: sa-key + readOnly: true + volumes: + - name: sa-key + secret: + secretName: admin-gcp-sa 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/cert.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/cert.yaml new file mode 100644 index 0000000000..18381b283d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/cert.yaml @@ -0,0 +1,7 @@ +apiVersion: networking.gke.io/v1beta1 +kind: ManagedCertificate +metadata: + name: gke-certificate +spec: + domains: + - $(hostname) diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/kustomization.yaml new file mode 100644 index 0000000000..15c93edc98 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/overlays/managed-cert/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- cert.yaml +namespace: kubeflow +commonLabels: + kustomize.component: iap-ingress diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/v3/kustomization.yaml new file mode 100644 index 0000000000..e35b75c762 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/iap-ingress/v3/kustomization.yaml 
@@ -0,0 +1,121 @@ +# This is the V3 version of the kustomization. +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../base/backend-config.yaml +- ../base/cloud-endpoint.yaml +- ../base/cluster-role-binding.yaml +- ../base/cluster-role.yaml +- ../base/config-map.yaml +- ../base/deployment.yaml +- ../base/ingress.yaml +- ../base/policy.yaml +- ../base/service-account.yaml +- ../base/service.yaml +- ../base/stateful-set.yaml +- ../overlays/managed-cert/cert.yaml +- ../overlays/application/application.yaml +namespace: istio-system +commonLabels: + kustomize.component: iap-ingress +images: +- name: gcr.io/kubeflow-images-public/envoy + newName: gcr.io/kubeflow-images-public/envoy + newTag: v20180309-0fb4886b463698702b6a08955045731903a18738 +- name: gcr.io/kubeflow-images-public/ingress-setup + newName: gcr.io/kubeflow-images-public/ingress-setup + newTag: latest +- name: gcr.io/cloud-solutions-group/esp-sample-app + newName: gcr.io/cloud-solutions-group/esp-sample-app + newTag: 1.0.0 +configMapGenerator: +- name: iap-ingress-config + literals: + - appName=kubeflow + - hostname= + - ingressName=envoy-ingress + - ipName= + - oauthSecretName=kubeflow-oauth + - project= + # TODO(jlewi): Do we need this now that we are using workload identity? + #- adminSaSecretName=admin-gcp-sa + - tlsSecretName=envoy-ingress-tls + # TODO(jlewi): Maybe we should use patches instead of vars for this? + - istioNamespace=istio-system +#generatorOptions: +# disableNameSuffixHash: true +vars: +# TODO(jlewi): Now that its a separate kustomize package do we need this because +# we will use kustomize to set the namespace? 
+#- name: namespace +# objref: +# kind: ConfigMap +# name: parameters +# apiVersion: v1 +# fieldref: +# fieldpath: data.namespace +- name: appName + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.appName +- name: hostname + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.hostname +- name: ipName + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.ipName +- name: ingressName + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.ingressName +- name: oauthSecretName + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.oauthSecretName +- name: project + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.project +#- name: adminSaSecretName +# objref: +# kind: ConfigMap +# name: iap-ingress-config +# apiVersion: v1 +# fieldref: +# fieldpath: data.adminSaSecretName +- name: tlsSecretName + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.tlsSecretName +- name: istioNamespace + objref: + kind: ConfigMap + name: iap-ingress-config + apiVersion: v1 + fieldref: + fieldpath: data.istioNamespace +configurations: +- ../base/params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/iap-jwt-key.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/iap-jwt-key.yaml new file mode 100644 index 0000000000..3dd0a0bc8c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/iap-jwt-key.yaml 
@@ -0,0 +1,97 @@ +apiVersion: v1 +data: + public_key-jwk: | + { + "keys" : [ + { + "alg" : "ES256", + "crv" : "P-256", + "kid" : "6BEeoA", + "kty" : "EC", + "use" : "sig", + "x" : "lmi1hJdqtbvdX1INOf5B9dWvkydYoowHUXiw8ELWzk8", + "y" : "2BxEja_L10KMjrizhLS2XgkGxZHi1KsWKdbEwKyjbvw" + }, + { + "alg" : "ES256", + "crv" : "P-256", + "kid" : "2nMJtw", + "kty" : "EC", + "use" : "sig", + "x" : "9e1x7YRZg53A5zIJ0p2ZQ9yTrgPLGIf4ntOk-4O2R28", + "y" : "q8iDm7nsnpz1xPdrWBtTZSowzciS3O7bMYtFFJ8saYo" + }, + { + "alg" : "ES256", + "crv" : "P-256", + "kid" : "LYyP2g", + "kty" : "EC", + "use" : "sig", + "x" : "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU", + "y" : "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI" + }, + { + "alg" : "ES256", + "crv" : "P-256", + "kid" : "mpf0DA", + "kty" : "EC", + "use" : "sig", + "x" : "fHEdeT3a6KaC1kbwov73ZwB_SiUHEyKQwUUtMCEn0aI", + "y" : "QWOjwPhInNuPlqjxLQyhveXpWqOFcQPhZ3t-koMNbZI" + }, + { + "alg" : "ES256", + "crv" : "P-256", + "kid" : "b9vTLA", + "kty" : "EC", + "use" : "sig", + "x" : "qCByTAvci-jRAD7uQSEhTdOs8iA714IbcY2L--YzynI", + "y" : "WQY0uCoQyPSozWKGQ0anmFeOH5JNXiZa9i6SNqOcm7w" + } + ] + } +kind: ConfigMap +metadata: + name: pubkey + namespace: istio-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pubkey + namespace: istio-system +spec: + replicas: 1 + selector: + matchLabels: + service: pubkey + template: + metadata: + labels: + service: pubkey + spec: + containers: + - command: + - /pub-key-server + image: gcr.io/kubeflow-images-public/jwtpubkey:v20200311-v0.7.0-rc.5-109-g641fb40b-dirty-eb1cdc + name: pubkey + volumeMounts: + - mountPath: /var/pubkey/ + name: config-volume + restartPolicy: Always + serviceAccountName: kf-admin + volumes: + - configMap: + name: pubkey + name: config-volume +--- +apiVersion: v1 +kind: Service +metadata: + name: pubkey + namespace: istio-system +spec: + ports: + - port: 8087 + selector: + service: pubkey 
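Review bot: The `pubkey` Deployment sets `serviceAccountName: kf-admin`, although from this manifest its only job is to serve the JWK set mounted from the `pubkey` ConfigMap on port 8087, which needs no Kubernetes or GCP API access. If `kf-admin` is mapped to an admin GCP service account through workload identity (not visible in this hunk), any flaw in the key server exposes those credentials. A dedicated service account plus `automountServiceAccountToken: false` on the pod spec would remove that exposure. The image tag ends in `-dirty-eb1cdc`, which suggests a build from an uncommitted tree that cannot be traced to a reviewed commit. The five ES256 keys are also a static copy, so presumably JWT validation breaks or trusts retired keys once the issuer rotates them; a comment recording the source URL and refresh procedure would help.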
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/kustomization.yaml
new file mode 100644
index 0000000000..e40721244d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/privateutil/base/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- iap-jwt-key.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/kustomization.yaml
new file mode 100644
index 0000000000..d109a259db
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/kustomization.yaml
@@ -0,0 +1,37 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- prometheus.yaml
+commonLabels:
+ kustomize.component: prometheus
+configMapGenerator:
+- name: prometheus-parameters
+ env: params.env
+images:
+- name: gcr.io/stackdriver-prometheus/stackdriver-prometheus
+ newName: gcr.io/stackdriver-prometheus/stackdriver-prometheus
+ newTag: release-0.4.2
+vars:
+- name: projectId
+ objref:
+ kind: ConfigMap
+ name: prometheus-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.projectId
+- name: clusterName
+ objref:
+ kind: ConfigMap
+ name: prometheus-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.clusterName
+- name: zone
+ objref:
+ kind: ConfigMap
+ name: prometheus-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.zone
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.env
new file mode 100644
index 0000000000..12bca6abc6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.env
@@ -0,0 +1,3 @@
+projectId=
+clusterName=
+zone=
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.yaml
new file mode 100644
index 0000000000..02a0eae895
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: data/prometheus.yml
+ kind: ConfigMap
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/prometheus.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/prometheus.yaml
new file mode 100644
index 0000000000..9e91e96032
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/base/prometheus.yaml
@@ -0,0 +1,273 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + ksonnet.io/component: prometheus + name: stackdriver +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + ksonnet.io/component: prometheus + name: prometheus +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - services + - endpoints + - pods + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + ksonnet.io/component: prometheus + name: prometheus-stackdriver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +subjects: +- kind: ServiceAccount + name: prometheus + namespace: stackdriver +--- +apiVersion: v1 +data: + prometheus.yml: | + # Source: https://github.com/stackdriver/prometheus/blob/master/documentation/examples/prometheus.yml + global: + external_labels: + _stackdriver_project_id: $(projectId) + _kubernetes_cluster_name: $(clusterName) + _kubernetes_location: $(zone) + + # Scrape config for nodes (kubelet). + # + # Rather than connecting directly to the node, the scrape is proxied though the + # Kubernetes apiserver. This means it will work if Prometheus is running out of + # cluster, or can't connect to nodes for some other reason (e.g. because of + # firewalling). + scrape_configs: + - job_name: 'kubernetes-nodes' + + # Default to scraping over https. If required, just disable this or change to + # http + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. 
Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + relabel_configs: + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Example scrape config for pods + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * "prometheus.io/scrape": Only scrape pods that have a value of "true" + # * "prometheus.io/path": If the metrics path is not "/metrics" override this. + # * "prometheus.io/port": Scrape the pod on the indicated port instead of the + # pod's declared ports (default is a port-free target if none are declared). + - job_name: 'kubernetes-pods-containers' + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + + # Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * "prometheus.io/scrape": Only scrape services that have a value of "true" + # * "prometheus.io/scheme": If the metrics endpoint is secured then you will need + # to set this to "https" & most likely set the "tls_config" of the scrape config. + # * "prometheus.io/path": If the metrics path is not "/metrics" override this. 
+ # * "prometheus.io/port": If the metrics are exposed on a different port to the + # service then set this appropriately. + - job_name: 'kubernetes-service-endpoints' + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + + + # Scrape config for k8s services + - job_name: 'kubernetes-services' + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + - source_labels: [__address__,__meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: (.+)(?::\d+);(\d+) + replacement: $1:$2 + + remote_write: + - url: "https://monitoring.googleapis.com:443/" + queue_config: + # Capacity should be 2*max_samples_per_send. + capacity: 2000 + max_samples_per_send: 1000 + max_shards: 10000 + write_relabel_configs: + # These labels are generally redundant with the Stackdriver monitored resource labels. 
+ - source_labels: [job] + target_label: job + replacement: "" + - source_labels: [instance] + target_label: instance + replacement: "" +kind: ConfigMap +metadata: + labels: + ksonnet.io/component: prometheus + name: prometheus + namespace: stackdriver +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + ksonnet.io/component: prometheus + name: prometheus + namespace: stackdriver +--- +apiVersion: v1 +kind: Service +metadata: + labels: + ksonnet.io/component: prometheus + name: prometheus + name: prometheus + namespace: stackdriver +spec: + ports: + - name: prometheus + port: 9090 + protocol: TCP + selector: + app: prometheus + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + ksonnet.io/component: prometheus + name: prometheus + namespace: stackdriver +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus + template: + metadata: + annotations: + prometheus.io/scrape: "true" + labels: + app: prometheus + name: prometheus + namespace: stackdriver + spec: + containers: + - image: gcr.io/stackdriver-prometheus/stackdriver-prometheus:release-0.4.2 + imagePullPolicy: Always + name: prometheus + ports: + - containerPort: 9090 + name: web + resources: + limits: + cpu: 400m + memory: 1000Mi + requests: + cpu: 20m + memory: 50Mi + volumeMounts: + - mountPath: /etc/prometheus + name: config-volume + serviceAccountName: prometheus + volumes: + - configMap: + name: prometheus + name: config-volume diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/application.yaml new file mode 100644 index 0000000000..8cf353029e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/application.yaml 
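Review bot: The `prometheus` ClusterRole grants `get` on `nodes/proxy` cluster-wide, which lets the `prometheus` service account reach any kubelet endpoint through the API server proxy, not only the `/api/v1/nodes/${1}/proxy/metrics` path that the `kubernetes-nodes` job scrapes. Either narrow the rule to `nodes/metrics` and scrape the kubelet directly, or keep the grant and record why with a comment such as `# nodes/proxy is required because the kubernetes-nodes job scrapes via the apiserver proxy`. The pod and container specs in the Deployment also set no `securityContext`, so the scraper that holds this token runs with the image's default user and capabilities. The file is under `upstream/`, so a local patch is probably the right place for both changes.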
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: prometheus
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/instance: prometheus-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ type: prometheus
+ version: v1beta1
+ description: ""
+ maintainers: []
+ owners: []
+ keywords:
+ - prometheus
+ - kubeflow
+ links:
+ - description: About
+ url: ""
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..674ade30cc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/prometheus/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/name: prometheus
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/README.md
new file mode 100644
index 0000000000..daf71f87c8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/README.md
@@ -0,0 +1,88 @@ +# Alpha: Kubeflow on KCC Installation Guide + +This instruction explains how to set up Kubeflow on top of Config Connector (KCC) and Anthos Service Mesh (ASM). +Compared with the currently documented GCP deployment, this architecture uses KCC instead of Deployment Manager, and service mesh in the form of ASM instead of open source Istio. + +Assume using IAP to protect the kubeflow UI endpoint. + +### Benefits of using KCC + +[KCC](https://cloud.google.com/config-connector) is a Google Kubernetes Engine (GKE) addon that allows you to manage your Google Cloud resources through Kubernetes configuration. +With KCC users can manage their Google Cloud infrastructure the same way as manage Kubernetes applications (Infrastructure as code). + + +### Benefits of using ASM + +[ASM](https://cloud.google.com/service-mesh/docs/overview) is a GCP distribution of Istio with more Observability features & Security features. + +## Installation Steps + + +#### Step 0: Setup KCC +If you don't have a running KCC controller yet, follow [KCC instructions](https://cloud.google.com/config-connector/docs/how-to/install-upgrade-uninstall) to create a KCC controller for your organization. +We recommend “Namespaced mode” for KCC controller setup. + +From now on assume your KCC controller was hosted in project `kcc-host-project-id`. +Each Project managed by KCC will have a namespace in the KCC cluster named after project id. For example Project “kubeflow-project-id” will linked to a namespace named “kubeflow-project-id” in KCC cluster. 
+Kfctl | anthoscli | ACP + +#### Step 1: Create GCP resources through KCC +* Install kpt + + ``` + gcloud components install kpt alpha + gcloud components update + ``` + +* Set project-id / zone / cluster name + + Checkout latest kubeflow/manifests repo; cd manifests/gcp + + Choose a cluster name `export CLUSTER_NAME=choose-name` + + ``` + kpt cfg set v2 gcloud.core.project $(gcloud config get-value project) + kpt cfg set v2 cluster-name $(CLUSTER_NAME) + kpt cfg set v2 gcloud.compute.zone $(gcloud config get-value compute/zone) + ``` + +* Connect kubectl to KCC cluster + + `gcloud container clusters get-credentials --zone <> --project ` + +* Apply CNRM resources + + `kustomize build v2/cnrm | kubectl apply -n -f -` + + +#### Step 2: Install ASM +Install ASM on the newly created kubeflow cluster `CLUSTER_NAME` + +* Connect kubectl to the new kubeflow cluster `CLUSTER_NAME` + + `gcloud container clusters get-credentials $(CLUSTER_NAME) --zone <> --project ` + +* [Set credentials and permissions](https://cloud.google.com/service-mesh/docs/gke-install-existing-cluster#set_credentials_and_permissions) + +* [Download istioctl released by GCP](https://cloud.google.com/service-mesh/docs/gke-install-existing-cluster#download_the_installation_file) + +* Run Istioctl (download in previous step) + + `istioctl manifest apply -f v2/asm/istio-operator.yaml` + + +#### Step 3: Deploy Kubeflow components + +* [Setup Environment Variables for IAP](https://www.kubeflow.org/docs/gke/deploy/oauth-setup/) + + ``` + export CLIENT_ID= + export CLIENT_SECRET= + ``` + +* Install Kubeflow on the newly created cluster + + ``` + mkdir $(CLUSTER_NAME) && cd $(CLUSTER_NAME) + kfctl apply -V -f https://raw.githubusercontent.com/kubeflow/manifests/master/kfdef/kfctl_gcp_asm_exp.yaml + ``` \ No newline at end of file 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/asm/istio-operator.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/asm/istio-operator.yaml new file mode 100644 index 0000000000..5d1e4416eb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/asm/istio-operator.yaml 
@@ -0,0 +1,39 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: install.istio.io/v1alpha2 +kind: IstioControlPlane +metadata: + clusterName: "issue-label-bot-dev/us-central1/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1"}]}} +spec: + profile: asm + hub: gcr.io/gke-release/asm + tag: 1.4.7-asm.0 + values: + gateways: + istio-ingressgateway: + type: NodePort + global: + #meshID: "jlewi-dev_us-central1_kf-bp-0420-002" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"name","value":"kf-bp-0420-002"},{"name":"location","value":"us-central1"}]}} + meshID: "jlewi-dev_us-central1_kf-bp-0420-002" # + trustDomain: "issue-label-bot-dev.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + sds: + token: + aud: "issue-label-bot-dev.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + proxy: + env: + GCP_METADATA: "issue-label-bot-dev|976279526634|code-intelligence|us-central1" # 
{"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"gcloud.project.projectNumber","value":"976279526634"},{"name":"name","value":"code-intelligence"},{"name":"gcloud.compute.zone","value":"us-central1-c"}]}} + nodeagent: + env: + GKE_CLUSTER_URL: "https://container.googleapis.com/v1/projects/issue-label-bot-dev/locations/us-central1/clusters/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1"}]}} diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/cluster.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/cluster.yaml new file mode 100644 index 0000000000..664925c63f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/cluster.yaml 
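Review bot: `values.global.meshID` is hard-coded to `jlewi-dev_us-central1_kf-bp-0420-002` with its kpt setter comment stripped, while every other value in this file targets project `issue-label-bot-dev` and cluster.yaml labels the cluster `mesh_id: "issue-label-bot-dev_us-central1-f_code-intelligence"`. A mesh ID naming another project's mesh means this cluster's telemetry and mesh identity are presumably attributed to the wrong mesh. Suggest `meshID: "issue-label-bot-dev_us-central1-f_code-intelligence"` with the setter comment restored so kpt keeps it in step. The location segment is also inconsistent: `clusterName`, `GCP_METADATA` and `GKE_CLUSTER_URL` use `us-central1`, whereas cluster.yaml creates the cluster in `us-central1-f`. Confirm which location is right, because a wrong `GKE_CLUSTER_URL` points the node agent at a cluster path that may not exist.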
@@ -0,0 +1,39 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# TODO(kunming): kustomize this config to include all the options we currently offer through DM + +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerCluster +metadata: + clusterName: "issue-label-bot-dev/us-central1-f/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"gcloud.compute.zone","value":"us-central1-f"}]}} + labels: + mesh_id: "issue-label-bot-dev_us-central1-f_code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"gcloud.compute.zone","value":"us-central1-f"}]}} + name: code-intelligence # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"code-intelligence"}}} +spec: + initialNodeCount: 2 + minMasterVersion: "1.14.10-gke.36" + location: us-central1-f # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.compute.zone","value":"us-central1-f"}}} + workloadIdentityConfig: + identityNamespace: issue-label-bot-dev.svc.id.goog # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + loggingService: logging.googleapis.com/kubernetes + monitoringService: 
monitoring.googleapis.com/kubernetes + nodeConfig: + machineType: n1-standard-8 + metadata: + disable-legacy-endpoints: "true" + serviceAccountRef: + name: code-intelligence-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"code-intelligence"}]}} + workloadMetadataConfig: + nodeMetadata: GKE_METADATA_SERVER diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-policy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-policy.yaml new file mode 100644 index 0000000000..b9e71c6224 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-policy.yaml 
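Review bot: The ContainerCluster spec enables workload identity, the GKE metadata server and `disable-legacy-endpoints`, but sets nothing that restricts the control-plane endpoint or pod-to-pod traffic: there is no `masterAuthorizedNetworksConfig`, `privateClusterConfig` or `networkPolicy` block. Unless those are set by an overlay outside this hunk, the API server is presumably reachable from any address and every pod can talk to every other, which matters for a cluster that the commit message says will expose a webhook through the ISTIO ingress. The existing `# TODO(kunming)` line could name these explicitly, e.g. `# TODO: add masterAuthorizedNetworksConfig, privateClusterConfig and networkPolicy before exposing the ingress`. `minMasterVersion: "1.14.10-gke.36"` is also only a floor, so the comment could record which release channel or upgrade policy keeps the control plane patched.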
@@ -0,0 +1,71 @@ +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: code-intelligence-vm-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}} +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + role: roles/logging.logWriter + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +--- +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: code-intelligence-vm-policy-monitoring # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}} +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + role: roles/monitoring.metricWriter + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +--- +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: code-intelligence-vm-policy-meshtelemetry # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}} +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + role: roles/meshtelemetry.reporter + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +--- +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: code-intelligence-vm-policy-cloudtrace # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}} +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + role: roles/cloudtrace.agent + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +--- +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: code-intelligence-vm-policy-monitoring-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}} +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + role: roles/monitoring.viewer + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + external: projects/issue-label-bot-dev # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} +--- +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: code-intelligence-vm-policy-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}} +spec: + member: serviceAccount:code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} + role: roles/storage.objectViewer + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}} diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-sa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-sa.yaml new file mode 100644 index 0000000000..4e7b23faaf --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kf-vm-sa.yaml 
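Review bot: The last IAMPolicyMember, `code-intelligence-vm-policy-storage`, binds `roles/storage.objectViewer` to the node service account on `projects/issue-label-bot-dev`, which grants read access to every object in every bucket of the project. If the role is only there so nodes can pull images from gcr.io (an assumption; the hunk does not say), point the `resourceRef` at the registry's backing bucket with `kind: StorageBucket` instead of `kind: Project`. The other five bindings are write-only telemetry roles or `monitoring.viewer` and look proportionate. A one-line comment above each binding stating why the node account needs it, e.g. `# image pulls from gcr.io`, would make later least-privilege reviews much faster.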
@@ -0,0 +1,21 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: code-intelligence-vm # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+spec:
+ displayName: kubeflow vm service account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kustomization.yaml
new file mode 100644
index 0000000000..656866a4bc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster.yaml
+- kf-vm-policy.yaml
+- kf-vm-sa.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/nodepool.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/nodepool.yaml
new file mode 100644
index 0000000000..d3375992ca
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/cluster/nodepool.yaml
@@ -0,0 +1,36 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+ clusterName: "issue-label-bot-dev/us-central1-f/code-intelligence" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"gcloud.compute.zone","value":"us-central1-f"}]}}
+ name: code-intelligence-cpu-pool-v1 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+spec:
+ initialNodeCount: 2
+ autoscaling:
+ minNodeCount: 2
+ maxNodeCount: 8 # {"type":"integer","x-kustomize":{"setter":{"name":"max-nodes","value":"8"}}}
+ nodeConfig:
+ machineType: n1-standard-8
+ minCpuPlatform: 'Intel Broadwell'
+ metadata:
+ disable-legacy-endpoints: "true"
+ serviceAccountRef:
+ name: code-intelligence-vm@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ workloadMetadataConfig:
+ nodeMetadata: GKE_METADATA_SERVER
+ clusterRef:
+ name: code-intelligence # 
{"type":"string","x-kustomize":{"setter":{"name":"name","value":"code-intelligence"}}}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-policy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-policy.yaml
new file mode 100644
index 0000000000..81d4d50697
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-policy.yaml
@@ -0,0 +1,167 @@
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/source.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-servicemanagement # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/servicemanagement.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-network # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/compute.networkAdmin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/cloudbuild.builds.editor
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/viewer
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/storage.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/bigquery.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: 
serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/dataflow.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/ml.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/dataproc.editor
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: 
projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/cloudsql.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/logging.logWriter
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-metricwriter # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/monitoring.metricWriter
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-admin-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-admin@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/monitoring.viewer
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-sa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-sa.yaml
new file mode 100644
index 0000000000..35b3d317f6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-admin-sa.yaml
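Review bot: Every binding in kf-admin-policy.yaml attaches its role at `kind: Project`, so the `code-intelligence-admin` service account ends up with `roles/storage.admin`, `roles/bigquery.admin`, `roles/cloudsql.admin`, `roles/compute.networkAdmin` and the basic role `roles/viewer` across the whole of `issue-label-bot-dev`. The same pattern repeats in kf-user-policy.yaml, where the `code-intelligence-user` account (presumably the identity user workloads run as) receives `roles/source.admin`, `roles/storage.admin`, `roles/bigquery.admin` and `roles/cloudsql.admin` project-wide. I would drop the bindings this deployment does not use and scope the rest to the resource, e.g. a `resourceRef` of `kind: StorageBucket` for the storage binding, and replace `roles/viewer` with the specific read roles needed. If the set is kept as copied from the blueprint, a header comment such as `# Project-wide roles inherited from the upstream blueprint; review before reuse outside a dev project` would record that.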
@@ -0,0 +1,21 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: code-intelligence-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+spec:
+ displayName: kubeflow admin service account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-policy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-policy.yaml
new file mode 100644
index 0000000000..362a05c158
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-policy.yaml
@@ -0,0 +1,143 @@
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/cloudbuild.builds.editor
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/viewer
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/source.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/storage.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/bigquery.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # 
{"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/dataflow.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/ml.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: 
serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/dataproc.editor
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/cloudsql.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/logging.logWriter
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: 
projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/monitoring.metricWriter
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: code-intelligence-user-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ member: serviceAccount:code-intelligence-user@issue-label-bot-dev.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"},{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
+ role: roles/monitoring.viewer
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/issue-label-bot-dev # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"}]}}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-sa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-sa.yaml
new file mode 100644
index 0000000000..e450a689d9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kf-user-sa.yaml
@@ -0,0 +1,21 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: code-intelligence-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+spec:
+ displayName: kubeflow user service account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kustomization.yaml
new file mode 100644
index 0000000000..2341a5fded
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/iam/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kf-admin-policy.yaml
+- kf-admin-sa.yaml
+- kf-user-policy.yaml
+- kf-user-sa.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/compute-address.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/compute-address.yaml
new file mode 100644
index 0000000000..83a2947568
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/compute-address.yaml
@@ -0,0 +1,11 @@
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeAddress
+metadata:
+ name: code-intelligence-ip # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+ labels:
+ label-one: "value-one"
+spec:
+ addressType: EXTERNAL
+ description: Static IP for Kubeflow ingress.
+ location: global
+ ipVersion: IPV4
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/kustomization.yaml
new file mode 100644
index 0000000000..5a26993b8d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/ingress/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- compute-address.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/kustomization.yaml
new file mode 100644
index 0000000000..c88ae95033
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/kustomization.yaml
@@ -0,0 +1,8 @@
+# This kustomize package defines CNRM resources to create the GCP resources needed
+# to deploy Kubeflow.
+namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+resources:
+- cluster
+- ingress
+- iam
+- pipelines
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/disk.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/disk.yaml
new file mode 100644
index 0000000000..19527840e1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/disk.yaml
@@ -0,0 +1,15 @@
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeDisk
+metadata:
+ name: code-intelligence-storage-metadata-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ location: us-central1-f # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.compute.zone","value":"us-central1-f"}}}
+ size: 20
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeDisk
+metadata:
+ name: code-intelligence-storage-artifact-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"code-intelligence"}]}}
+spec:
+ location: us-central1-f # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.compute.zone","value":"us-central1-f"}}}
+ size: 200
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/kustomization.yaml
new file mode 100644
index 0000000000..dd4220b86a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/cnrm/pipelines/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- disk.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/README.md
new file mode 100644
index 0000000000..d169ee384d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/README.md
@@ -0,0 +1,2 @@
+Configuration for the cluster; a basic GKE cluster with workload
+identity.
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/cluster.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/cluster.yaml
new file mode 100644
index 0000000000..8287243d6d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/cluster.yaml
@@ -0,0 +1,26 @@
+# TODO(jlewi): Do we still need IdentityNamespace? Isn't it automatically set for each project
+apiVersion: identity.cnrm.cloud.google.com/v1alpha2
+kind: IdentityNamespace
+metadata:
+ name: default
+spec: {}
+---
+# TODO(jlewi): Use a regional cluster? There should no longer be any cost savings to using zonal
+#
+# User specific values should be defined in a patch inside the blueprint package.
+# Exception is the name since that needs to be changed in teh base package as well.
+apiVersion: container.cnrm.cloud.google.com/v1alpha2
+kind: ContainerCluster
+metadata:
+ name: code-intelligence # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"code-intelligence"}}}
+spec:
+ # Use a regional cluster. Regional offer higher availability and the cluster management fee is the same.
+ location: us-central1-f
+ workloadIdentity:
+ identityNamespace: default
+ ipAllocationPolicy:
+ useIpAliases: true
+ releaseChannel:
+ channel: stable
+ clusterTelemetry:
+ type: enabled
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/enable-services.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/enable-services.yaml
new file mode 100644
index 0000000000..edbc96126f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/enable-services.yaml
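Review bot: In management/cluster/cluster.yaml the comment `# Use a regional cluster. ...` sits directly above `location: us-central1-f`, which is a zone, while the TODO higher up still asks whether to go regional; one of the two should change, e.g. `# Zonal for now; see TODO above about moving to a regional cluster`. The spec also sets no `masterAuthorizedNetworksConfig` or `privateClusterConfig`, so unless a patch outside this hunk adds them the control-plane endpoint of this management cluster is presumably reachable from any address; worth confirming that is intended. `teh` in the header comment should read `the`.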
@@ -0,0 +1,8 @@
+# GKE
+apiVersion: cnrm.cloud.google.com/v1alpha1
+kind: CloudService
+metadata:
+ name: gke
+ namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+spec:
+ service: container.googleapis.com
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/kustomization.yaml
new file mode 100644
index 0000000000..a19ece4eaf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/kustomization.yaml
@@ -0,0 +1,4 @@
+bases:
+- enable-services.yaml
+- cluster.yaml
+- nodepool.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/nodepool.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/nodepool.yaml
new file mode 100644
index 0000000000..20197948c9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cluster/nodepool.yaml
@@ -0,0 +1,28 @@
+apiVersion: container.cnrm.cloud.google.com/v1alpha2
+kind: ContainerNodePool
+metadata:
+ clusterName: "issue-label-bot-dev/us-central1-f/code-intelligence" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"issue-label-bot-dev"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1-f"}]}}
+ name: code-intelligence-pool # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"code-intelligence"},{"name":"location","value":"us-central1-f"}]}}
+spec:
+ autoscaling:
+ minNodeCount: 1
+ maxNodeCount: 3
+ nodeConfig:
+ diskSizeGb: 100
+ diskType: pd-standard
+ machineType: n1-standard-4
+ preemptible: false
+ oauthScopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring
+ - https://www.googleapis.com/auth/servicecontrol
+ - https://www.googleapis.com/auth/service.management.readonly
+ - https://www.googleapis.com/auth/trace.append
+ metadata:
+ disable-legacy-endpoints: "true"
+ management:
+ autoRepair: true
+ autoUpgrade: true
+ clusterRef:
+ name: code-intelligence # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"code-intelligence"}}}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/README.md
new file mode 100644
index 0000000000..d73d65b15a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/README.md
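Review bot: `nodeConfig` in nodepool.yaml never sets `workloadMetadataConfig`, although cluster.yaml enables `workloadIdentity` and the README describes this as a workload-identity cluster. Without the GKE metadata server on the pool, pods may still be able to read the node's own credentials from the instance metadata endpoint; and since no `serviceAccount` is set, the nodes presumably run as the project's default compute service account, limited only by the listed `oauthScopes`. I would add `workloadMetadataConfig:` with `nodeMetadata: GKE_METADATA_SERVER` under `nodeConfig`, after confirming the field name against the Config Connector version installed here. The setter comment on `name` also carries `"value":"project-id"` for `gcloud.core.project`, while the `clusterName` line above uses `issue-label-bot-dev`; the two should agree.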
@@ -0,0 +1,12 @@
+# Configuration for installing KCC in the management cluster.
+
+Configs are a copy of the CNRM install (see [docs](https://cloud.google.com/config-connector/docs/how-to/install-upgrade-uninstall#namespaced-mode))
+
+To update:
+
+1. Download the the latest GCS install bundle listed on (https://cloud.google.com/config-connector/docs/how-to/install-upgrade-uninstall#namespaced-mode)
+
+1. Copy the system components for the namespaced install bundle to `install-system`
+1. Copy the per namespace components to the template stored in the blueprint repo.
+
+ * You will need to add kpt setters to the per namespace components.
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/enable-services.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/enable-services.yaml
new file mode 100644
index 0000000000..d4a0216dbd
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/enable-services.yaml
@@ -0,0 +1,8 @@
+# cloudresourcemanager, used for creating projects
+apiVersion: cnrm.cloud.google.com/v1alpha1
+kind: CloudService
+metadata:
+ name: cloudresourcemanager.googleapis.com
+ namespace: "issue-label-bot-dev" # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.core.project","value":"issue-label-bot-dev"}}}
+spec:
+ service: cloudresourcemanager.googleapis.com
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/iam.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/iam.yaml
new file mode 100644
index 0000000000..10c8286b50
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/iam.yaml
@@ -0,0 +1,36 @@
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMServiceAccount
+metadata:
+ name: cnrm-controller-manager
+spec:
+ displayName: Service Account for CNRM
+ projectRoles:
+ - roles/source.reader
+---
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicy
+metadata:
+ name: cnrm-controller-manager
+spec:
+ resourceRef:
+ apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+ kind: IAMServiceAccount
+ name: cnrm-controller-manager
+ bindings:
+ - role: roles/iam.workloadIdentityUser
+ members:
+ - serviceAccount:root-270714.svc.id.goog[cnrm-system/cnrm-controller-manager]
+---
+# TODO: Implement this in anthos-cli ?
+# For now: gcloud organizations add-iam-policy-binding 190265346736 --member=serviceAccount:cnrm-controller-manager@root-270714.iam.gserviceaccount.com --role=roles/resourcemanager.projectCreator
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: cnrm-controller-manager:project
+spec:
+ member: serviceAccount:cnrm-controller-manager@root-270714.iam.gserviceaccount.com
+ role: roles/resourcemanager.projectCreator
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Organization
+ external: organizations/190265346736
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/0-cnrm-system.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/0-cnrm-system.yaml
new file mode 100644
index 0000000000..83c80458d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/0-cnrm-system.yaml
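Review bot: Every principal in iam.yaml is hard-coded to `root-270714` and `organizations/190265346736` with no kpt setter, while the other files in this package are parameterised on `issue-label-bot-dev`. As written, the IAMPolicy gives `roles/iam.workloadIdentityUser` on the service account to the workload identity pool of a different project, and the IAMPolicyMember grants `roles/resourcemanager.projectCreator` at organization scope to a service account in that same other project. Whether any kustomization applies this file is not visible in the hunk, but if it is applied the bindings would either fail or delegate to a project other than the one this package configures. I would put a `gcloud.core.project` setter on the `members` and `member` lines as enable-services.yaml does, so the binding reads `- serviceAccount:issue-label-bot-dev.svc.id.goog[cnrm-system/cnrm-controller-manager]`. The organization-level projectCreator grant should go unless this cluster really has to create projects.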
@@ -0,0 +1,581 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-deletiondefender + namespace: cnrm-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-resource-stats-recorder + namespace: cnrm-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-webhook-manager + namespace: cnrm-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-admin +rules: +- apiGroups: + - accesscontextmanager.cnrm.cloud.google.com + - bigquery.cnrm.cloud.google.com + - bigtable.cnrm.cloud.google.com + - cloudbuild.cnrm.cloud.google.com + - compute.cnrm.cloud.google.com + - container.cnrm.cloud.google.com + - dataflow.cnrm.cloud.google.com + - dns.cnrm.cloud.google.com + - firestore.cnrm.cloud.google.com + - iam.cnrm.cloud.google.com + - kms.cnrm.cloud.google.com + - pubsub.cnrm.cloud.google.com + - redis.cnrm.cloud.google.com + - resourcemanager.cnrm.cloud.google.com + - servicenetworking.cnrm.cloud.google.com + - serviceusage.cnrm.cloud.google.com + - sourcerepo.cnrm.cloud.google.com + - spanner.cnrm.cloud.google.com + - sql.cnrm.cloud.google.com + - storage.cnrm.cloud.google.com + resources: + - '*' + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: 
+ cnrm.cloud.google.com/system: "true" + name: cnrm-deletiondefender-role +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-manager-cluster-role +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - core.cnrm.cloud.google.com + resources: + - servicemappings + verbs: + - get + - list + - watch +- apiGroups: + - core.cnrm.cloud.google.com + resources: + - '*' + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-manager-ns-role +rules: +- apiGroups: + - "" + resources: + - events + - configmaps + - secrets + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: 
"true" + name: cnrm-recorder-role +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-webhook-role +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - core.cnrm.cloud.google.com + resources: + - servicemappings + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-admin-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cnrm-admin +subjects: +- kind: ServiceAccount + name: cnrm-resource-stats-recorder + namespace: cnrm-system +- kind: ServiceAccount + name: cnrm-deletiondefender + namespace: cnrm-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-deletiondefender-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
cnrm-deletiondefender-role +subjects: +- kind: ServiceAccount + name: cnrm-deletiondefender + namespace: cnrm-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-recorder-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cnrm-recorder-role +subjects: +- kind: ServiceAccount + name: cnrm-resource-stats-recorder + namespace: cnrm-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-webhook-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cnrm-webhook-role +subjects: +- kind: ServiceAccount + name: cnrm-webhook-manager + namespace: cnrm-system +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/system: "true" + name: cnrm-deletiondefender + namespace: cnrm-system +spec: + ports: + - name: deletiondefender + port: 443 + selector: + cnrm.cloud.google.com/component: cnrm-deletiondefender + cnrm.cloud.google.com/system: "true" +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + prometheus.io/port: "8888" + prometheus.io/scrape: "true" + labels: + cnrm.cloud.google.com/monitored: "true" + cnrm.cloud.google.com/system: "true" + name: cnrm-resource-stats-recorder-service + namespace: cnrm-system +spec: + ports: + - name: metrics + port: 8888 + selector: + cnrm.cloud.google.com/component: cnrm-resource-stats-recorder + cnrm.cloud.google.com/system: "true" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/component: cnrm-resource-stats-recorder + cnrm.cloud.google.com/system: "true" 
+ name: cnrm-resource-stats-recorder + namespace: cnrm-system +spec: + replicas: 1 + selector: + matchLabels: + cnrm.cloud.google.com/component: cnrm-resource-stats-recorder + cnrm.cloud.google.com/system: "true" + template: + metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/component: cnrm-resource-stats-recorder + cnrm.cloud.google.com/system: "true" + spec: + containers: + - args: + - --prometheus-scrape-endpoint=:8888 + - --metric-interval=60 + command: + - /configconnector/recorder + env: + - name: CONFIG_CONNECTOR_VERSION + value: 1.7.1 + image: gcr.io/cnrm-eap/recorder:f190973 + imagePullPolicy: Always + name: recorder + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 3 + periodSeconds: 3 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + securityContext: + privileged: false + runAsNonRoot: true + runAsUser: 1000 + serviceAccountName: cnrm-resource-stats-recorder + terminationGracePeriodSeconds: 10 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/component: cnrm-webhook-manager + cnrm.cloud.google.com/system: "true" + name: cnrm-webhook-manager + namespace: cnrm-system +spec: + replicas: 1 + selector: + matchLabels: + cnrm.cloud.google.com/component: cnrm-webhook-manager + cnrm.cloud.google.com/system: "true" + template: + metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/component: cnrm-webhook-manager + cnrm.cloud.google.com/system: "true" + spec: + containers: + - args: + - --stderrthreshold=INFO + command: + - /configconnector/webhook + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/cnrm-eap/webhook:f190973 + imagePullPolicy: Always + name: webhook + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 3 + 
periodSeconds: 3 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + privileged: false + runAsNonRoot: true + runAsUser: 1000 + serviceAccountName: cnrm-webhook-manager + terminationGracePeriodSeconds: 10 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/component: cnrm-deletiondefender + cnrm.cloud.google.com/system: "true" + name: cnrm-deletiondefender + namespace: cnrm-system +spec: + selector: + matchLabels: + cnrm.cloud.google.com/component: cnrm-deletiondefender + cnrm.cloud.google.com/system: "true" + serviceName: cnrm-deletiondefender + template: + metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + labels: + cnrm.cloud.google.com/component: cnrm-deletiondefender + cnrm.cloud.google.com/system: "true" + spec: + containers: + - args: + - --stderrthreshold=INFO + command: + - /configconnector/deletiondefender + image: gcr.io/cnrm-eap/deletiondefender:f190973 + imagePullPolicy: Always + name: deletiondefender + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 3 + periodSeconds: 3 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + privileged: false + runAsNonRoot: true + runAsUser: 1000 + serviceAccountName: cnrm-deletiondefender + terminationGracePeriodSeconds: 10 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/crds.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/crds.yaml new file mode 100644 index 0000000000..f76dda4219 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/crds.yaml 
@@ -0,0 +1,17665 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: accesscontextmanageraccesslevels.accesscontextmanager.cnrm.cloud.google.com +spec: + group: accesscontextmanager.cnrm.cloud.google.com + names: + categories: + - gcp + kind: AccessContextManagerAccessLevel + plural: accesscontextmanageraccesslevels + shortNames: + - gcpaccesscontextmanageraccesslevel + - gcpaccesscontextmanageraccesslevels + singular: accesscontextmanageraccesslevel + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + accessPolicyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + basic: + description: A set of predefined conditions for the access level and + a combining function. + properties: + combiningFunction: + description: |- + How the conditions list should be combined to determine if a request + is granted this AccessLevel. If AND is used, each Condition in + conditions must be satisfied for the AccessLevel to be applied. If + OR is used, at least one Condition in conditions must be satisfied + for the AccessLevel to be applied. Defaults to AND if unspecified. + type: string + conditions: + description: A set of requirements for the AccessLevel to be granted. + items: + properties: + devicePolicy: + description: |- + Device specific restrictions, all restrictions must hold for + the Condition to be true. If not specified, all devices are + allowed. + properties: + allowedDeviceManagementLevels: + description: |- + A list of allowed device management levels. + An empty list allows all management levels. + items: + type: string + type: array + allowedEncryptionStatuses: + description: |- + A list of allowed encryptions statuses. + An empty list allows all statuses. + items: + type: string + type: array + osConstraints: + description: |- + A list of allowed OS versions. + An empty list allows all types and all versions. + items: + properties: + minimumVersion: + description: |- + The minimum allowed OS version. If not set, any version + of this OS satisfies the constraint. + Format: "major.minor.patch" such as "10.5.301", "9.2.1". + type: string + osType: + description: The operating system type of the device. + type: string + required: + - osType + type: object + type: array + requireAdminApproval: + description: Whether the device needs to be approved by + the customer admin. + type: boolean + requireCorpOwned: + description: Whether the device needs to be corp owned. 
+ type: boolean + requireScreenLock: + description: |- + Whether or not screenlock is required for the DevicePolicy + to be true. Defaults to false. + type: boolean + type: object + ipSubnetworks: + description: |- + A list of CIDR block IP subnetwork specification. May be IPv4 + or IPv6. + Note that for a CIDR IP address block, the specified IP address + portion must be properly truncated (i.e. all the host bits must + be zero) or the input is considered malformed. For example, + "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, + for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" + is not. The originating IP of a request must be in one of the + listed subnets in order for this Condition to be true. + If empty, all IP addresses are allowed. + items: + type: string + type: array + members: + items: + properties: + group: + type: string + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + user: + type: string + type: object + type: array + negate: + description: |- + Whether to negate the Condition. If true, the Condition becomes + a NAND over its non-empty fields, each field must be false for + the Condition overall to be satisfied. Defaults to false. + type: boolean + requiredAccessLevels: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + type: object + type: array + required: + - conditions + type: object + description: + description: Description of the AccessLevel and its use. Does not affect + behavior. + type: string + title: + description: Human readable title. Must be unique within the Policy. + type: string + required: + - accessPolicyRef + - title + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: accesscontextmanageraccesspolicies.accesscontextmanager.cnrm.cloud.google.com +spec: + group: accesscontextmanager.cnrm.cloud.google.com + names: + categories: + - gcp + kind: AccessContextManagerAccessPolicy + plural: accesscontextmanageraccesspolicies + shortNames: + - gcpaccesscontextmanageraccesspolicy + - gcpaccesscontextmanageraccesspolicies + singular: accesscontextmanageraccesspolicy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + title: + description: Human readable title. Does not affect behavior. + type: string + required: + - title + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. 
+ items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + createTime: + description: Time the AccessPolicy was created in UTC. + type: string + name: + description: 'Resource name of the AccessPolicy. Format: {policy_id}' + type: string + updateTime: + description: Time the AccessPolicy was updated in UTC. + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: bigquerydatasets.bigquery.cnrm.cloud.google.com +spec: + group: bigquery.cnrm.cloud.google.com + names: + categories: + - gcp + kind: BigQueryDataset + plural: bigquerydatasets + shortNames: + - gcpbigquerydataset + - gcpbigquerydatasets + singular: bigquerydataset + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + access: + description: An array of objects that define dataset access for one + or more entities. + items: + properties: + domain: + description: |- + A domain to grant access to. Any users signed in with the + domain specified will be granted the specified access + type: string + groupByEmail: + description: An email address of a Google Group to grant access + to. + type: string + role: + description: |- + Describes the rights granted to the user specified by the other + member of the access object. Primitive, Predefined and custom + roles are supported. Predefined roles that have equivalent + primitive roles are swapped by the API to their Primitive + counterparts, and will show a diff post-create. See + [official docs](https://cloud.google.com/bigquery/docs/access-control). + type: string + specialGroup: + description: |- + A special group to grant access to. Possible values include: + + + * 'projectOwners': Owners of the enclosing project. + + + * 'projectReaders': Readers of the enclosing project. + + + * 'projectWriters': Writers of the enclosing project. + + + * 'allAuthenticatedUsers': All authenticated BigQuery users. + type: string + userByEmail: + description: |- + An email address of a user to grant access to. For example: + fred@example.com + type: string + view: + description: |- + A view from a different dataset to grant access to. Queries + executed against that view will have read access to tables in + this dataset. The role field is not required when this field is + set. 
If that view is updated by any user, access to the view + needs to be granted again via an update operation. + properties: + datasetId: + description: The ID of the dataset containing this table. + type: string + projectId: + description: The ID of the project containing this table. + type: string + tableId: + description: |- + The ID of the table. The ID must contain only letters (a-z, + A-Z), numbers (0-9), or underscores (_). The maximum length + is 1,024 characters. + type: string + required: + - datasetId + - projectId + - tableId + type: object + type: object + type: array + defaultEncryptionConfiguration: + description: |- + The default encryption key for all tables in the dataset. Once this property is set, + all newly-created partitioned tables in the dataset will have encryption key set to + this value, unless table creation request (or query) overrides the key. + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - kmsKeyRef + type: object + defaultPartitionExpirationMs: + description: |- + The default partition expiration for all partitioned tables in + the dataset, in milliseconds. + + + Once this property is set, all newly-created partitioned tables in + the dataset will have an 'expirationMs' property in the 'timePartitioning' + settings set to this value, and changing the value will only + affect new tables, not existing ones. The storage in a partition will + have an expiration time of its partition time plus this value. 
+ Setting this property overrides the use of 'defaultTableExpirationMs' + for partitioned tables: only one of 'defaultTableExpirationMs' and + 'defaultPartitionExpirationMs' will be used for any new partitioned + table. If you provide an explicit 'timePartitioning.expirationMs' when + creating or updating a partitioned table, that value takes precedence + over the default partition expiration time indicated by this property. + type: integer + defaultTableExpirationMs: + description: |- + The default lifetime of all tables in the dataset, in milliseconds. + The minimum value is 3600000 milliseconds (one hour). + + + Once this property is set, all newly-created tables in the dataset + will have an 'expirationTime' property set to the creation time plus + the value in this property, and changing the value will only affect + new tables, not existing ones. When the 'expirationTime' for a given + table is reached, that table will be deleted automatically. + If a table's 'expirationTime' is modified or removed before the + table expires, or if you provide an explicit 'expirationTime' when + creating a table, that value takes precedence over the default + expiration time indicated by this property. + type: integer + description: + description: A user-friendly description of the dataset + type: string + friendlyName: + description: A descriptive name for the dataset + type: string + location: + description: |- + The geographic location where the dataset should reside. + See [official docs](https://cloud.google.com/bigquery/docs/dataset-locations). + + + There are two types of locations, regional or multi-regional. A regional + location is a specific geographic place, such as Tokyo, and a multi-regional + location is a large geographic area, such as the United States, that + contains at least two geographic places. 
+ + + Possible regional values include: 'asia-east1', 'asia-northeast1', + 'asia-southeast1', 'australia-southeast1', 'europe-north1', + 'europe-west2' and 'us-east4'. + + + Possible multi-regional values: 'EU' and 'US'. + + + The default value is multi-regional location 'US'. + Changing this forces a new resource to be created. + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTime: + description: |- + The time when this dataset was created, in milliseconds since the + epoch. + type: integer + etag: + description: A hash of the resource. + type: string + lastModifiedTime: + description: |- + The date when this dataset or any of its tables was last modified, in + milliseconds since the epoch. 
+ type: integer + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: bigquerytables.bigquery.cnrm.cloud.google.com +spec: + group: bigquery.cnrm.cloud.google.com + names: + categories: + - gcp + kind: BigQueryTable + plural: bigquerytables + shortNames: + - gcpbigquerytable + - gcpbigquerytables + singular: bigquerytable + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + clustering: + items: + type: string + type: array + datasetRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + description: + type: string + encryptionConfiguration: + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - kmsKeyRef + type: object + expirationTime: + type: integer + externalDataConfiguration: + properties: + autodetect: + type: boolean + compression: + type: string + csvOptions: + properties: + allowJaggedRows: + type: boolean + allowQuotedNewlines: + type: boolean + encoding: + type: string + fieldDelimiter: + type: string + quote: + type: string + skipLeadingRows: + type: integer + required: + - quote + type: object + googleSheetsOptions: + properties: + range: + type: string + skipLeadingRows: + type: integer + type: object + ignoreUnknownValues: + type: boolean + maxBadRecords: + type: integer + sourceFormat: + type: string + sourceUris: + items: + type: string + type: array + required: + - autodetect + - sourceFormat + - sourceUris + type: object + friendlyName: + type: string + schema: + type: string + timePartitioning: + properties: + expirationMs: + type: integer + field: + type: string + requirePartitionFilter: + type: boolean + type: + type: string + required: + - type + type: object + view: + properties: + query: + type: string + useLegacySql: + type: boolean + required: + - query + type: object + required: + - datasetRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest 
available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTime: + type: integer + etag: + type: string + lastModifiedTime: + type: integer + location: + type: string + numBytes: + type: integer + numLongTermBytes: + type: integer + numRows: + type: integer + selfLink: + type: string + type: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: bigtableinstances.bigtable.cnrm.cloud.google.com +spec: + group: bigtable.cnrm.cloud.google.com + names: + categories: + - gcp + kind: BigtableInstance + plural: bigtableinstances + shortNames: + - gcpbigtableinstance + - gcpbigtableinstances + singular: bigtableinstance + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + cluster: + items: + properties: + clusterId: + type: string + numNodes: + type: integer + storageType: + type: string + zone: + type: string + required: + - clusterId + - zone + type: object + type: array + displayName: + type: string + instanceType: + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: cloudbuildtriggers.cloudbuild.cnrm.cloud.google.com +spec: + group: cloudbuild.cnrm.cloud.google.com + names: + categories: + - gcp + kind: CloudBuildTrigger + plural: cloudbuildtriggers + shortNames: + - gcpcloudbuildtrigger + - gcpcloudbuildtriggers + singular: cloudbuildtrigger + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + build: + description: Contents of the build template. Either a filename or build + template must be provided. + properties: + images: + description: |- + A list of images to be pushed upon the successful completion of all build steps. + The images are pushed using the builder service account's credentials. + The digests of the pushed images will be stored in the Build resource's results field. 
+ If any of the images fail to be pushed, the build status is marked FAILURE. + items: + type: string + type: array + step: + description: The operations to be performed on the workspace. + items: + properties: + args: + description: |- + A list of arguments that will be presented to the step when it is started. + + If the image used to run the step's container has an entrypoint, the args + are used as arguments to that entrypoint. If the image does not define an + entrypoint, the first element in args is used as the entrypoint, and the + remainder will be used as arguments. + items: + type: string + type: array + dir: + description: |- + Working directory to use when running this step's container. + + If this value is a relative path, it is relative to the build's working + directory. If this value is absolute, it may be outside the build's working + directory, in which case the contents of the path may not be persisted + across build step executions, unless a 'volume' for that path is specified. + + If the build specifies a 'RepoSource' with 'dir' and a step with a + 'dir', + which specifies an absolute path, the 'RepoSource' 'dir' is ignored + for the step's execution. + type: string + entrypoint: + description: |- + Entrypoint to be used instead of the build step image's + default entrypoint. + If unset, the image's default entrypoint is used + type: string + env: + description: |- + A list of environment variable definitions to be used when + running a step. + + The elements are of the form "KEY=VALUE" for the environment variable + "KEY" being given the value "VALUE". + items: + type: string + type: array + id: + description: |- + Unique identifier for this build step, used in 'wait_for' to + reference this build step as a dependency. + type: string + name: + description: |- + The name of the container image that will run this particular build step. + + If the image is available in the host's Docker daemon's cache, it will be + run directly. 
If not, the host will attempt to pull the image first, using + the builder service account's credentials if necessary. + + The Docker daemon's cache will already have the latest versions of all of + the officially supported build steps (https://github.com/GoogleCloudPlatform/cloud-builders). + The Docker daemon will also have cached many of the layers for some popular + images, like "ubuntu", "debian", but they will be refreshed at the time + you attempt to use them. + + If you built an image in a previous build step, it will be stored in the + host's Docker daemon's cache and is available to use as the name for a + later build step. + type: string + secretEnv: + description: |- + A list of environment variables which are encrypted using + a Cloud Key + Management Service crypto key. These values must be specified in + the build's 'Secret'. + items: + type: string + type: array + timeout: + description: |- + Time limit for executing this build step. If not defined, + the step has no + time limit and will be allowed to continue to run until either it + completes or the build itself times out. + type: string + timing: + description: |- + Output only. Stores timing information for executing this + build step. + type: string + volumes: + description: |- + List of volumes to mount into the build step. + + Each volume is created as an empty volume prior to execution of the + build step. Upon completion of the build, volumes and their contents + are discarded. + + Using a named volume in only one step is not valid as it is + indicative of a build request with an incorrect configuration. + items: + properties: + name: + description: |- + Name of the volume to mount. + + Volume names must be unique per build step and must be valid names for + Docker volumes. Each named volume must be used by at least two build steps. + type: string + path: + description: |- + Path at which to mount the volume. 
+ + Paths must be absolute and cannot conflict with other volume paths on + the same build step or with certain reserved volume paths. + type: string + required: + - name + - path + type: object + type: array + waitFor: + description: |- + The ID(s) of the step(s) that this build step depends on. + + This build step will not start until all the build steps in 'wait_for' + have completed successfully. If 'wait_for' is empty, this build step + will start when all previous build steps in the 'Build.Steps' list + have completed successfully. + items: + type: string + type: array + required: + - name + type: object + type: array + tags: + description: Tags for annotation of a Build. These are not docker + tags. + items: + type: string + type: array + timeout: + description: |- + Amount of time that this build should be allowed to run, to second granularity. + If this amount of time elapses, work on the build will cease and the build status will be TIMEOUT. + This timeout must be equal to or greater than the sum of the timeouts for build steps within the build. + The expected format is the number of seconds followed by s. + Default time is ten minutes (600s). + type: string + required: + - step + type: object + description: + description: Human-readable description of the trigger. + type: string + disabled: + description: Whether the trigger is disabled or not. If true, the trigger + will never result in a build. + type: boolean + filename: + description: Path, from the source root, to a file whose contents is + used for the template. Either a filename or build template must be + provided. + type: string + github: + description: |- + Describes the configuration of a trigger that creates a build whenever a GitHub event is received. + + One of 'trigger_template' or 'github' must be provided. + properties: + name: + description: |- + Name of the repository. For example: The name for + https://github.com/googlecloudplatform/cloud-builders is "cloud-builders". 
+ type: string + owner: + description: |- + Owner of the repository. For example: The owner for + https://github.com/googlecloudplatform/cloud-builders is "googlecloudplatform". + type: string + pullRequest: + description: filter to match changes in pull requests. Specify + only one of pullRequest or push. + properties: + branch: + description: Regex of branches to match. + type: string + commentControl: + description: Whether to block builds on a "/gcbrun" comment + from a repository owner or collaborator. + type: string + required: + - branch + type: object + push: + description: filter to match changes in refs, like branches or tags. Specify + only one of pullRequest or push. + properties: + branch: + description: Regex of branches to match. Specify only one of + branch or tag. + type: string + tag: + description: Regex of tags to match. Specify only one of branch + or tag. + type: string + type: object + type: object + ignoredFiles: + description: |- + ignoredFiles and includedFiles are file glob matches using http://godoc/pkg/path/filepath#Match + extended with support for '**'. + + If ignoredFiles and changed files are both empty, then they are not + used to determine whether or not to trigger a build. + + If ignoredFiles is not empty, then we ignore any files that match any + of the ignored_file globs. If the change has no files that are outside + of the ignoredFiles globs, then we do not trigger a build. + items: + type: string + type: array + includedFiles: + description: |- + ignoredFiles and includedFiles are file glob matches using http://godoc/pkg/path/filepath#Match + extended with support for '**'. + + If any of the files altered in the commit pass the ignoredFiles filter + and includedFiles is empty, then as far as this filter is concerned, we + should trigger the build. 
+ + If any of the files altered in the commit pass the ignoredFiles filter + and includedFiles is not empty, then we make sure that at least one of + those files matches a includedFiles glob. If not, then we do not trigger + a build. + items: + type: string + type: array + substitutions: + additionalProperties: + type: string + description: Substitutions data for Build resource. + type: object + triggerTemplate: + description: |- + Template describing the types of source changes to trigger a build. + + Branch and tag names in trigger templates are interpreted as regular + expressions. Any branch or tag change that matches that regular + expression will trigger a build. + + One of 'trigger_template' or 'github' must be provided. + properties: + branchName: + description: |- + Name of the branch to build. Exactly one a of branch name, tag, or commit SHA must be provided. + This field is a regular expression. + type: string + commitSha: + description: Explicit commit SHA to build. Exactly one of a branch + name, tag, or commit SHA must be provided. + type: string + dir: + description: |- + Directory, relative to the source root, in which to run the build. + + This must be a relative path. If a step's dir is specified and + is an absolute path, this value is ignored for that step's + execution. + type: string + repoRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + tagName: + description: |- + Name of the tag to build. Exactly one of a branch name, tag, or commit SHA must be provided. 
+ This field is a regular expression. + type: string + type: object + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + createTime: + description: Time when the trigger was created. + type: string + triggerId: + description: The unique identifier for the trigger. + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeaddresses.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeAddress + plural: computeaddresses + shortNames: + - gcpcomputeaddress + - gcpcomputeaddresses + singular: computeaddress + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + address: + description: |- + The static external IP address represented by this resource. Only + IPv4 is supported. An address may only be specified for INTERNAL + address types. The IP address must be inside the specified subnetwork, + if any. + type: string + addressType: + description: |- + The type of address to reserve, either INTERNAL or EXTERNAL. + If unspecified, defaults to EXTERNAL. + type: string + description: + description: An optional description of this resource. + type: string + ipVersion: + description: |- + The IP Version that will be used by this address. Valid options are + 'IPV4' or 'IPV6'. The default value is 'IPV4'. + type: string + location: + description: 'Location represents the geographical location of the ComputeAddress. + Specify a region name or "global" for global resources. Reference: + GCP definition of regions/zones (https://cloud.google.com/compute/docs/regions-zones/)' + type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + networkTier: + description: |- + The networking tier used for configuring this address. This field can + take the following values: PREMIUM or STANDARD. If this field is not + specified, it is assumed to be PREMIUM. + type: string + prefixLength: + description: |- + The prefix length of the IP range. If not present, it means the + address field is a single IP address. + + This field is not applicable to addresses with addressType=EXTERNAL. + type: integer + purpose: + description: |- + The purpose of this resource, which can be one of the following values: + + - GCE_ENDPOINT for addresses that are used by VM instances, alias IP ranges, internal load balancers, and similar resources. + + This should only be set when using an Internal address. + type: string + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - location + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. 
+ type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + labelFingerprint: + description: |- + The fingerprint used for optimistic locking of this resource. Used + internally during updates. + type: string + selfLink: + type: string + users: + description: The URLs of the resources that are using this address. + items: + type: string + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computebackendbuckets.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeBackendBucket + plural: computebackendbuckets + shortNames: + - gcpcomputebackendbucket + - gcpcomputebackendbuckets + singular: computebackendbucket + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + bucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + cdnPolicy: + description: Cloud CDN configuration for this Backend Bucket. + properties: + signedUrlCacheMaxAgeSec: + description: |- + Maximum number of seconds the response to a signed URL request will + be considered fresh. After this time period, + the response will be revalidated before being served. + When serving responses to signed URL requests, + Cloud CDN will internally behave as though + all responses from this backend had a "Cache-Control: public, + max-age=[TTL]" header, regardless of any existing Cache-Control + header. The actual headers served in responses will not be altered. + type: integer + required: + - signedUrlCacheMaxAgeSec + type: object + description: + description: |- + An optional textual description of the resource; provided by the + client when the resource is created. + type: string + enableCdn: + description: If true, enable Cloud CDN for this BackendBucket. + type: boolean + required: + - bucketRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computebackendservices.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeBackendService + plural: computebackendservices + shortNames: + - gcpcomputebackendservice + - gcpcomputebackendservices + singular: computebackendservice + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + affinityCookieTtlSec: + description: |- + Lifetime of cookies in seconds if session_affinity is + GENERATED_COOKIE. If set to 0, the cookie is non-persistent and lasts + only until the end of the browser session (or equivalent). The + maximum allowed value for TTL is one day. + + When the load balancing scheme is INTERNAL, this field is not used. + type: integer + backend: + description: The set of backends that serve this BackendService. + items: + properties: + balancingMode: + description: |- + Specifies the balancing mode for this backend. + + For global HTTP(S) or TCP/SSL load balancing, the default is + UTILIZATION. Valid values are UTILIZATION, RATE (for HTTP(S)) + and CONNECTION (for TCP/SSL). + type: string + capacityScaler: + description: |- + A multiplier applied to the group's maximum servicing capacity + (based on UTILIZATION, RATE or CONNECTION). + + Default value is 1, which means the group will serve up to 100% + of its configured capacity (depending on balancingMode). A + setting of 0 means the group is completely drained, offering + 0% of its available Capacity. Valid range is [0.0,1.0]. + type: number + description: + description: |- + An optional description of this resource. + Provide this property when you create the resource. + type: string + group: + properties: + instanceGroupRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + networkEndpointGroupRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + maxConnections: + description: |- + The max number of simultaneous connections for the group. Can + be used with either CONNECTION or UTILIZATION balancing modes. + + For CONNECTION mode, either maxConnections or one + of maxConnectionsPerInstance or maxConnectionsPerEndpoint, + as appropriate for group type, must be set. + type: integer + maxConnectionsPerEndpoint: + description: |- + The max number of simultaneous connections that a single backend + network endpoint can handle. This is used to calculate the + capacity of the group. Can be used in either CONNECTION or + UTILIZATION balancing modes. + + For CONNECTION mode, either + maxConnections or maxConnectionsPerEndpoint must be set. + type: integer + maxConnectionsPerInstance: + description: |- + The max number of simultaneous connections that a single + backend instance can handle. This is used to calculate the + capacity of the group. Can be used in either CONNECTION or + UTILIZATION balancing modes. + + For CONNECTION mode, either maxConnections or + maxConnectionsPerInstance must be set. + type: integer + maxRate: + description: |- + The max requests per second (RPS) of the group. + + Can be used with either RATE or UTILIZATION balancing modes, + but required if RATE mode. 
For RATE mode, either maxRate or one + of maxRatePerInstance or maxRatePerEndpoint, as appropriate for + group type, must be set. + type: integer + maxRatePerEndpoint: + description: |- + The max requests per second (RPS) that a single backend network + endpoint can handle. This is used to calculate the capacity of + the group. Can be used in either balancing mode. For RATE mode, + either maxRate or maxRatePerEndpoint must be set. + type: number + maxRatePerInstance: + description: |- + The max requests per second (RPS) that a single backend + instance can handle. This is used to calculate the capacity of + the group. Can be used in either balancing mode. For RATE mode, + either maxRate or maxRatePerInstance must be set. + type: number + maxUtilization: + description: |- + Used when balancingMode is UTILIZATION. This ratio defines the + CPU utilization target for the group. The default is 0.8. Valid + range is [0.0, 1.0]. + type: number + required: + - group + type: object + type: array + cdnPolicy: + description: Cloud CDN configuration for this BackendService. + properties: + cacheKeyPolicy: + description: The CacheKeyPolicy for this CdnPolicy. + properties: + includeHost: + description: If true requests to different hosts will be cached + separately. + type: boolean + includeProtocol: + description: If true, http and https requests will be cached + separately. + type: boolean + includeQueryString: + description: |- + If true, include query string parameters in the cache key + according to query_string_whitelist and + query_string_blacklist. If neither is set, the entire query + string will be included. + + If false, the query string will be excluded from the cache + key entirely. + type: boolean + queryStringBlacklist: + description: |- + Names of query string parameters to exclude in cache keys. + + All other parameters will be included. Either specify + query_string_whitelist or query_string_blacklist, not both. 
+ '&' and '=' will be percent encoded and not treated as + delimiters. + items: + type: string + type: array + queryStringWhitelist: + description: |- + Names of query string parameters to include in cache keys. + + All other parameters will be excluded. Either specify + query_string_whitelist or query_string_blacklist, not both. + '&' and '=' will be percent encoded and not treated as + delimiters. + items: + type: string + type: array + type: object + signedUrlCacheMaxAgeSec: + description: |- + Maximum number of seconds the response to a signed URL request + will be considered fresh, defaults to 1hr (3600s). After this + time period, the response will be revalidated before + being served. + + When serving responses to signed URL requests, Cloud CDN will + internally behave as though all responses from this backend had a + "Cache-Control: public, max-age=[TTL]" header, regardless of any + existing Cache-Control header. The actual headers served in + responses will not be altered. + type: integer + type: object + circuitBreakers: + description: |- + Settings controlling the volume of connections to a backend service. This field + is applicable only when the load_balancing_scheme is set to INTERNAL_SELF_MANAGED. + properties: + connectTimeout: + description: The timeout for new network connections to hosts. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond + resolution. Durations less than one second are represented + with a 0 seconds field and a positive nanos field. Must + be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. + Must be from 0 to 315,576,000,000 inclusive. + type: integer + required: + - seconds + type: object + maxConnections: + description: |- + The maximum number of connections to the backend cluster. + Defaults to 1024. 
+ type: integer + maxPendingRequests: + description: |- + The maximum number of pending requests to the backend cluster. + Defaults to 1024. + type: integer + maxRequests: + description: |- + The maximum number of parallel requests to the backend cluster. + Defaults to 1024. + type: integer + maxRequestsPerConnection: + description: |- + Maximum requests for a single backend connection. This parameter + is respected by both the HTTP/1.1 and HTTP/2 implementations. If + not specified, there is no limit. Setting this parameter to 1 + will effectively disable keep alive. + type: integer + maxRetries: + description: |- + The maximum number of parallel retries to the backend cluster. + Defaults to 3. + type: integer + type: object + connectionDrainingTimeoutSec: + description: |- + Time for which instance will be drained (not accept new + connections, but still work to finish started). + type: integer + consistentHash: + description: |- + Consistent Hash-based load balancing can be used to provide soft session + affinity based on HTTP headers, cookies or other properties. This load balancing + policy is applicable only for HTTP connections. The affinity to a particular + destination host will be lost when one or more hosts are added/removed from the + destination service. This field specifies parameters that control consistent + hashing. This field only applies if the load_balancing_scheme is set to + INTERNAL_SELF_MANAGED. This field is only applicable when locality_lb_policy is + set to MAGLEV or RING_HASH. + properties: + httpCookie: + description: |- + Hash is based on HTTP Cookie. This field describes a HTTP cookie + that will be used as the hash key for the consistent hash load + balancer. If the cookie is not present, it will be generated. + This field is applicable if the sessionAffinity is set to HTTP_COOKIE. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond + resolution. Durations less than one second are represented + with a 0 seconds field and a positive nanos field. Must + be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. + Must be from 0 to 315,576,000,000 inclusive. + type: integer + required: + - seconds + type: object + type: object + httpHeaderName: + description: |- + The hash based on the value of the specified header field. + This field is applicable if the sessionAffinity is set to HEADER_FIELD. + type: string + minimumRingSize: + description: |- + The minimum number of virtual nodes to use for the hash ring. + Larger ring sizes result in more granular load + distributions. If the number of hosts in the load balancing pool + is larger than the ring size, each host will be assigned a single + virtual node. + Defaults to 1024. + type: integer + type: object + customRequestHeaders: + description: |- + Headers that the HTTP/S load balancer should add to proxied + requests. + items: + type: string + type: array + description: + description: An optional description of this resource. + type: string + enableCdn: + description: If true, enable Cloud CDN for this BackendService. + type: boolean + failoverPolicy: + description: Policy for failovers. + properties: + disableConnectionDrainOnFailover: + description: |- + On failover or failback, this field indicates whether connection drain + will be honored. Setting this to true has the following effect: connections + to the old active pool are not drained. Connections to the new active pool + use the timeout of 10 min (currently fixed). Setting to false has the + following effect: both old and new connections will have a drain timeout + of 10 min. + This can be set to true only if the protocol is TCP. + The default is false. 
+ type: boolean + dropTrafficIfUnhealthy: + description: |- + This option is used only when no healthy VMs are detected in the primary + and backup instance groups. When set to true, traffic is dropped. When + set to false, new connections are sent across all VMs in the primary group. + The default is false. + type: boolean + failoverRatio: + description: |- + The value of the field must be in [0, 1]. If the ratio of the healthy + VMs in the primary backend is at or below this number, traffic arriving + at the load-balanced IP will be directed to the failover backend. + In case where 'failoverRatio' is not set or all the VMs in the backup + backend are unhealthy, the traffic will be directed back to the primary + backend in the "force" mode, where traffic will be spread to the healthy + VMs with the best effort, or to all VMs when no VM is healthy. + This field is only used with l4 load balancing. + type: number + type: object + healthChecks: + items: + properties: + healthCheckRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + httpHealthCheckRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + type: array + iap: + description: Settings for enabling Cloud Identity Aware Proxy + properties: + oauth2ClientId: + description: OAuth2 Client ID for IAP + type: string + oauth2ClientSecret: + description: OAuth2 Client Secret for IAP + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' + is specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if + 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + oauth2ClientSecretSha256: + description: OAuth2 Client Secret SHA-256 for IAP + type: string + required: + - oauth2ClientId + - oauth2ClientSecret + type: object + loadBalancingScheme: + description: |- + Indicates whether the backend service will be used with internal or + external load balancing. A backend service created for one type of + load balancing cannot be used with the other. Must be 'EXTERNAL' or + 'INTERNAL_SELF_MANAGED' for a global backend service. Defaults to 'EXTERNAL'. + type: string + localityLbPolicy: + description: |- + The load balancing algorithm used within the scope of the locality. + The possible values are - + + ROUND_ROBIN - This is a simple policy in which each healthy backend + is selected in round robin order. + + LEAST_REQUEST - An O(1) algorithm which selects two random healthy + hosts and picks the host which has fewer active requests. 
+ + RING_HASH - The ring/modulo hash load balancer implements consistent + hashing to backends. The algorithm has the property that the + addition/removal of a host from a set of N hosts only affects + 1/N of the requests. + + RANDOM - The load balancer selects a random healthy host. + + ORIGINAL_DESTINATION - Backend host is selected based on the client + connection metadata, i.e., connections are opened + to the same address as the destination address of + the incoming connection before the connection + was redirected to the load balancer. + + MAGLEV - used as a drop in replacement for the ring hash load balancer. + Maglev is not as stable as ring hash but has faster table lookup + build times and host selection times. For more information about + Maglev, refer to https://ai.google/research/pubs/pub44824 + + This field is applicable only when the load_balancing_scheme is set to + INTERNAL_SELF_MANAGED. + type: string + location: + description: 'Location represents the geographical location of the ComputeBackendService. + Specify a region name or "global" for global resources. Reference: + GCP definition of regions/zones (https://cloud.google.com/compute/docs/regions-zones/)' + type: string + logConfig: + description: |- + This field denotes the logging options for the load balancer traffic served by this backend service. + If logging is enabled, logs will be exported to Stackdriver. + properties: + enable: + description: Whether to enable logging for the load balancer traffic + served by this backend service. + type: boolean + sampleRate: + description: |- + This field can only be specified if logging is enabled for this backend service. The value of + the field must be in [0, 1]. This configures the sampling rate of requests to the load balancer + where 1.0 means all logged requests are reported and 0.0 means no logged requests are reported. + The default value is 1.0. 
+ type: number + type: object + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + outlierDetection: + description: |- + Settings controlling eviction of unhealthy hosts from the load balancing pool. + This field is applicable only when the load_balancing_scheme is set + to INTERNAL_SELF_MANAGED. + properties: + baseEjectionTime: + description: |- + The base time that a host is ejected for. The real time is equal to the base + time multiplied by the number of times the host has been ejected. Defaults to + 30000ms or 30s. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. + type: integer + required: + - seconds + type: object + consecutiveErrors: + description: |- + Number of errors before a host is ejected from the connection pool. When the + backend host is accessed over HTTP, a 5xx return code qualifies as an error. + Defaults to 5. + type: integer + consecutiveGatewayFailure: + description: |- + The number of consecutive gateway failures (502, 503, 504 status or connection + errors that are mapped to one of those status codes) before a consecutive + gateway failure ejection occurs. Defaults to 5. 
+ type: integer + enforcingConsecutiveErrors: + description: |- + The percentage chance that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting can be used to disable + ejection or to ramp it up slowly. Defaults to 100. + type: integer + enforcingConsecutiveGatewayFailure: + description: |- + The percentage chance that a host will be actually ejected when an outlier + status is detected through consecutive gateway failures. This setting can be + used to disable ejection or to ramp it up slowly. Defaults to 0. + type: integer + enforcingSuccessRate: + description: |- + The percentage chance that a host will be actually ejected when an outlier + status is detected through success rate statistics. This setting can be used to + disable ejection or to ramp it up slowly. Defaults to 100. + type: integer + interval: + description: |- + Time interval between ejection sweep analysis. This can result in both new + ejections as well as hosts being returned to service. Defaults to 10 seconds. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. + type: integer + required: + - seconds + type: object + maxEjectionPercent: + description: |- + Maximum percentage of hosts in the load balancing pool for the backend service + that can be ejected. Defaults to 10%. + type: integer + successRateMinimumHosts: + description: |- + The number of hosts in a cluster that must have enough request volume to detect + success rate outliers. If the number of hosts is less than this setting, outlier + detection via success rate statistics is not performed for any host in the + cluster. Defaults to 5. 
+ type: integer + successRateRequestVolume: + description: |- + The minimum number of total requests that must be collected in one interval (as + defined by the interval duration above) to include this host in success rate + based outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. Defaults + to 100. + type: integer + successRateStdevFactor: + description: |- + This factor is used to determine the ejection threshold for success rate outlier + ejection. The ejection threshold is the difference between the mean success + rate, and the product of this factor and the standard deviation of the mean + success rate: mean - (stdev * success_rate_stdev_factor). This factor is divided + by a thousand to get a double. That is, if the desired factor is 1.9, the + runtime value should be 1900. Defaults to 1900. + type: integer + type: object + portName: + description: |- + Name of backend port. The same name should appear in the instance + groups referenced by this service. Required when the load balancing + scheme is EXTERNAL. + type: string + protocol: + description: |- + The protocol this BackendService uses to communicate with backends. + Possible values are HTTP, HTTPS, HTTP2, TCP, and SSL. The default is + HTTP. **NOTE**: HTTP2 is only valid for beta HTTP/2 load balancer + types and may result in errors if used with the GA API. + type: string + securityPolicyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + sessionAffinity: + description: |- + Type of session affinity to use. The default is NONE. Session affinity is + not applicable if the protocol is UDP. + type: string + timeoutSec: + description: |- + How many seconds to wait for the backend before considering it a + failed request. Default is 30 seconds. Valid range is [1, 86400]. + type: integer + required: + - healthChecks + - location + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + fingerprint: + description: |- + Fingerprint of this resource. A hash of the contents stored in this + object. This field is used in optimistic locking. 
+ type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computedisks.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeDisk + plural: computedisks + shortNames: + - gcpcomputedisk + - gcpcomputedisks + singular: computedisk + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + diskEncryptionKey: + description: |- + Encrypts the disk using a customer-supplied encryption key. + + After you encrypt a disk with a customer-supplied key, you must + provide the same key if you use the disk later (e.g. to create a disk + snapshot or an image, or to attach the disk to a virtual machine). 
+ + Customer-supplied encryption keys do not protect access to metadata of + the disk. + + If you do not provide an encryption key when creating the disk, then + the disk will be encrypted using an automatically generated key and + you do not need to provide a key to use the disk later. + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + rawKey: + description: |- + Specifies a 256-bit customer-supplied encryption key, encoded in + RFC 4648 base64 to either encrypt or decrypt this resource. + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' + is specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if + 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + sha256: + description: |- + The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied + encryption key that protects this resource. 
+ type: string + type: object + imageRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + location: + description: 'Location represents the geographical location of the ComputeDisk. + Specify a region name or a zone name. Reference: GCP definition of + regions/zones (https://cloud.google.com/compute/docs/regions-zones/)' + type: string + physicalBlockSizeBytes: + description: |- + Physical block size of the persistent disk, in bytes. If not present + in a request, a default value is used. Currently supported sizes + are 4096 and 16384, other sizes may be added in the future. + If an unsupported value is requested, the error message will list + the supported values for the caller's project. + type: integer + replicaZones: + description: URLs of the zones where the disk should be replicated to. + items: + type: string + type: array + resourcePolicies: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + size: + description: |- + Size of the persistent disk, specified in GB. 
You can specify this + field when creating a persistent disk using the 'image' or + 'snapshot' parameter, or specify it alone to create an empty + persistent disk. + + If you specify this field along with 'image' or 'snapshot', + the value must not be less than the size of the image + or the size of the snapshot. + type: integer + snapshotRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + sourceImageEncryptionKey: + description: |- + The customer-supplied encryption key of the source image. Required if + the source image is protected by a customer-supplied encryption key. + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + rawKey: + description: |- + Specifies a 256-bit customer-supplied encryption key, encoded in + RFC 4648 base64 to either encrypt or decrypt this resource. + type: string + sha256: + description: |- + The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied + encryption key that protects this resource. 
+ type: string + type: object + sourceSnapshotEncryptionKey: + description: |- + The customer-supplied encryption key of the source snapshot. Required + if the source snapshot is protected by a customer-supplied encryption + key. + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + rawKey: + description: |- + Specifies a 256-bit customer-supplied encryption key, encoded in + RFC 4648 base64 to either encrypt or decrypt this resource. + type: string + sha256: + description: |- + The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied + encryption key that protects this resource. + type: string + type: object + type: + description: |- + URL of the disk type resource describing which disk type to use to + create the disk. Provide this when creating the disk. + type: string + required: + - location + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. 
+ type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + labelFingerprint: + description: |- + The fingerprint used for optimistic locking of this resource. Used + internally during updates. + type: string + lastAttachTimestamp: + description: Last attach timestamp in RFC3339 text format. + type: string + lastDetachTimestamp: + description: Last detach timestamp in RFC3339 text format. + type: string + selfLink: + type: string + sourceImageId: + description: |- + The ID value of the image used to create this disk. This value + identifies the exact image that was used to create this persistent + disk. For example, if you created the persistent disk from an image + that was later deleted and recreated under the same name, the source + image ID would identify the exact version of the image that was used. + type: string + sourceSnapshotId: + description: |- + The unique ID of the snapshot used to create this disk. This value + identifies the exact snapshot that was used to create this persistent + disk. For example, if you created the persistent disk from a snapshot + that was later deleted and recreated under the same name, the source + snapshot ID would identify the exact version of the snapshot that was + used. 
+ type: string + users: + description: |- + Links to the users of the disk (attached instances) in form: + project/zones/zone/instances/instance + items: + type: string + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeexternalvpngateways.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeExternalVPNGateway + plural: computeexternalvpngateways + shortNames: + - gcpcomputeexternalvpngateway + - gcpcomputeexternalvpngateways + singular: computeexternalvpngateway + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + interface: + description: A list of interfaces on this external VPN gateway. + items: + properties: + id: + description: |- + The numberic ID for this interface. 
Allowed values are based on the redundancy type + of this external VPN gateway + * '0 - SINGLE_IP_INTERNALLY_REDUNDANT' + * '0, 1 - TWO_IPS_REDUNDANCY' + * '0, 1, 2, 3 - FOUR_IPS_REDUNDANCY' + type: integer + ipAddress: + description: |- + IP address of the interface in the external VPN gateway. + Only IPv4 is supported. This IP address can be either from + your on-premise gateway or another Cloud provider’s VPN gateway, + it cannot be an IP address from Google Compute Engine. + type: string + type: object + type: array + redundancyType: + description: Indicates the redundancy type of this external VPN gateway + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computefirewalls.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeFirewall + plural: computefirewalls + shortNames: + - gcpcomputefirewall + - gcpcomputefirewalls + singular: computefirewall + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + allow: + description: |- + The list of ALLOW rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a permitted + connection. + items: + properties: + ports: + description: |- + An optional list of ports to which this rule applies. This field + is only applicable for UDP or TCP protocol. Each entry must be + either an integer or a range. 
If not specified, this rule + applies to connections through any port. + + Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + protocol: + description: |- + The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be + one of the following well known protocol strings (tcp, udp, + icmp, esp, ah, sctp), or the IP protocol number. + type: string + required: + - protocol + type: object + type: array + deny: + description: |- + The list of DENY rules specified by this firewall. Each rule specifies + a protocol and port-range tuple that describes a denied connection. + items: + properties: + ports: + description: |- + An optional list of ports to which this rule applies. This field + is only applicable for UDP or TCP protocol. Each entry must be + either an integer or a range. If not specified, this rule + applies to connections through any port. + + Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + protocol: + description: |- + The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be + one of the following well known protocol strings (tcp, udp, + icmp, esp, ah, sctp), or the IP protocol number. + type: string + required: + - protocol + type: object + type: array + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + destinationRanges: + description: |- + If destination ranges are specified, the firewall will apply only to + traffic that has destination IP address in these ranges. These ranges + must be expressed in CIDR format. Only IPv4 is supported. + items: + type: string + type: array + direction: + description: |- + Direction of traffic to which this firewall applies; default is + INGRESS. 
Note: For INGRESS traffic, it is NOT supported to specify + destinationRanges; For EGRESS traffic, it is NOT supported to specify + sourceRanges OR sourceTags. + type: string + disabled: + description: |- + Denotes whether the firewall rule is disabled, i.e not applied to the + network it is associated with. When set to true, the firewall rule is + not enforced and the network behaves as if it did not exist. If this + is unspecified, the firewall rule will be enabled. + type: boolean + enableLogging: + description: |- + This field denotes whether to enable logging for a particular + firewall rule. If logging is enabled, logs will be exported to + Stackdriver. + type: boolean + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + priority: + description: |- + Priority for this rule. This is an integer between 0 and 65535, both + inclusive. When not specified, the value assumed is 1000. Relative + priorities determine precedence of conflicting rules. Lower value of + priority implies higher precedence (eg, a rule with priority 0 has + higher precedence than a rule with priority 1). DENY rules take + precedence over ALLOW rules having equal priority. + type: integer + sourceRanges: + description: |- + If source ranges are specified, the firewall will apply only to + traffic that has source IP address in these ranges. These ranges must + be expressed in CIDR format. One or both of sourceRanges and + sourceTags may be set. 
If both properties are set, the firewall will + apply to traffic that has source IP address within sourceRanges OR the + source IP that belongs to a tag listed in the sourceTags property. The + connection does not need to match both properties for the firewall to + apply. Only IPv4 is supported. + items: + type: string + type: array + sourceServiceAccounts: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + sourceTags: + description: |- + If source tags are specified, the firewall will apply only to traffic + with source IP that belongs to a tag listed in source tags. Source + tags cannot be used to control traffic to an instance's external IP + address. Because tags are associated with an instance, not an IP + address. One or both of sourceRanges and sourceTags may be set. If + both properties are set, the firewall will apply to traffic that has + source IP address within sourceRanges OR the source IP that belongs to + a tag listed in the sourceTags property. The connection does not need + to match both properties for the firewall to apply. + items: + type: string + type: array + targetServiceAccounts: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + targetTags: + description: |- + A list of instance tags indicating sets of instances located in the + network that may make network connections as specified in allowed[]. + If no targetTags are specified, the firewall rule applies to all + instances on the specified network. + items: + type: string + type: array + required: + - networkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeforwardingrules.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeForwardingRule + plural: computeforwardingrules + shortNames: + - gcpcomputeforwardingrule + - gcpcomputeforwardingrules + singular: computeforwardingrule + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + allPorts: + description: |- + For internal TCP/UDP load balancing (i.e. load balancing scheme is + INTERNAL and protocol is TCP/UDP), set this to true to allow packets + addressed to any ports to be forwarded to the backends configured + with this forwarding rule. Used with backend service. Cannot be set + if port or portRange are set. 
+ type: boolean + allowGlobalAccess: + description: |- + If true, clients can access ILB from all regions. + Otherwise only allows from the local region the ILB is located at. + type: boolean + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + ipAddress: + properties: + addressRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + ip: + type: string + type: object + ipProtocol: + description: |- + The IP protocol to which this rule applies. Valid options are TCP, + UDP, ESP, AH, SCTP or ICMP. + + When the load balancing scheme is INTERNAL, only TCP and UDP are + valid. + type: string + ipVersion: + description: |- + The IP Version that will be used by this global forwarding rule. + Valid options are IPV4 or IPV6. 
+ type: string + loadBalancingScheme: + description: |- + This signifies what the ForwardingRule will be used for and can be + EXTERNAL, INTERNAL, or INTERNAL_MANAGED. EXTERNAL is used for Classic + Cloud VPN gateways, protocol forwarding to VMs from an external IP address, + and HTTP(S), SSL Proxy, TCP Proxy, and Network TCP/UDP load balancers. + INTERNAL is used for protocol forwarding to VMs from an internal IP address, + and internal TCP/UDP load balancers. + INTERNAL_MANAGED is used for internal HTTP(S) load balancers. + type: string + location: + description: 'Location represents the geographical location of the ComputeForwardingRule. + Specify a region name or "global" for global resources. Reference: + GCP definition of regions/zones (https://cloud.google.com/compute/docs/regions-zones/)' + type: string + metadataFilters: + description: |- + Opaque filter criteria used by Loadbalancer to restrict routing + configuration to a limited set xDS compliant clients. In their xDS + requests to Loadbalancer, xDS clients present node metadata. If a + match takes place, the relevant routing configuration is made available + to those proxies. + + For each metadataFilter in this list, if its filterMatchCriteria is set + to MATCH_ANY, at least one of the filterLabels must match the + corresponding label provided in the metadata. If its filterMatchCriteria + is set to MATCH_ALL, then all of its filterLabels must match with + corresponding labels in the provided metadata. + + metadataFilters specified here can be overridden by those specified in + the UrlMap that this ForwardingRule references. + + metadataFilters only applies to Loadbalancers that have their + loadBalancingScheme set to INTERNAL_SELF_MANAGED. + items: + properties: + filterLabels: + description: |- + The list of label value pairs that must match labels in the + provided metadata based on filterMatchCriteria + + This list must not be empty and can have at the most 64 entries. 
+ items: + properties: + name: + description: |- + Name of the metadata label. The length must be between + 1 and 1024 characters, inclusive. + type: string + value: + description: |- + The value that the label must match. The value has a maximum + length of 1024 characters. + type: string + required: + - name + - value + type: object + type: array + filterMatchCriteria: + description: |- + Specifies how individual filterLabel matches within the list of + filterLabels contribute towards the overall metadataFilter match. + + MATCH_ANY - At least one of the filterLabels must have a matching + label in the provided metadata. + MATCH_ALL - All filterLabels must have matching labels in the + provided metadata. + type: string + required: + - filterLabels + - filterMatchCriteria + type: object + type: array + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + networkTier: + description: |- + The networking tier used for configuring this address. This field can + take the following values: PREMIUM or STANDARD. If this field is not + specified, it is assumed to be PREMIUM. + type: string + portRange: + description: |- + This field is used along with the target field for TargetHttpProxy, + TargetHttpsProxy, TargetSslProxy, TargetTcpProxy, TargetVpnGateway, + TargetPool, TargetInstance. + + Applicable only when IPProtocol is TCP, UDP, or SCTP, only packets + addressed to ports in the specified range will be forwarded to target. 
+ Forwarding rules with the same [IPAddress, IPProtocol] pair must have + disjoint port ranges. + + Some types of forwarding target have constraints on the acceptable + ports: + + * TargetHttpProxy: 80, 8080 + * TargetHttpsProxy: 443 + * TargetTcpProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, + 1883, 5222 + * TargetSslProxy: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, + 1883, 5222 + * TargetVpnGateway: 500, 4500 + type: string + ports: + description: |- + This field is used along with the backend_service field for internal + load balancing. + + When the load balancing scheme is INTERNAL, a single port or a comma + separated list of ports can be configured. Only packets addressed to + these ports will be forwarded to the backends configured with this + forwarding rule. + + You may specify a maximum of up to 5 ports. + items: + type: string + type: array + serviceLabel: + description: |- + An optional prefix to the service name for this Forwarding Rule. + If specified, will be the first label of the fully qualified service + name. + + The label must be 1-63 characters long, and comply with RFC1035. + Specifically, the label must be 1-63 characters long and match the + regular expression '[a-z]([-a-z0-9]*[a-z0-9])?' which means the first + character must be a lowercase letter, and all following characters + must be a dash, lowercase letter, or digit, except the last + character, which cannot be a dash. + + This field is only used for INTERNAL load balancing. + type: string + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + target: + properties: + targetHTTPProxyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + targetHTTPSProxyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + targetVPNGatewayRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + required: + - location + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. 
+ items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + labelFingerprint: + description: |- + The fingerprint used for optimistic locking of this resource. Used + internally during updates. + type: string + selfLink: + type: string + serviceName: + description: |- + The internal fully qualified service name for this Forwarding Rule. + This field is only used for INTERNAL load balancing. + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computehealthchecks.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeHealthCheck + plural: computehealthchecks + shortNames: + - gcpcomputehealthcheck + - gcpcomputehealthchecks + singular: computehealthcheck + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + checkIntervalSec: + description: |- + How often (in seconds) to send a health check. The default value is 5 + seconds. + type: integer + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + healthyThreshold: + description: |- + A so-far unhealthy instance will be marked healthy after this many + consecutive successes. The default value is 2. + type: integer + http2HealthCheck: + description: A nested object resource + properties: + host: + description: |- + The value of the host header in the HTTP2 health check request. + If left empty (default value), the public IP on behalf of which this health + check is performed will be used. + type: string + port: + description: |- + The TCP port number for the HTTP2 health check request. + The default value is 443. + type: integer + portName: + description: |- + Port name as defined in InstanceGroup#NamedPort#name. If both port and + port_name are defined, port takes precedence. + type: string + portSpecification: + description: |- + Specifies how port is selected for health checking, can be one of the + following values: + + * 'USE_FIXED_PORT': The port number in 'port' is used for health checking. + + * 'USE_NAMED_PORT': The 'portName' is used for health checking. 
+ + * 'USE_SERVING_PORT': For NetworkEndpointGroup, the port specified for each + network endpoint is used for health checking. For other backends, the + port or named port specified in the Backend Service is used for health + checking. + + If not specified, HTTP2 health check follows behavior specified in 'port' and + 'portName' fields. + type: string + proxyHeader: + description: |- + Specifies the type of proxy header to append before sending data to the + backend, either NONE or PROXY_V1. The default is NONE. + type: string + requestPath: + description: |- + The request path of the HTTP2 health check request. + The default value is /. + type: string + response: + description: |- + The bytes to match against the beginning of the response data. If left empty + (the default value), any response will indicate health. The response data + can only be ASCII. + type: string + type: object + httpHealthCheck: + description: A nested object resource + properties: + host: + description: |- + The value of the host header in the HTTP health check request. + If left empty (default value), the public IP on behalf of which this health + check is performed will be used. + type: string + port: + description: |- + The TCP port number for the HTTP health check request. + The default value is 80. + type: integer + portName: + description: |- + Port name as defined in InstanceGroup#NamedPort#name. If both port and + port_name are defined, port takes precedence. + type: string + portSpecification: + description: |- + Specifies how port is selected for health checking, can be one of the + following values: + + * 'USE_FIXED_PORT': The port number in 'port' is used for health checking. + + * 'USE_NAMED_PORT': The 'portName' is used for health checking. + + * 'USE_SERVING_PORT': For NetworkEndpointGroup, the port specified for each + network endpoint is used for health checking. For other backends, the + port or named port specified in the Backend Service is used for health + checking. 
+ + If not specified, HTTP health check follows behavior specified in 'port' and + 'portName' fields. + type: string + proxyHeader: + description: |- + Specifies the type of proxy header to append before sending data to the + backend, either NONE or PROXY_V1. The default is NONE. + type: string + requestPath: + description: |- + The request path of the HTTP health check request. + The default value is /. + type: string + response: + description: |- + The bytes to match against the beginning of the response data. If left empty + (the default value), any response will indicate health. The response data + can only be ASCII. + type: string + type: object + httpsHealthCheck: + description: A nested object resource + properties: + host: + description: |- + The value of the host header in the HTTPS health check request. + If left empty (default value), the public IP on behalf of which this health + check is performed will be used. + type: string + port: + description: |- + The TCP port number for the HTTPS health check request. + The default value is 443. + type: integer + portName: + description: |- + Port name as defined in InstanceGroup#NamedPort#name. If both port and + port_name are defined, port takes precedence. + type: string + portSpecification: + description: |- + Specifies how port is selected for health checking, can be one of the + following values: + + * 'USE_FIXED_PORT': The port number in 'port' is used for health checking. + + * 'USE_NAMED_PORT': The 'portName' is used for health checking. + + * 'USE_SERVING_PORT': For NetworkEndpointGroup, the port specified for each + network endpoint is used for health checking. For other backends, the + port or named port specified in the Backend Service is used for health + checking. + + If not specified, HTTPS health check follows behavior specified in 'port' and + 'portName' fields. 
+ type: string + proxyHeader: + description: |- + Specifies the type of proxy header to append before sending data to the + backend, either NONE or PROXY_V1. The default is NONE. + type: string + requestPath: + description: |- + The request path of the HTTPS health check request. + The default value is /. + type: string + response: + description: |- + The bytes to match against the beginning of the response data. If left empty + (the default value), any response will indicate health. The response data + can only be ASCII. + type: string + type: object + location: + description: 'Location represents the geographical location of the ComputeHealthCheck. + Specify a region name or "global" for global resources. Reference: + GCP definition of regions/zones (https://cloud.google.com/compute/docs/regions-zones/)' + type: string + sslHealthCheck: + description: A nested object resource + properties: + port: + description: |- + The TCP port number for the SSL health check request. + The default value is 443. + type: integer + portName: + description: |- + Port name as defined in InstanceGroup#NamedPort#name. If both port and + port_name are defined, port takes precedence. + type: string + portSpecification: + description: |- + Specifies how port is selected for health checking, can be one of the + following values: + + * 'USE_FIXED_PORT': The port number in 'port' is used for health checking. + + * 'USE_NAMED_PORT': The 'portName' is used for health checking. + + * 'USE_SERVING_PORT': For NetworkEndpointGroup, the port specified for each + network endpoint is used for health checking. For other backends, the + port or named port specified in the Backend Service is used for health + checking. + + If not specified, SSL health check follows behavior specified in 'port' and + 'portName' fields. + type: string + proxyHeader: + description: |- + Specifies the type of proxy header to append before sending data to the + backend, either NONE or PROXY_V1. The default is NONE. 
+ type: string + request: + description: |- + The application data to send once the SSL connection has been + established (default value is empty). If both request and response are + empty, the connection establishment alone will indicate health. The request + data can only be ASCII. + type: string + response: + description: |- + The bytes to match against the beginning of the response data. If left empty + (the default value), any response will indicate health. The response data + can only be ASCII. + type: string + type: object + tcpHealthCheck: + description: A nested object resource + properties: + port: + description: |- + The TCP port number for the TCP health check request. + The default value is 443. + type: integer + portName: + description: |- + Port name as defined in InstanceGroup#NamedPort#name. If both port and + port_name are defined, port takes precedence. + type: string + portSpecification: + description: |- + Specifies how port is selected for health checking, can be one of the + following values: + + * 'USE_FIXED_PORT': The port number in 'port' is used for health checking. + + * 'USE_NAMED_PORT': The 'portName' is used for health checking. + + * 'USE_SERVING_PORT': For NetworkEndpointGroup, the port specified for each + network endpoint is used for health checking. For other backends, the + port or named port specified in the Backend Service is used for health + checking. + + If not specified, TCP health check follows behavior specified in 'port' and + 'portName' fields. + type: string + proxyHeader: + description: |- + Specifies the type of proxy header to append before sending data to the + backend, either NONE or PROXY_V1. The default is NONE. + type: string + request: + description: |- + The application data to send once the TCP connection has been + established (default value is empty). If both request and response are + empty, the connection establishment alone will indicate health. The request + data can only be ASCII. 
+ type: string + response: + description: |- + The bytes to match against the beginning of the response data. If left empty + (the default value), any response will indicate health. The response data + can only be ASCII. + type: string + type: object + timeoutSec: + description: |- + How long (in seconds) to wait before claiming failure. + The default value is 5 seconds. It is invalid for timeoutSec to have + greater value than checkIntervalSec. + type: integer + unhealthyThreshold: + description: |- + A so-far healthy instance will be marked unhealthy after this many + consecutive failures. The default value is 2. + type: integer + required: + - location + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + selfLink: + type: string + type: + description: The type of the health check. One of HTTP, HTTPS, TCP, + or SSL. 
+ type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computehttphealthchecks.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeHTTPHealthCheck + plural: computehttphealthchecks + shortNames: + - gcpcomputehttphealthcheck + - gcpcomputehttphealthchecks + singular: computehttphealthcheck + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + checkIntervalSec: + description: |- + How often (in seconds) to send a health check. The default value is 5 + seconds. + type: integer + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + healthyThreshold: + description: |- + A so-far unhealthy instance will be marked healthy after this many + consecutive successes. The default value is 2. 
+ type: integer + host: + description: |- + The value of the host header in the HTTP health check request. If + left empty (default value), the public IP on behalf of which this + health check is performed will be used. + type: string + port: + description: |- + The TCP port number for the HTTP health check request. + The default value is 80. + type: integer + requestPath: + description: |- + The request path of the HTTP health check request. + The default value is /. + type: string + timeoutSec: + description: |- + How long (in seconds) to wait before claiming failure. + The default value is 5 seconds. It is invalid for timeoutSec to have + greater value than checkIntervalSec. + type: integer + unhealthyThreshold: + description: |- + A so-far healthy instance will be marked unhealthy after this many + consecutive failures. The default value is 2. + type: integer + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computehttpshealthchecks.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeHTTPSHealthCheck + plural: computehttpshealthchecks + shortNames: + - gcpcomputehttpshealthcheck + - gcpcomputehttpshealthchecks + singular: computehttpshealthcheck + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + checkIntervalSec: + description: |- + How often (in seconds) to send a health check. The default value is 5 + seconds. + type: integer + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + healthyThreshold: + description: |- + A so-far unhealthy instance will be marked healthy after this many + consecutive successes. The default value is 2. 
+ type: integer + host: + description: |- + The value of the host header in the HTTPS health check request. If + left empty (default value), the public IP on behalf of which this + health check is performed will be used. + type: string + port: + description: |- + The TCP port number for the HTTPS health check request. + The default value is 80. + type: integer + requestPath: + description: |- + The request path of the HTTPS health check request. + The default value is /. + type: string + timeoutSec: + description: |- + How long (in seconds) to wait before claiming failure. + The default value is 5 seconds. It is invalid for timeoutSec to have + greater value than checkIntervalSec. + type: integer + unhealthyThreshold: + description: |- + A so-far healthy instance will be marked unhealthy after this many + consecutive failures. The default value is 2. + type: integer + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeimages.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeImage + plural: computeimages + shortNames: + - gcpcomputeimage + - gcpcomputeimages + singular: computeimage + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + diskRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + diskSizeGb: + description: Size of the image when restored onto a persistent disk + (in GB). + type: integer + family: + description: |- + The name of the image family to which this image belongs. You can + create disks by specifying an image family instead of a specific + image name. The image family always returns its latest image that is + not deprecated. The name of the image family must comply with + RFC1035. + type: string + guestOsFeatures: + description: |- + A list of features to enable on the guest operating system. + Applicable only for bootable images. + items: + properties: + type: + description: The type of supported feature. Read [Enabling guest + operating system features](https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features) + to see a list of available options. + type: string + required: + - type + type: object + type: array + licenses: + description: Any applicable license URI. + items: + type: string + type: array + rawDisk: + description: The parameters of the raw disk image. + properties: + containerType: + description: |- + The format used to encode and transmit the block device, which + should be TAR. This is just a container and transmission format + and not a runtime format. Provided by the client when the disk + image is created. + type: string + sha1: + description: |- + An optional SHA1 checksum of the disk image before unpackaging. + This is provided by the client when the disk image is created. + type: string + source: + description: |- + The full Google Cloud Storage URL where disk storage is stored + You must provide either this property or the sourceDisk property + but not both. 
+ type: string + required: + - source + type: object + type: object + status: + properties: + archiveSizeBytes: + description: |- + Size of the image tar.gz archive stored in Google Cloud Storage (in + bytes). + type: integer + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + labelFingerprint: + description: |- + The fingerprint used for optimistic locking of this resource. Used + internally during updates. 
+ type: string + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeinstancegroups.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeInstanceGroup + plural: computeinstancegroups + shortNames: + - gcpcomputeinstancegroup + - gcpcomputeinstancegroups + singular: computeinstancegroup + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + type: string + instances: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + namedPort: + items: + properties: + name: + type: string + port: + type: integer + required: + - name + - port + type: object + type: array + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + zone: + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + selfLink: + type: string + size: + type: integer + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeinstances.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeInstance + plural: computeinstances + shortNames: + - gcpcomputeinstance + - gcpcomputeinstances + singular: computeinstance + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + anyOf: + - required: + - bootDisk + - machineType + - networkInterface + - required: + - instanceTemplateRef + properties: + attachedDisk: + items: + properties: + deviceName: + type: string + diskEncryptionKeyRaw: + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' + is specified. 
+ type: string + valueFrom: + description: Source for the field's value. Cannot be used + if 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value + from. + type: string + required: + - name + - key + type: object + type: object + type: object + diskEncryptionKeySha256: + type: string + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + mode: + type: string + sourceDiskRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - sourceDiskRef + type: object + type: array + bootDisk: + properties: + autoDelete: + type: boolean + deviceName: + type: string + diskEncryptionKeyRaw: + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' + is specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if + 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + diskEncryptionKeySha256: + type: string + initializeParams: + properties: + labels: + type: object + size: + type: integer + sourceImageRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: + type: string + type: object + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + mode: + type: string + sourceDiskRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + canIpForward: + type: boolean + deletionProtection: + type: boolean + description: + type: string + enableDisplay: + type: boolean + guestAccelerator: + items: + properties: + count: + type: integer + type: + type: string + required: + - count + - type + type: object + type: array + hostname: + type: string + instanceTemplateRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + machineType: + type: string + metadata: + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + metadataStartupScript: + type: string + minCpuPlatform: + type: string + networkInterface: + items: + properties: + accessConfig: + items: + properties: + natIpRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + networkTier: + type: string + publicPtrDomainName: + type: string + type: object + type: array + aliasIpRange: + items: + properties: + ipCidrRange: + type: string + subnetworkRangeName: + type: string + required: + - ipCidrRange + type: object + type: array + name: + type: string + networkIp: + type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + subnetworkProject: + type: string + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + type: array + scheduling: + properties: + automaticRestart: + type: boolean + nodeAffinities: + items: + properties: + value: + type: object + type: object + type: array + onHostMaintenance: + type: string + preemptible: + type: boolean + type: object + scratchDisk: + items: + properties: + interface: + type: string + required: + - interface + type: object + type: array + serviceAccount: + properties: + scopes: + items: + type: string + type: array + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - scopes + type: object + shieldedInstanceConfig: + properties: + enableIntegrityMonitoring: + type: boolean + enableSecureBoot: + type: boolean + enableVtpm: + type: boolean + type: object + tags: + items: + type: string + type: array + zone: + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + cpuPlatform: + type: string + instanceId: + type: string + labelFingerprint: + type: string + metadataFingerprint: + type: string + selfLink: + type: string + tagsFingerprint: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeinstancetemplates.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeInstanceTemplate + plural: computeinstancetemplates + shortNames: + - gcpcomputeinstancetemplate + - gcpcomputeinstancetemplates + singular: computeinstancetemplate + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + canIpForward: + type: boolean + description: + type: string + disk: + items: + properties: + autoDelete: + type: boolean + boot: + type: boolean + deviceName: + type: string + diskEncryptionKey: + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - kmsKeyRef + type: object + diskName: + type: string + diskSizeGb: + type: integer + diskType: + type: string + interface: + type: string + labels: + additionalProperties: + type: string + type: object + mode: + type: string + sourceDiskRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + sourceImageRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: + type: string + type: object + type: array + enableDisplay: + type: boolean + guestAccelerator: + items: + properties: + count: + type: integer + type: + type: string + required: + - count + - type + type: object + type: array + instanceDescription: + type: string + machineType: + type: string + metadata: + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + metadataStartupScript: + type: string + minCpuPlatform: + type: string + namePrefix: + type: string + networkInterface: + items: + properties: + accessConfig: + items: + properties: + natIpRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + networkTier: + type: string + type: object + type: array + aliasIpRange: + items: + properties: + ipCidrRange: + type: string + subnetworkRangeName: + type: string + required: + - ipCidrRange + type: object + type: array + networkIp: + type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + subnetworkProject: + type: string + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + type: array + region: + type: string + scheduling: + properties: + automaticRestart: + type: boolean + nodeAffinities: + items: + properties: + value: + type: object + type: object + type: array + onHostMaintenance: + type: string + preemptible: + type: boolean + type: object + serviceAccount: + properties: + scopes: + items: + type: string + type: array + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - scopes + type: object + shieldedInstanceConfig: + properties: + enableIntegrityMonitoring: + type: boolean + enableSecureBoot: + type: boolean + enableVtpm: + type: boolean + type: object + tags: + items: + type: string + type: array + required: + - disk + - machineType + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + metadataFingerprint: + type: string + selfLink: + type: string + tagsFingerprint: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeinterconnectattachments.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeInterconnectAttachment + plural: computeinterconnectattachments + shortNames: + - gcpcomputeinterconnectattachment + - gcpcomputeinterconnectattachments + singular: computeinterconnectattachment + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + adminEnabled: + description: |- + Whether the VLAN attachment is enabled or disabled. When using + PARTNER type this will Pre-Activate the interconnect attachment + type: boolean + bandwidth: + description: |- + Provisioned bandwidth capacity for the interconnect attachment. 
+ For attachments of type DEDICATED, the user can set the bandwidth. + For attachments of type PARTNER, the Google Partner that is operating the interconnect must set the bandwidth. + Output only for PARTNER type, mutable for PARTNER_PROVIDER and DEDICATED, + Defaults to BPS_10G + type: string + candidateSubnets: + description: |- + Up to 16 candidate prefixes that can be used to restrict the allocation + of cloudRouterIpAddress and customerRouterIpAddress for this attachment. + All prefixes must be within link-local address space (169.254.0.0/16) + and must be /29 or shorter (/28, /27, etc). Google will attempt to select + an unused /29 from the supplied candidate prefix(es). The request will + fail if all possible /29s are in use on Google's edge. If not supplied, + Google will randomly select an unused /29 from all of link-local space. + items: + type: string + type: array + description: + description: An optional description of this resource. + type: string + edgeAvailabilityDomain: + description: |- + Desired availability domain for the attachment. Only available for type + PARTNER, at creation time. For improved reliability, customers should + configure a pair of attachments with one per availability domain. The + selected availability domain will be provided to the Partner via the + pairing key so that the provisioned circuit will lie in the specified + domain. If not specified, the value will default to AVAILABILITY_DOMAIN_ANY. + type: string + interconnect: + description: |- + URL of the underlying Interconnect object that this attachment's + traffic will traverse through. Required if type is DEDICATED, must not + be set if type is PARTNER. + type: string + region: + description: Region where the regional interconnect attachment resides. 
+ type: string + routerRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: + description: |- + The type of InterconnectAttachment you wish to create. Defaults to + DEDICATED. + type: string + vlanTag8021q: + description: |- + The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. When + using PARTNER type this will be managed upstream. + type: integer + required: + - routerRef + type: object + status: + properties: + cloudRouterIpAddress: + description: |- + IPv4 address + prefix length to be configured on Cloud Router + Interface for this interconnect attachment. + type: string + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + customerRouterIpAddress: + description: |- + IPv4 address + prefix length to be configured on the customer + router subinterface for this interconnect attachment. + type: string + googleReferenceId: + description: |- + Google reference ID, to be used when raising support tickets with + Google or otherwise to debug backend connectivity issues. + type: string + pairingKey: + description: |- + [Output only for type PARTNER. Not present for DEDICATED]. The opaque + identifier of an PARTNER attachment used to initiate provisioning with + a selected partner. Of the form "XXXXX/region/domain" + type: string + partnerAsn: + description: |- + [Output only for type PARTNER. Not present for DEDICATED]. Optional + BGP ASN for the router that should be supplied by a layer 3 Partner if + they configured BGP on behalf of the customer. + type: string + privateInterconnectInfo: + description: |- + Information specific to an InterconnectAttachment. This property + is populated if the interconnect that this is attached to is of type DEDICATED. + properties: + tag8021q: + description: |- + 802.1q encapsulation tag to be used for traffic between + Google and the customer, going to and from this network and region. + type: integer + type: object + selfLink: + type: string + state: + description: '[Output Only] The current state of this attachment''s + functionality.' 
+ type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computenetworkendpointgroups.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeNetworkEndpointGroup + plural: computenetworkendpointgroups + shortNames: + - gcpcomputenetworkendpointgroup + - gcpcomputenetworkendpointgroups + singular: computenetworkendpointgroup + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + defaultPort: + description: |- + The default port used if the port number is not specified in the + network endpoint. + type: integer + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. + type: string + location: + description: 'Location represents the geographical location of the ComputeNetworkEndpointGroup. + Specify a zone name. 
Reference: GCP definition of regions/zones (https://cloud.google.com/compute/docs/regions-zones/)' + type: string + networkEndpointType: + description: |- + Type of network endpoints in this network endpoint group. Currently + the only supported value is GCE_VM_IP_PORT. + type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - location + - networkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. 
Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + selfLink: + type: string + size: + description: Number of network endpoints in the network endpoint group. + type: integer + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computenetworkpeerings.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeNetworkPeering + plural: computenetworkpeerings + shortNames: + - gcpcomputenetworkpeering + - gcpcomputenetworkpeerings + singular: computenetworkpeering + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + exportCustomRoutes: + type: boolean + importCustomRoutes: + type: boolean + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + peerNetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - networkRef + - peerNetworkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. 
+ type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + state: + type: string + stateDetails: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computenetworks.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeNetwork + plural: computenetworks + shortNames: + - gcpcomputenetwork + - gcpcomputenetworks + singular: computenetwork + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoCreateSubnetworks: + description: |- + When set to 'true', the network is created in "auto subnet mode" and + it will create a subnet for each region automatically across the + '10.128.0.0/9' address range. 
+ + When set to 'false', the network is created in "custom subnet mode" so + the user can explicitly connect subnetwork resources. + type: boolean + deleteDefaultRoutesOnCreate: + type: boolean + description: + description: |- + An optional description of this resource. The resource must be + recreated to modify this field. + type: string + routingMode: + description: |- + The network-wide routing mode to use. If set to 'REGIONAL', this + network's cloud routers will only advertise routes with subnetworks + of this network in the same region as the router. If set to 'GLOBAL', + this network's cloud routers will advertise routes with all + subnetworks of this network, across regions. + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + gatewayIpv4: + description: |- + The gateway address for default routing out of the network. This value + is selected by GCP. 
+ type: string + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computenodegroups.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeNodeGroup + plural: computenodegroups + shortNames: + - gcpcomputenodegroup + - gcpcomputenodegroups + singular: computenodegroup + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional textual description of the resource. + type: string + nodeTemplateRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + size: + description: The total number of nodes in the node group. + type: integer + zone: + description: Zone where this node group is located + type: string + required: + - nodeTemplateRef + - size + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computenodetemplates.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeNodeTemplate + plural: computenodetemplates + shortNames: + - gcpcomputenodetemplate + - gcpcomputenodetemplates + singular: computenodetemplate + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional textual description of the resource. + type: string + nodeType: + description: |- + Node type to use for nodes group that are created from this template. + Only one of nodeTypeFlexibility and nodeType can be specified. + type: string + nodeTypeFlexibility: + description: |- + Flexible properties for the desired node type. 
Node groups that + use this node template will create nodes of a type that matches + these properties. Only one of nodeTypeFlexibility and nodeType can + be specified. + properties: + cpus: + description: Number of virtual CPUs to use. + type: string + localSsd: + description: Use local SSD + type: string + memory: + description: Physical memory available to the node, defined in MB. + type: string + type: object + region: + description: |- + Region where nodes using the node template will be created. + If it is not provided, the provider region is used. + type: string + serverBinding: + description: |- + The server binding policy for nodes using this template. Determines + where the nodes should restart following a maintenance event. + properties: + type: + description: |- + Type of server binding policy. If 'RESTART_NODE_ON_ANY_SERVER', + nodes using this template will restart on any physical server + following a maintenance event. + + If 'RESTART_NODE_ON_MINIMAL_SERVER', nodes using this template + will restart on the same physical server following a maintenance + event, instead of being live migrated to or restarted on a new + physical server. This option may be useful if you are using + software licenses tied to the underlying server characteristics + such as physical sockets or cores, to avoid the need for + additional licenses when maintenance occurs. However, VMs on such + nodes will experience outages while maintenance is applied. + type: string + required: + - type + type: object + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. 
+ type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computereservations.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeReservation + plural: computereservations + shortNames: + - gcpcomputereservation + - gcpcomputereservations + singular: computereservation + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + specificReservation: + description: Reservation for instances with specific machine shapes. + properties: + count: + description: The number of resources that are allocated. + type: integer + inUseCount: + description: How many instances are in use. + type: integer + instanceProperties: + description: The instance properties for the reservation. + properties: + guestAccelerators: + description: Guest accelerator type and count. + items: + properties: + acceleratorCount: + description: |- + The number of the guest accelerator cards exposed to + this instance. + type: integer + acceleratorType: + description: |- + The full or partial URL of the accelerator type to + attach to this instance. For example: + 'projects/my-project/zones/us-central1-c/acceleratorTypes/nvidia-tesla-p100' + + If you are creating an instance template, specify only the accelerator name. + type: string + required: + - acceleratorCount + - acceleratorType + type: object + type: array + localSsds: + description: |- + The amount of local ssd to reserve with each instance. This + reserves disks of type 'local-ssd'. + items: + properties: + diskSizeGb: + description: The size of the disk in base-2 GB. + type: integer + interface: + description: |- + The disk interface to use for attaching this disk, one + of 'SCSI' or 'NVME'. The default is 'SCSI'. + type: string + required: + - diskSizeGb + type: object + type: array + machineType: + description: The name of the machine type to reserve. + type: string + minCpuPlatform: + description: |- + The minimum CPU platform for the reservation. For example, + '"Intel Skylake"'. 
See + the CPU platform availability reference](https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform#availablezones) + for information on available CPU platforms. + type: string + required: + - machineType + type: object + required: + - count + - instanceProperties + type: object + specificReservationRequired: + description: |- + When set to true, only VMs that target this reservation by name can + consume this reservation. Otherwise, it can be consumed by VMs with + affinity for any reservation. Defaults to false. + type: boolean + zone: + description: The zone where the reservation is made. + type: string + required: + - specificReservation + - zone + type: object + status: + properties: + commitment: + description: |- + Full or partial URL to a parent commitment. This field displays for + reservations that are tied to a commitment. + type: string + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + selfLink: + type: string + status: + description: The status of the reservation. 
+ type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeresourcepolicies.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeResourcePolicy + plural: computeresourcepolicies + shortNames: + - gcpcomputeresourcepolicy + - gcpcomputeresourcepolicies + singular: computeresourcepolicy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + region: + description: Region where resource policy resides. + type: string + snapshotSchedulePolicy: + description: Policy for creating snapshots of persistent disks. + properties: + retentionPolicy: + description: Retention policy applied to snapshots created by this + resource policy. + properties: + maxRetentionDays: + description: Maximum age of the snapshot that is allowed to + be kept. 
+ type: integer + onSourceDiskDelete: + description: |- + Specifies the behavior to apply to scheduled snapshots when + the source disk is deleted. + Valid options are KEEP_AUTO_SNAPSHOTS and APPLY_RETENTION_POLICY + type: string + required: + - maxRetentionDays + type: object + schedule: + description: Contains one of an 'hourlySchedule', 'dailySchedule', + or 'weeklySchedule'. + properties: + dailySchedule: + description: The policy will execute every nth day at the specified + time. + properties: + daysInCycle: + description: The number of days between snapshots. + type: integer + startTime: + description: |- + This must be in UTC format that resolves to one of + 00:00, 04:00, 08:00, 12:00, 16:00, or 20:00. For example, + both 13:00-5 and 08:00 are valid. + type: string + required: + - daysInCycle + - startTime + type: object + hourlySchedule: + description: The policy will execute every nth hour starting + at the specified time. + properties: + hoursInCycle: + description: The number of hours between snapshots. + type: integer + startTime: + description: |- + Time within the window to start the operations. + It must be in format "HH:MM", + where HH : [00-23] and MM : [00-00] GMT. + type: string + required: + - hoursInCycle + - startTime + type: object + weeklySchedule: + description: Allows specifying a snapshot time for each day + of the week. + properties: + dayOfWeeks: + description: May contain up to seven (one for each day of + the week) snapshot times. + items: + properties: + day: + description: The day of the week to create the snapshot. + e.g. MONDAY + type: string + startTime: + description: |- + Time within the window to start the operations. + It must be in format "HH:MM", where HH : [00-23] and MM : [00-00] GMT. + type: string + required: + - day + - startTime + type: object + type: array + required: + - dayOfWeeks + type: object + type: object + snapshotProperties: + description: Properties with which the snapshots are created, such + as labels. 
+ properties: + guestFlush: + description: Whether to perform a 'guest aware' snapshot. + type: boolean + labels: + additionalProperties: + type: string + description: A set of key-value pairs. + type: object + storageLocations: + description: Cloud Storage bucket location in which to store + the snapshot (regional or multi-regional). + items: + type: string + type: array + type: object + required: + - schedule + type: object + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computerouterinterfaces.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeRouterInterface + plural: computerouterinterfaces + shortNames: + - gcpcomputerouterinterface + - gcpcomputerouterinterfaces + singular: computerouterinterface + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + interconnectAttachmentRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + ipRange: + type: string + region: + type: string + routerRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + vpnTunnelRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - routerRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. 
+ type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computerouternats.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeRouterNAT + plural: computerouternats + shortNames: + - gcpcomputerouternat + - gcpcomputerouternats + singular: computerouternat + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + drainNatIps: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + icmpIdleTimeoutSec: + description: Timeout (in seconds) for ICMP connections. Defaults to + 30s if not set. + type: integer + logConfig: + description: Configuration for logging on NAT + properties: + enable: + description: Indicates whether or not to export logs. + type: boolean + filter: + description: |- + Specifies the desired filtering of logs on this NAT. Valid + values are: '"ERRORS_ONLY"', '"TRANSLATIONS_ONLY"', '"ALL"' + type: string + required: + - enable + - filter + type: object + minPortsPerVm: + description: Minimum number of ports allocated to a VM from this NAT. + type: integer + natIpAllocateOption: + description: |- + How external IPs should be allocated for this NAT. Valid values are + 'AUTO_ONLY' for only allowing NAT IPs allocated by Google Cloud + Platform, or 'MANUAL_ONLY' for only user-allocated NAT IP addresses. + type: string + natIps: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + region: + description: Region where the router and NAT reside. 
+ type: string + routerRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + sourceSubnetworkIpRangesToNat: + description: |- + How NAT should be configured per Subnetwork. + If 'ALL_SUBNETWORKS_ALL_IP_RANGES', all of the + IP ranges in every Subnetwork are allowed to Nat. + If 'ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES', all of the primary IP + ranges in every Subnetwork are allowed to Nat. + 'LIST_OF_SUBNETWORKS': A list of Subnetworks are allowed to Nat + (specified in the field subnetwork below). Note that if this field + contains ALL_SUBNETWORKS_ALL_IP_RANGES or + ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, then there should not be any + other RouterNat section in any Router for this network in this region. + type: string + subnetwork: + description: |- + One or more subnetwork NAT configurations. Only used if + 'source_subnetwork_ip_ranges_to_nat' is set to 'LIST_OF_SUBNETWORKS' + items: + properties: + secondaryIpRangeNames: + description: |- + List of the secondary ranges of the subnetwork that are allowed + to use NAT. This can be populated only if + 'LIST_OF_SECONDARY_IP_RANGES' is one of the values in + sourceIpRangesToNat + items: + type: string + type: array + sourceIpRangesToNat: + description: |- + List of options for which source IPs in the subnetwork + should have NAT enabled. Supported values include: + 'ALL_IP_RANGES', 'LIST_OF_SECONDARY_IP_RANGES', + 'PRIMARY_IP_RANGE'. 
+ items: + type: string + type: array + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - sourceIpRangesToNat + - subnetworkRef + type: object + type: array + tcpEstablishedIdleTimeoutSec: + description: |- + Timeout (in seconds) for TCP established connections. + Defaults to 1200s if not set. + type: integer + tcpTransitoryIdleTimeoutSec: + description: |- + Timeout (in seconds) for TCP transitory connections. + Defaults to 30s if not set. + type: integer + udpIdleTimeoutSec: + description: Timeout (in seconds) for UDP connections. Defaults to 30s + if not set. + type: integer + required: + - natIpAllocateOption + - routerRef + - sourceSubnetworkIpRangesToNat + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computerouterpeers.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeRouterPeer + plural: computerouterpeers + shortNames: + - gcpcomputerouterpeer + - gcpcomputerouterpeers + singular: computerouterpeer + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + advertiseMode: + description: |- + User-specified flag to indicate which mode to use for advertisement. + Valid values of this enum field are: 'DEFAULT', 'CUSTOM' + type: string + advertisedGroups: + description: |- + User-specified list of prefix groups to advertise in custom + mode, which can take one of the following options: + + * 'ALL_SUBNETS': Advertises all available subnets, including peer VPC subnets. 
+ * 'ALL_VPC_SUBNETS': Advertises the router's own VPC subnets. + * 'ALL_PEER_VPC_SUBNETS': Advertises peer subnets of the router's VPC network. + + + Note that this field can only be populated if advertiseMode is 'CUSTOM' + and overrides the list defined for the router (in the "bgp" message). + These groups are advertised in addition to any specified prefixes. + Leave this field blank to advertise no custom groups. + items: + type: string + type: array + advertisedIpRanges: + description: |- + User-specified list of individual IP ranges to advertise in + custom mode. This field can only be populated if advertiseMode + is 'CUSTOM' and is advertised to all peers of the router. These IP + ranges will be advertised in addition to any specified groups. + Leave this field blank to advertise no custom IP ranges. + items: + properties: + description: + description: User-specified description for the IP range. + type: string + range: + description: |- + The IP range to advertise. The value must be a + CIDR-formatted string. + type: string + required: + - range + type: object + type: array + advertisedRoutePriority: + description: |- + The priority of routes advertised to this BGP peer. + Where there is more than one matching route of maximum + length, the routes with the lowest priority value win. + type: integer + peerAsn: + description: |- + Peer BGP Autonomous System Number (ASN). + Each BGP interface may use a different value. + type: integer + peerIpAddress: + description: |- + IP address of the BGP interface outside Google Cloud Platform. + Only IPv4 is supported. + type: string + region: + description: |- + Region where the router and BgpPeer reside. + If it is not provided, the provider region is used. 
+ type: string + routerInterfaceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + routerRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - peerAsn + - peerIpAddress + - routerInterfaceRef + - routerRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + ipAddress: + description: |- + IP address of the interface inside Google Cloud Platform. + Only IPv4 is supported. + type: string + managementType: + description: |- + The resource that configures and manages this BGP peer. + + * 'MANAGED_BY_USER' is the default value and can be managed by + you or other users + * 'MANAGED_BY_ATTACHMENT' is a BGP peer that is configured and + managed by Cloud Interconnect, specifically by an + InterconnectAttachment of type PARTNER. Google automatically + creates, updates, and deletes this type of BGP peer when the + PARTNER InterconnectAttachment is created, updated, + or deleted. + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computerouters.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeRouter + plural: computerouters + shortNames: + - gcpcomputerouter + - gcpcomputerouters + singular: computerouter + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + bgp: + description: BGP information specific to this router. + properties: + advertiseMode: + description: |- + User-specified flag to indicate which mode to use for advertisement. + + Valid values of this enum field are: DEFAULT, CUSTOM + type: string + advertisedGroups: + description: |- + User-specified list of prefix groups to advertise in custom mode. + This field can only be populated if advertiseMode is CUSTOM and + is advertised to all peers of the router. These groups will be + advertised in addition to any specified prefixes. Leave this field + blank to advertise no custom groups. + + This enum field has the one valid value: ALL_SUBNETS + items: + type: string + type: array + advertisedIpRanges: + description: |- + User-specified list of individual IP ranges to advertise in + custom mode. This field can only be populated if advertiseMode + is CUSTOM and is advertised to all peers of the router. These IP + ranges will be advertised in addition to any specified groups. + Leave this field blank to advertise no custom IP ranges. + items: + properties: + description: + description: User-specified description for the IP range. + type: string + range: + description: |- + The IP range to advertise. The value must be a + CIDR-formatted string. + type: string + required: + - range + type: object + type: array + asn: + description: |- + Local BGP Autonomous System Number (ASN). Must be an RFC6996 + private ASN, either 16-bit or 32-bit. The value will be fixed for + this router resource. All VPN tunnels that link to this router + will have the same local ASN. + type: integer + required: + - asn + type: object + description: + description: An optional description of this resource. 
+ type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + region: + description: Region where the router resides. + type: string + required: + - networkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeroutes.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeRoute + plural: computeroutes + shortNames: + - gcpcomputeroute + - gcpcomputeroutes + singular: computeroute + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: |- + An optional description of this resource. Provide this property + when you create the resource. + type: string + destRange: + description: |- + The destination range of outgoing packets that this route applies to. + Only IPv4 is supported. 
+ type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + nextHopGateway: + description: |- + URL to a gateway that should handle matching packets. + Currently, you can only specify the internet gateway, using a full or + partial valid URL: + * 'https://www.googleapis.com/compute/v1/projects/project/global/gateways/default-internet-gateway' + * 'projects/project/global/gateways/default-internet-gateway' + * 'global/gateways/default-internet-gateway' + * The string 'default-internet-gateway'. + type: string + nextHopILBRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + nextHopInstanceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + nextHopIp: + description: Network IP address of an instance that should handle matching + packets. + type: string + nextHopVPNTunnelRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + priority: + description: |- + The priority of this route. Priority is used to break ties in cases + where there is more than one matching route of equal prefix length. + + In the case of two routes with equal prefix length, the one with the + lowest-numbered priority value wins. + + Default value is 1000. Valid range is 0 through 65535. + type: integer + tags: + description: A list of instance tags to which this route applies. + items: + type: string + type: array + required: + - destRange + - networkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + nextHopNetwork: + description: URL to a Network that should handle matching packets. + type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computesecuritypolicies.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeSecurityPolicy + plural: computesecuritypolicies + shortNames: + - gcpcomputesecuritypolicy + - gcpcomputesecuritypolicies + singular: computesecuritypolicy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + type: string + rule: + items: + properties: + action: + type: string + description: + type: string + match: + properties: + config: + properties: + srcIpRanges: + items: + type: string + type: array + required: + - srcIpRanges + type: object + expr: + properties: + expression: + type: string + required: + - expression + type: object + versionedExpr: + type: string + type: object + preview: + type: boolean + priority: + type: integer + required: + - action + - match + - priority + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + fingerprint: + type: string + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computesharedvpchostprojects.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeSharedVPCHostProject + plural: computesharedvpchostprojects + shortNames: + - gcpcomputesharedvpchostproject + - gcpcomputesharedvpchostprojects + singular: computesharedvpchostproject + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. 
+ type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computesharedvpcserviceprojects.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeSharedVPCServiceProject + plural: computesharedvpcserviceprojects + shortNames: + - gcpcomputesharedvpcserviceproject + - gcpcomputesharedvpcserviceprojects + singular: computesharedvpcserviceproject + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + projectRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - projectRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computesnapshots.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeSnapshot + plural: computesnapshots + shortNames: + - gcpcomputesnapshot + - gcpcomputesnapshots + singular: computesnapshot + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + snapshotEncryptionKey: + description: |- + The customer-supplied encryption key of the snapshot. Required if the + source snapshot is protected by a customer-supplied encryption key. + properties: + rawKey: + description: |- + Specifies a 256-bit customer-supplied encryption key, encoded in + RFC 4648 base64 to either encrypt or decrypt this resource. 
+ oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' + is specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if + 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + sha256: + description: |- + The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied + encryption key that protects this resource. + type: string + required: + - rawKey + type: object + sourceDiskEncryptionKey: + description: |- + The customer-supplied encryption key of the source snapshot. Required + if the source snapshot is protected by a customer-supplied encryption + key. + properties: + rawKey: + description: |- + Specifies a 256-bit customer-supplied encryption key, encoded in + RFC 4648 base64 to either encrypt or decrypt this resource. + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' + is specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if + 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. 
+ type: string + required: + - name + - key + type: object + type: object + type: object + type: object + sourceDiskRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + zone: + description: A reference to the zone where the disk is hosted. + type: string + required: + - sourceDiskRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + diskSizeGb: + description: Size of the snapshot, specified in GB. + type: integer + labelFingerprint: + description: |- + The fingerprint used for optimistic locking of this resource. Used + internally during updates. + type: string + licenses: + description: |- + A list of public visible licenses that apply to this snapshot. 
This + can be because the original image had licenses attached (such as a + Windows image). snapshotEncryptionKey nested object Encrypts the + snapshot using a customer-supplied encryption key. + items: + type: string + type: array + selfLink: + type: string + snapshotId: + description: The unique identifier for the resource. + type: integer + sourceDiskLink: + type: string + storageBytes: + description: |- + A size of the storage used by the snapshot. As snapshots share + storage, this number is expected to change with snapshot + creation/deletion. + type: integer + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computesslcertificates.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeSSLCertificate + plural: computesslcertificates + shortNames: + - gcpcomputesslcertificate + - gcpcomputesslcertificates + singular: computesslcertificate + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + certificate: + description: |- + The certificate in PEM format. + The certificate chain must be no greater than 5 certs long. + The chain must include at least one intermediate cert. + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' is + specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if 'value' + is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in the + given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + description: + description: An optional description of this resource. + type: string + location: + description: Location represents the geographical location of the ComputeSSLCertificate. + Specify "global" for global resources. + type: string + privateKey: + description: The write-only private key in PEM format. + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' is + specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if 'value' + is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in the + given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. 
+ type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + required: + - certificate + - location + - privateKey + type: object + status: + properties: + certificateId: + description: The unique identifier for the resource. + type: integer + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computesslpolicies.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeSSLPolicy + plural: computesslpolicies + shortNames: + - gcpcomputesslpolicy + - gcpcomputesslpolicies + singular: computesslpolicy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + customFeatures: + description: |- + Profile specifies the set of SSL features that can be used by the + load balancer when negotiating SSL with clients. This can be one of + 'COMPATIBLE', 'MODERN', 'RESTRICTED', or 'CUSTOM'. If using 'CUSTOM', + the set of SSL features to enable must be specified in the + 'customFeatures' field. 
+ + See the [official documentation](https://cloud.google.com/compute/docs/load-balancing/ssl-policies#profilefeaturesupport) + for which ciphers are available to use. **Note**: this argument + *must* be present when using the 'CUSTOM' profile. This argument + *must not* be present when using any other profile. + items: + type: string + type: array + description: + description: An optional description of this resource. + type: string + minTlsVersion: + description: |- + The minimum version of SSL protocol that can be used by the clients + to establish a connection with the load balancer. This can be one of + 'TLS_1_0', 'TLS_1_1', 'TLS_1_2'. + Default is 'TLS_1_0'. + type: string + profile: + description: |- + Profile specifies the set of SSL features that can be used by the + load balancer when negotiating SSL with clients. This can be one of + 'COMPATIBLE', 'MODERN', 'RESTRICTED', or 'CUSTOM'. If using 'CUSTOM', + the set of SSL features to enable must be specified in the + 'customFeatures' field. + + See the [official documentation](https://cloud.google.com/compute/docs/load-balancing/ssl-policies#profilefeaturesupport) + for information on what cipher suites each profile provides. If + 'CUSTOM' is used, the 'custom_features' attribute **must be set**. + Default is 'COMPATIBLE'. + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. 
+ type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + enabledFeatures: + description: The list of features enabled in the SSL policy. + items: + type: string + type: array + fingerprint: + description: |- + Fingerprint of this resource. A hash of the contents stored in this + object. This field is used in optimistic locking. + type: string + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computesubnetworks.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeSubnetwork + plural: computesubnetworks + shortNames: + - gcpcomputesubnetwork + - gcpcomputesubnetworks + singular: computesubnetwork + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: |- + An optional description of this resource. Provide this property when + you create the resource. This field can be set only at resource + creation time. + type: string + ipCidrRange: + description: |- + The range of internal addresses that are owned by this subnetwork. + Provide this property when you create the subnetwork. For example, + 10.0.0.0/8 or 192.168.0.0/16. Ranges must be unique and + non-overlapping within a network. Only IPv4 is supported. + type: string + logConfig: + description: |- + Denotes the logging options for the subnetwork flow logs. If logging is enabled + logs will be exported to Stackdriver. This field cannot be set if the 'purpose' of this + subnetwork is 'INTERNAL_HTTPS_LOAD_BALANCER' + properties: + aggregationInterval: + description: |- + Can only be specified if VPC flow logging for this subnetwork is enabled. + Toggles the aggregation interval for collecting flow logs. Increasing the + interval time will reduce the amount of generated flow logs for long + lasting connections. Default is an interval of 5 seconds per connection. + Possible values are INTERVAL_5_SEC, INTERVAL_30_SEC, INTERVAL_1_MIN, + INTERVAL_5_MIN, INTERVAL_10_MIN, INTERVAL_15_MIN + type: string + flowSampling: + description: |- + Can only be specified if VPC flow logging for this subnetwork is enabled. + The value of the field must be in [0, 1]. Set the sampling rate of VPC + flow logs within the subnetwork where 1.0 means all collected logs are + reported and 0.0 means no logs are reported. Default is 0.5 which means + half of all collected logs are reported. + type: number + metadata: + description: |- + Can only be specified if VPC flow logging for this subnetwork is enabled. + Configures whether metadata fields should be added to the reported VPC + flow logs. 
Default is 'INCLUDE_ALL_METADATA'. + type: string + type: object + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + privateIpGoogleAccess: + description: |- + When enabled, VMs in this subnetwork without external IP addresses can + access Google APIs and services by using Private Google Access. + type: boolean + purpose: + description: |- + The purpose of the resource. This field can be either PRIVATE + or INTERNAL_HTTPS_LOAD_BALANCER. A subnetwork with purpose set to + INTERNAL_HTTPS_LOAD_BALANCER is a user-created subnetwork that is + reserved for Internal HTTP(S) Load Balancing. If unspecified, the + purpose defaults to PRIVATE. + + If set to INTERNAL_HTTPS_LOAD_BALANCER you must also set the role. + type: string + region: + description: URL of the GCP region for this subnetwork. + type: string + role: + description: |- + The role of subnetwork. Currently, this field is only used when + purpose = INTERNAL_HTTPS_LOAD_BALANCER. The value can be set to ACTIVE + or BACKUP. An ACTIVE subnetwork is one that is currently being used + for Internal HTTP(S) Load Balancing. A BACKUP subnetwork is one that + is ready to be promoted to ACTIVE or is currently draining. + type: string + secondaryIpRange: + items: + properties: + ipCidrRange: + description: |- + The range of IP addresses belonging to this subnetwork secondary + range. Provide this property when you create the subnetwork. + Ranges must be unique and non-overlapping with all primary and + secondary IP ranges within a network. 
Only IPv4 is supported. + type: string + rangeName: + description: |- + The name associated with this subnetwork secondary range, used + when adding an alias IP range to a VM instance. The name must + be 1-63 characters long, and comply with RFC1035. The name + must be unique within the subnetwork. + type: string + required: + - ipCidrRange + - rangeName + type: object + type: array + required: + - ipCidrRange + - networkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + fingerprint: + description: DEPRECATED — This field is not useful for users, and has + been removed as an output. Fingerprint of this resource. This field + is used internally during updates of this resource. + type: string + gatewayAddress: + description: |- + The gateway address for default routes to reach destination addresses + outside this subnetwork. 
+ type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computetargethttpproxies.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeTargetHTTPProxy + plural: computetargethttpproxies + shortNames: + - gcpcomputetargethttpproxy + - gcpcomputetargethttpproxies + singular: computetargethttpproxy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + location: + description: Location represents the geographical location of the ComputeTargetHTTPProxy. + Specify "global" for global resources. 
+ type: string + urlMapRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - location + - urlMapRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + proxyId: + description: The unique identifier for the resource. 
+ type: integer + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computetargethttpsproxies.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeTargetHTTPSProxy + plural: computetargethttpsproxies + shortNames: + - gcpcomputetargethttpsproxy + - gcpcomputetargethttpsproxies + singular: computetargethttpsproxy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + location: + description: Location represents the geographical location of the ComputeTargetHTTPSProxy. + Specify "global" for global resources. + type: string + quicOverride: + description: |- + Specifies the QUIC override policy for this resource. 
This determines + whether the load balancer will attempt to negotiate QUIC with clients + or not. Can specify one of NONE, ENABLE, or DISABLE. If NONE is + specified, uses the QUIC policy with no user overrides, which is + equivalent to DISABLE. Not specifying this field is equivalent to + specifying NONE. + type: string + sslCertificates: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + sslPolicyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + urlMapRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - location + - sslCertificates + - urlMapRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + proxyId: + description: The unique identifier for the resource. 
+ type: integer + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computetargetinstances.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeTargetInstance + plural: computetargetinstances + shortNames: + - gcpcomputetargetinstance + - gcpcomputetargetinstances + singular: computetargetinstance + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + instanceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + natPolicy: + description: |- + NAT option controlling how IPs are NAT'ed to the instance. + Currently only NO_NAT (default value) is supported. + type: string + zone: + description: URL of the zone where the target instance resides. + type: string + required: + - instanceRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. 
+ type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computetargetpools.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeTargetPool + plural: computetargetpools + shortNames: + - gcpcomputetargetpool + - gcpcomputetargetpools + singular: computetargetpool + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + backupTargetPoolRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + description: + type: string + failoverRatio: + type: number + healthChecks: + items: + properties: + httpHealthCheckRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + type: array + instances: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + region: + type: string + sessionAffinity: + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. 
+ type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computetargetsslproxies.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeTargetSSLProxy + plural: computetargetsslproxies + shortNames: + - gcpcomputetargetsslproxy + - gcpcomputetargetsslproxies + singular: computetargetsslproxy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + description: + description: An optional description of this resource. + type: string + proxyHeader: + description: |- + Specifies the type of proxy header to append before sending data to + the backend, either NONE or PROXY_V1. The default is NONE. + type: string + sslCertificates: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + sslPolicyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - backendServiceRef + - sslCertificates + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + proxyId: + description: The unique identifier for the resource. 
+ type: integer + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computetargettcpproxies.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeTargetTCPProxy + plural: computetargettcpproxies + shortNames: + - gcpcomputetargettcpproxy + - gcpcomputetargettcpproxies + singular: computetargettcpproxy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + description: + description: An optional description of this resource. + type: string + proxyHeader: + description: |- + Specifies the type of proxy header to append before sending data to + the backend, either NONE or PROXY_V1. The default is NONE. + type: string + required: + - backendServiceRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + proxyId: + description: The unique identifier for the resource. 
+ type: integer + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computetargetvpngateways.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeTargetVPNGateway + plural: computetargetvpngateways + shortNames: + - gcpcomputetargetvpngateway + - gcpcomputetargetvpngateways + singular: computetargetvpngateway + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + region: + description: The region this gateway should sit in. + type: string + required: + - networkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + gatewayId: + description: The unique identifier for the resource. 
+ type: integer + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computeurlmaps.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeURLMap + plural: computeurlmaps + shortNames: + - gcpcomputeurlmap + - gcpcomputeurlmaps + singular: computeurlmap + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + defaultService: + properties: + backendBucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + description: + description: |- + An optional description of this resource. Provide this property when you create + the resource. + type: string + headerAction: + description: |- + Specifies changes to request and response headers that need to take effect for + the selected backendService. The headerAction specified here take effect after + headerAction specified under pathMatcher. + properties: + requestHeadersToAdd: + description: |- + Headers to add to a matching request prior to forwarding the request to the + backendService. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + requestHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the request + prior to forwarding the request to the backendService. 
+ items: + type: string + type: array + responseHeadersToAdd: + description: Headers to add the response prior to sending the response + back to the client. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + responseHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the response + prior to sending the response back to the client. + items: + type: string + type: array + type: object + hostRule: + description: The list of HostRules to use against the URL. + items: + properties: + description: + description: |- + An optional description of this resource. Provide this property when you create + the resource. + type: string + hosts: + description: |- + The list of host patterns to match. They must be valid hostnames, except * will + match any string of ([a-z0-9-.]*). In that case, * must be the first character + and must be followed in the pattern by either - or .. + items: + type: string + type: array + pathMatcher: + description: |- + The name of the PathMatcher to use to match the path portion of the URL if the + hostRule matches the URL's host portion. + type: string + required: + - hosts + - pathMatcher + type: object + type: array + location: + description: Location represents the geographical location of the ComputeURLMap. + Specify "global" for global resources. + type: string + pathMatcher: + description: The list of named PathMatchers to use against the URL. 
+ items: + properties: + defaultService: + properties: + backendBucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + description: + description: |- + An optional description of this resource. Provide this property when you create + the resource. + type: string + headerAction: + description: |- + Specifies changes to request and response headers that need to take effect for + the selected backendService. HeaderAction specified here are applied after the + matching HttpRouteRule HeaderAction and before the HeaderAction in the UrlMap + properties: + requestHeadersToAdd: + description: |- + Headers to add to a matching request prior to forwarding the request to the + backendService. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header to add. 
+ type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + requestHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the request + prior to forwarding the request to the backendService. + items: + type: string + type: array + responseHeadersToAdd: + description: Headers to add the response prior to sending + the response back to the client. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + responseHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the response + prior to sending the response back to the client. + items: + type: string + type: array + type: object + name: + description: The name to which this PathMatcher is referred by + the HostRule. + type: string + pathRule: + description: |- + The list of path rules. Use this list instead of routeRules when routing based + on simple path matching is all that's required. The order by which path rules + are specified does not matter. Matches are always done on the longest-path-first + basis. For example: a pathRule with a path /a/b/c/* will match before /a/b/* + irrespective of the order in which those paths appear in this list. Within a + given pathMatcher, only one of pathRules or routeRules must be set. 
+ items: + properties: + paths: + description: |- + The list of path patterns to match. Each must start with / and the only place a + * is allowed is at the end following a /. The string fed to the path matcher + does not include any text after the first ? or #, and those chars are not + allowed here. + items: + type: string + type: array + routeAction: + description: |- + In response to a matching path, the load balancer performs advanced routing + actions like URL rewrites, header transformations, etc. prior to forwarding the + request to the selected backend. If routeAction specifies any + weightedBackendServices, service must not be set. Conversely if service is set, + routeAction cannot contain any weightedBackendServices. Only one of routeAction + or urlRedirect must be set. + properties: + corsPolicy: + description: |- + The specification for allowing client side cross-origin requests. Please see W3C + Recommendation for Cross Origin Resource Sharing + properties: + allowCredentials: + description: |- + In response to a preflight request, setting this to true indicates that the + actual request can include user credentials. This translates to the Access- + Control-Allow-Credentials header. Defaults to false. + type: boolean + allowHeaders: + description: Specifies the content for the Access-Control-Allow-Headers + header. + items: + type: string + type: array + allowMethods: + description: Specifies the content for the Access-Control-Allow-Methods + header. + items: + type: string + type: array + allowOriginRegexes: + description: |- + Specifies the regualar expression patterns that match allowed origins. For + regular expression grammar please see en.cppreference.com/w/cpp/regex/ecmascript + An origin is allowed if it matches either allow_origins or allow_origin_regex. + items: + type: string + type: array + allowOrigins: + description: |- + Specifies the list of origins that will be allowed to do CORS requests. 
An + origin is allowed if it matches either allow_origins or allow_origin_regex. + items: + type: string + type: array + disabled: + description: If true, specifies the CORS policy + is disabled. + type: boolean + exposeHeaders: + description: Specifies the content for the Access-Control-Expose-Headers + header. + items: + type: string + type: array + maxAge: + description: |- + Specifies how long the results of a preflight request can be cached. This + translates to the content for the Access-Control-Max-Age header. + type: integer + required: + - disabled + type: object + faultInjectionPolicy: + description: |- + The specification for fault injection introduced into traffic to test the + resiliency of clients to backend service failure. As part of fault injection, + when clients send requests to a backend service, delays can be introduced by + Loadbalancer on a percentage of requests before sending those request to the + backend service. Similarly requests from clients can be aborted by the + Loadbalancer for a percentage of requests. timeout and retry_policy will be + ignored by clients that are configured with a fault_injection_policy. + properties: + abort: + description: |- + The specification for how client requests are aborted as part of fault + injection. + properties: + httpStatus: + description: |- + The HTTP status code used to abort the request. The value must be between 200 + and 599 inclusive. + type: integer + percentage: + description: |- + The percentage of traffic (connections/operations/requests) which will be + aborted as part of fault injection. The value must be between 0.0 and 100.0 + inclusive. + type: number + required: + - httpStatus + - percentage + type: object + delay: + description: |- + The specification for how client requests are delayed as part of fault + injection, before being sent to a backend service. + properties: + fixedDelay: + description: Specifies the value of the fixed + delay interval. 
+ properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. + type: string + required: + - seconds + type: object + percentage: + description: |- + The percentage of traffic (connections/operations/requests) on which delay will + be introduced as part of fault injection. The value must be between 0.0 and + 100.0 inclusive. + type: number + required: + - fixedDelay + - percentage + type: object + type: object + requestMirrorPolicy: + description: |- + Specifies the policy on how requests intended for the route's backends are + shadowed to a separate mirrored backend service. Loadbalancer does not wait for + responses from the shadow service. Prior to sending traffic to the shadow + service, the host / authority header is suffixed with -shadow. + properties: + backendService: + description: The BackendService resource being mirrored + to. + type: string + required: + - backendService + type: object + retryPolicy: + description: Specifies the retry policy associated with + this route. + properties: + numRetries: + description: Specifies the allowed number retries. + This number must be > 0. + type: integer + perTryTimeout: + description: Specifies a non-zero timeout per retry + attempt. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. 
+ type: string + required: + - seconds + type: object + retryConditions: + description: |- + Specifies one or more conditions when this retry rule applies. Valid values are: + - 5xx: Loadbalancer will attempt a retry if the backend service responds with + any 5xx response code, or if the backend service does not respond at all, + example: disconnects, reset, read timeout, connection failure, and refused + streams. + - gateway-error: Similar to 5xx, but only applies to response codes + 502, 503 or 504. + - connect-failure: Loadbalancer will retry on failures + connecting to backend services, for example due to connection timeouts. + - retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. + Currently the only retriable error supported is 409. + - refused-stream: Loadbalancer will retry if the backend service resets the stream with a + REFUSED_STREAM error code. This reset type indicates that it is safe to retry. + - cancelled: Loadbalancer will retry if the gRPC status code in the response + header is set to cancelled + - deadline-exceeded: Loadbalancer will retry if the + gRPC status code in the response header is set to deadline-exceeded + - resource-exhausted: Loadbalancer will retry if the gRPC status code in the response + header is set to resource-exhausted + - unavailable: Loadbalancer will retry if + the gRPC status code in the response header is set to unavailable + items: + type: string + type: array + type: object + timeout: + description: |- + Specifies the timeout for the selected route. Timeout is computed from the time + the request is has been fully processed (i.e. end-of-stream) up until the + response has been completely processed. Timeout includes all retries. If not + specified, the default value is 15 seconds. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. 
Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. + type: string + required: + - seconds + type: object + urlRewrite: + description: |- + The spec to modify the URL of the request, prior to forwarding the request to + the matched service + properties: + hostRewrite: + description: |- + Prior to forwarding the request to the selected service, the request's host + header is replaced with contents of hostRewrite. The value must be between 1 and + 255 characters. + type: string + pathPrefixRewrite: + description: |- + Prior to forwarding the request to the selected backend service, the matching + portion of the request's path is replaced by pathPrefixRewrite. The value must + be between 1 and 1024 characters. + type: string + type: object + weightedBackendServices: + description: |- + A list of weighted backend services to send traffic to when a route match + occurs. The weights determine the fraction of traffic that flows to their + corresponding backend service. If all traffic needs to go to a single backend + service, there must be one weightedBackendService with weight set to a non 0 + number. Once a backendService is identified and before forwarding the request to + the backend service, advanced routing actions like Url rewrites and header + transformations are applied depending on additional settings specified in this + HttpRouteAction. + items: + properties: + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + headerAction: + description: |- + Specifies changes to request and response headers that need to take effect for + the selected backendService. headerAction specified here take effect before + headerAction in the enclosing HttpRouteRule, PathMatcher and UrlMap. + properties: + requestHeadersToAdd: + description: |- + Headers to add to a matching request prior to forwarding the request to the + backendService. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header + to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + requestHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the request + prior to forwarding the request to the backendService. + items: + type: string + type: array + responseHeadersToAdd: + description: Headers to add the response prior + to sending the response back to the client. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header + to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. 
+ type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + responseHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the response + prior to sending the response back to the client. + items: + type: string + type: array + type: object + weight: + description: |- + Specifies the fraction of traffic sent to backendService, computed as weight / + (sum of all weightedBackendService weights in routeAction) . The selection of a + backend service is determined only for new traffic. Once a user's request has + been directed to a backendService, subsequent requests will be sent to the same + backendService as determined by the BackendService's session affinity policy. + The value must be between 0 and 1000 + type: integer + required: + - backendServiceRef + - weight + type: object + type: array + type: object + service: + properties: + backendBucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + urlRedirect: + description: |- + When a path pattern is matched, the request is redirected to a URL specified by + urlRedirect. If urlRedirect is specified, service or routeAction must not be + set. + properties: + hostRedirect: + description: |- + The host that will be used in the redirect response instead of the one that was + supplied in the request. The value must be between 1 and 255 characters. + type: string + httpsRedirect: + description: |- + If set to true, the URL scheme in the redirected request is set to https. If set + to false, the URL scheme of the redirected request will remain the same as that + of the request. This must only be set for UrlMaps used in TargetHttpProxys. + Setting this true for TargetHttpsProxy is not permitted. Defaults to false. + type: boolean + pathRedirect: + description: |- + The path that will be used in the redirect response instead of the one that was + supplied in the request. Only one of pathRedirect or prefixRedirect must be + specified. The value must be between 1 and 1024 characters. + type: string + prefixRedirect: + description: |- + The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, + retaining the remaining portion of the URL before redirecting the request. + type: string + redirectResponseCode: + description: |- + The HTTP Status code to use for this RedirectAction. Supported values are: + - MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. + - FOUND, which corresponds to 302. + - SEE_OTHER which corresponds to 303. + - TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method + will be retained. + - PERMANENT_REDIRECT, which corresponds to 308. In this case, + the request method will be retained. 
+ type: string + stripQuery: + description: |- + If set to true, any accompanying query portion of the original URL is removed + prior to redirecting the request. If set to false, the query portion of the + original URL is retained. + type: boolean + required: + - stripQuery + type: object + required: + - paths + type: object + type: array + routeRules: + description: |- + The list of ordered HTTP route rules. Use this list instead of pathRules when + advanced route matching and routing actions are desired. The order of specifying + routeRules matters: the first rule that matches will cause its specified routing + action to take effect. Within a given pathMatcher, only one of pathRules or + routeRules must be set. routeRules are not supported in UrlMaps intended for + External load balancers. + items: + properties: + headerAction: + description: |- + Specifies changes to request and response headers that need to take effect for + the selected backendService. The headerAction specified here are applied before + the matching pathMatchers[].headerAction and after pathMatchers[].routeRules[].r + outeAction.weightedBackendService.backendServiceWeightAction[].headerAction + properties: + requestHeadersToAdd: + description: |- + Headers to add to a matching request prior to forwarding the request to the + backendService. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + requestHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the request + prior to forwarding the request to the backendService. 
+ items: + type: string + type: array + responseHeadersToAdd: + description: Headers to add the response prior to sending + the response back to the client. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + responseHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the response + prior to sending the response back to the client. + items: + type: string + type: array + type: object + matchRules: + description: The rules for determining a match. + items: + properties: + fullPathMatch: + description: |- + For satifying the matchRule condition, the path of the request must exactly + match the value specified in fullPathMatch after removing any query parameters + and anchor that may be part of the original URL. FullPathMatch must be between 1 + and 1024 characters. Only one of prefixMatch, fullPathMatch or regexMatch must + be specified. + type: string + headerMatches: + description: |- + Specifies a list of header match criteria, all of which must match corresponding + headers in the request. + items: + properties: + exactMatch: + description: |- + The value should exactly match contents of exactMatch. Only one of exactMatch, + prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set. + type: string + headerName: + description: |- + The name of the HTTP header to match. For matching against the HTTP request's + authority, use a headerMatch with the header name ":authority". For matching a + request's method, use the headerName ":method". 
+ type: string + invertMatch: + description: |- + If set to false, the headerMatch is considered a match if the match criteria + above are met. If set to true, the headerMatch is considered a match if the + match criteria above are NOT met. Defaults to false. + type: boolean + prefixMatch: + description: |- + The value of the header must start with the contents of prefixMatch. Only one of + exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch + must be set. + type: string + presentMatch: + description: |- + A header with the contents of headerName must exist. The match takes place + whether or not the request's header has a value or not. Only one of exactMatch, + prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set. + type: boolean + rangeMatch: + description: |- + The header value must be an integer and its value must be in the range specified + in rangeMatch. If the header does not contain an integer, number or is empty, + the match fails. For example for a range [-5, 0] - -3 will match. - 0 will + not match. - 0.25 will not match. - -3someString will not match. Only one of + exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch + must be set. + properties: + rangeEnd: + description: The end of the range (exclusive). + type: integer + rangeStart: + description: The start of the range (inclusive). + type: integer + required: + - rangeEnd + - rangeStart + type: object + regexMatch: + description: |- + The value of the header must match the regualar expression specified in + regexMatch. For regular expression grammar, please see: + en.cppreference.com/w/cpp/regex/ecmascript For matching against a port + specified in the HTTP request, use a headerMatch with headerName set to PORT and + a regular expression that satisfies the RFC2616 Host header's port specifier. + Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or + rangeMatch must be set. 
+ type: string + suffixMatch: + description: |- + The value of the header must end with the contents of suffixMatch. Only one of + exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch + must be set. + type: string + required: + - headerName + type: object + type: array + ignoreCase: + description: |- + Specifies that prefixMatch and fullPathMatch matches are case sensitive. + Defaults to false. + type: boolean + metadataFilters: + description: |- + Opaque filter criteria used by Loadbalancer to restrict routing configuration to + a limited set xDS compliant clients. In their xDS requests to Loadbalancer, xDS + clients present node metadata. If a match takes place, the relevant routing + configuration is made available to those proxies. For each metadataFilter in + this list, if its filterMatchCriteria is set to MATCH_ANY, at least one of the + filterLabels must match the corresponding label provided in the metadata. If its + filterMatchCriteria is set to MATCH_ALL, then all of its filterLabels must match + with corresponding labels in the provided metadata. metadataFilters specified + here can be overrides those specified in ForwardingRule that refers to this + UrlMap. metadataFilters only applies to Loadbalancers that have their + loadBalancingScheme set to INTERNAL_SELF_MANAGED. + items: + properties: + filterLabels: + description: |- + The list of label value pairs that must match labels in the provided metadata + based on filterMatchCriteria This list must not be empty and can have at the + most 64 entries. + items: + properties: + name: + description: |- + Name of metadata label. The name can have a maximum length of 1024 characters + and must be at least 1 character long. + type: string + value: + description: |- + The value of the label must match the specified value. value can have a maximum + length of 1024 characters. 
+ type: string + required: + - name + - value + type: object + type: array + filterMatchCriteria: + description: |- + Specifies how individual filterLabel matches within the list of filterLabels + contribute towards the overall metadataFilter match. Supported values are: + - MATCH_ANY: At least one of the filterLabels must have a matching label in the + provided metadata. + - MATCH_ALL: All filterLabels must have matching labels in + the provided metadata. + type: string + required: + - filterLabels + - filterMatchCriteria + type: object + type: array + prefixMatch: + description: |- + For satifying the matchRule condition, the request's path must begin with the + specified prefixMatch. prefixMatch must begin with a /. The value must be + between 1 and 1024 characters. Only one of prefixMatch, fullPathMatch or + regexMatch must be specified. + type: string + queryParameterMatches: + description: |- + Specifies a list of query parameter match criteria, all of which must match + corresponding query parameters in the request. + items: + properties: + exactMatch: + description: |- + The queryParameterMatch matches if the value of the parameter exactly matches + the contents of exactMatch. Only one of presentMatch, exactMatch and regexMatch + must be set. + type: string + name: + description: |- + The name of the query parameter to match. The query parameter must exist in the + request, in the absence of which the request match fails. + type: string + presentMatch: + description: |- + Specifies that the queryParameterMatch matches if the request contains the query + parameter, irrespective of whether the parameter has a value or not. Only one of + presentMatch, exactMatch and regexMatch must be set. + type: boolean + regexMatch: + description: |- + The queryParameterMatch matches if the value of the parameter matches the + regular expression specified by regexMatch. 
For the regular expression grammar, + please see en.cppreference.com/w/cpp/regex/ecmascript Only one of presentMatch, + exactMatch and regexMatch must be set. + type: string + required: + - name + type: object + type: array + regexMatch: + description: |- + For satifying the matchRule condition, the path of the request must satisfy the + regular expression specified in regexMatch after removing any query parameters + and anchor supplied with the original URL. For regular expression grammar please + see en.cppreference.com/w/cpp/regex/ecmascript Only one of prefixMatch, + fullPathMatch or regexMatch must be specified. + type: string + type: object + type: array + priority: + description: |- + For routeRules within a given pathMatcher, priority determines the order + in which load balancer will interpret routeRules. RouteRules are evaluated + in order of priority, from the lowest to highest number. The priority of + a rule decreases as its number increases (1, 2, 3, N+1). The first rule + that matches the request is applied. + + You cannot configure two or more routeRules with the same priority. + Priority for each rule must be set to a number between 0 and + 2147483647 inclusive. + + Priority numbers can have gaps, which enable you to add or remove rules + in the future without affecting the rest of the rules. For example, + 1, 2, 3, 4, 5, 9, 12, 16 is a valid series of priority numbers to which + you could add rules numbered from 6 to 8, 10 to 11, and 13 to 15 in the + future without any impact on existing rules. + type: integer + routeAction: + description: |- + In response to a matching matchRule, the load balancer performs advanced routing + actions like URL rewrites, header transformations, etc. prior to forwarding the + request to the selected backend. If routeAction specifies any + weightedBackendServices, service must not be set. Conversely if service is set, + routeAction cannot contain any weightedBackendServices. 
Only one of routeAction + or urlRedirect must be set. + properties: + corsPolicy: + description: |- + The specification for allowing client side cross-origin requests. Please see W3C + Recommendation for Cross Origin Resource Sharing + properties: + allowCredentials: + description: |- + In response to a preflight request, setting this to true indicates that the + actual request can include user credentials. This translates to the Access- + Control-Allow-Credentials header. Defaults to false. + type: boolean + allowHeaders: + description: Specifies the content for the Access-Control-Allow-Headers + header. + items: + type: string + type: array + allowMethods: + description: Specifies the content for the Access-Control-Allow-Methods + header. + items: + type: string + type: array + allowOriginRegexes: + description: |- + Specifies the regualar expression patterns that match allowed origins. For + regular expression grammar please see en.cppreference.com/w/cpp/regex/ecmascript + An origin is allowed if it matches either allow_origins or allow_origin_regex. + items: + type: string + type: array + allowOrigins: + description: |- + Specifies the list of origins that will be allowed to do CORS requests. An + origin is allowed if it matches either allow_origins or allow_origin_regex. + items: + type: string + type: array + disabled: + description: |- + If true, specifies the CORS policy is disabled. + which indicates that the CORS policy is in effect. Defaults to false. + type: boolean + exposeHeaders: + description: Specifies the content for the Access-Control-Expose-Headers + header. + items: + type: string + type: array + maxAge: + description: |- + Specifies how long the results of a preflight request can be cached. This + translates to the content for the Access-Control-Max-Age header. 
+ type: integer + type: object + faultInjectionPolicy: + description: |- + The specification for fault injection introduced into traffic to test the + resiliency of clients to backend service failure. As part of fault injection, + when clients send requests to a backend service, delays can be introduced by + Loadbalancer on a percentage of requests before sending those request to the + backend service. Similarly requests from clients can be aborted by the + Loadbalancer for a percentage of requests. timeout and retry_policy will be + ignored by clients that are configured with a fault_injection_policy. + properties: + abort: + description: |- + The specification for how client requests are aborted as part of fault + injection. + properties: + httpStatus: + description: |- + The HTTP status code used to abort the request. The value must be between 200 + and 599 inclusive. + type: integer + percentage: + description: |- + The percentage of traffic (connections/operations/requests) which will be + aborted as part of fault injection. The value must be between 0.0 and 100.0 + inclusive. + type: number + type: object + delay: + description: |- + The specification for how client requests are delayed as part of fault + injection, before being sent to a backend service. + properties: + fixedDelay: + description: Specifies the value of the fixed + delay interval. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. + type: string + required: + - seconds + type: object + percentage: + description: |- + The percentage of traffic (connections/operations/requests) on which delay will + be introduced as part of fault injection. 
The value must be between 0.0 and + 100.0 inclusive. + type: number + type: object + type: object + requestMirrorPolicy: + description: |- + Specifies the policy on how requests intended for the route's backends are + shadowed to a separate mirrored backend service. Loadbalancer does not wait for + responses from the shadow service. Prior to sending traffic to the shadow + service, the host / authority header is suffixed with -shadow. + properties: + backendService: + description: The BackendService resource being mirrored + to. + type: string + required: + - backendService + type: object + retryPolicy: + description: Specifies the retry policy associated with + this route. + properties: + numRetries: + description: Specifies the allowed number retries. + This number must be > 0. + type: integer + perTryTimeout: + description: |- + Specifies a non-zero timeout per retry attempt. + If not specified, will use the timeout set in HttpRouteAction. If timeout in HttpRouteAction + is not set, will use the largest timeout among all backend services associated with the route. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. + type: string + required: + - seconds + type: object + retryConditions: + description: |- + Specfies one or more conditions when this retry rule applies. Valid values are: + - 5xx: Loadbalancer will attempt a retry if the backend service responds with + any 5xx response code, or if the backend service does not respond at all, + example: disconnects, reset, read timeout, connection failure, and refused + streams. + - gateway-error: Similar to 5xx, but only applies to response codes + 502, 503 or 504. 
+ - connect-failure: Loadbalancer will retry on failures + connecting to backend services, for example due to connection timeouts. + - retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. + Currently the only retriable error supported is 409. + - refused-stream: Loadbalancer will retry if the backend service resets the stream with a + REFUSED_STREAM error code. This reset type indicates that it is safe to retry. + - cancelled: Loadbalancer will retry if the gRPC status code in the response + header is set to cancelled + - deadline-exceeded: Loadbalancer will retry if the + gRPC status code in the response header is set to deadline-exceeded + - resource-exhausted: Loadbalancer will retry if the gRPC status code in the response + header is set to resource-exhausted + - unavailable: Loadbalancer will retry if the gRPC status code in + the response header is set to unavailable + items: + type: string + type: array + required: + - numRetries + type: object + timeout: + description: |- + Specifies the timeout for the selected route. Timeout is computed from the time + the request is has been fully processed (i.e. end-of-stream) up until the + response has been completely processed. Timeout includes all retries. If not + specified, the default value is 15 seconds. + properties: + nanos: + description: |- + Span of time that's a fraction of a second at nanosecond resolution. Durations + less than one second are represented with a 0 'seconds' field and a positive + 'nanos' field. Must be from 0 to 999,999,999 inclusive. + type: integer + seconds: + description: |- + Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 + inclusive. 
+ type: string + required: + - seconds + type: object + urlRewrite: + description: |- + The spec to modify the URL of the request, prior to forwarding the request to + the matched service + properties: + hostRewrite: + description: |- + Prior to forwarding the request to the selected service, the request's host + header is replaced with contents of hostRewrite. The value must be between 1 and + 255 characters. + type: string + pathPrefixRewrite: + description: |- + Prior to forwarding the request to the selected backend service, the matching + portion of the request's path is replaced by pathPrefixRewrite. The value must + be between 1 and 1024 characters. + type: string + type: object + weightedBackendServices: + description: |- + A list of weighted backend services to send traffic to when a route match + occurs. The weights determine the fraction of traffic that flows to their + corresponding backend service. If all traffic needs to go to a single backend + service, there must be one weightedBackendService with weight set to a non 0 + number. Once a backendService is identified and before forwarding the request to + the backend service, advanced routing actions like Url rewrites and header + transformations are applied depending on additional settings specified in this + HttpRouteAction. + items: + properties: + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + headerAction: + description: |- + Specifies changes to request and response headers that need to take effect for + the selected backendService. headerAction specified here take effect before + headerAction in the enclosing HttpRouteRule, PathMatcher and UrlMap. + properties: + requestHeadersToAdd: + description: |- + Headers to add to a matching request prior to forwarding the request to the + backendService. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header + to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. + type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + requestHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the request + prior to forwarding the request to the backendService. + items: + type: string + type: array + responseHeadersToAdd: + description: Headers to add the response prior + to sending the response back to the client. + items: + properties: + headerName: + description: The name of the header. + type: string + headerValue: + description: The value of the header + to add. + type: string + replace: + description: |- + If false, headerValue is appended to any values that already exist for the + header. If true, headerValue is set for the header, discarding any values that + were set for that header. 
+ type: boolean + required: + - headerName + - headerValue + - replace + type: object + type: array + responseHeadersToRemove: + description: |- + A list of header names for headers that need to be removed from the response + prior to sending the response back to the client. + items: + type: string + type: array + type: object + weight: + description: |- + Specifies the fraction of traffic sent to backendService, computed as weight / + (sum of all weightedBackendService weights in routeAction) . The selection of a + backend service is determined only for new traffic. Once a user's request has + been directed to a backendService, subsequent requests will be sent to the same + backendService as determined by the BackendService's session affinity policy. + The value must be between 0 and 1000 + type: integer + required: + - backendServiceRef + - weight + type: object + type: array + type: object + service: + description: |- + The backend service resource to which traffic is + directed if this rule is matched. If routeAction is additionally specified, + advanced routing actions like URL Rewrites, etc. take effect prior to sending + the request to the backend. However, if service is specified, routeAction cannot + contain any weightedBackendService s. Conversely, if routeAction specifies any + weightedBackendServices, service must not be specified. Only one of urlRedirect, + service or routeAction.weightedBackendService must be set. + type: string + urlRedirect: + description: |- + When this rule is matched, the request is redirected to a URL specified by + urlRedirect. If urlRedirect is specified, service or routeAction must not be + set. + properties: + hostRedirect: + description: |- + The host that will be used in the redirect response instead of the one that was + supplied in the request. The value must be between 1 and 255 characters. + type: string + httpsRedirect: + description: |- + If set to true, the URL scheme in the redirected request is set to https. 
If set + to false, the URL scheme of the redirected request will remain the same as that + of the request. This must only be set for UrlMaps used in TargetHttpProxys. + Setting this true for TargetHttpsProxy is not permitted. Defaults to false. + type: boolean + pathRedirect: + description: |- + The path that will be used in the redirect response instead of the one that was + supplied in the request. Only one of pathRedirect or prefixRedirect must be + specified. The value must be between 1 and 1024 characters. + type: string + prefixRedirect: + description: |- + The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, + retaining the remaining portion of the URL before redirecting the request. + type: string + redirectResponseCode: + description: |- + The HTTP Status code to use for this RedirectAction. Supported values are: - + MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. - + FOUND, which corresponds to 302. - SEE_OTHER which corresponds to 303. - + TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method + will be retained. - PERMANENT_REDIRECT, which corresponds to 308. In this case, + the request method will be retained. + type: string + stripQuery: + description: |- + If set to true, any accompanying query portion of the original URL is removed + prior to redirecting the request. If set to false, the query portion of the + original URL is retained. Defaults to false. + type: boolean + type: object + required: + - priority + type: object + type: array + required: + - name + type: object + type: array + test: + description: |- + The list of expected URL mapping tests. Request to update this UrlMap will + succeed only if all of the test cases pass. You can specify a maximum of 100 + tests per UrlMap. + items: + properties: + description: + description: Description of this test case. + type: string + host: + description: Host portion of the URL. 
+ type: string + path: + description: Path portion of the URL. + type: string + service: + properties: + backendBucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + backendServiceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + required: + - host + - path + - service + type: object + type: array + required: + - location + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + fingerprint: + description: |- + Fingerprint of this resource. A hash of the contents stored in this object. This + field is used in optimistic locking. + type: string + mapId: + description: The unique identifier for the resource. + type: integer + selfLink: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computevpngateways.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeVPNGateway + plural: computevpngateways + shortNames: + - gcpcomputevpngateway + - gcpcomputevpngateways + singular: computevpngateway + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. 
+ type: string + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + region: + description: The region this gateway should sit in. + type: string + required: + - networkRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + selfLink: + type: string + vpnInterfaces: + description: A list of interfaces on this VPN gateway. + items: + properties: + id: + description: The numeric ID of this VPN gateway interface. + type: integer + ipAddress: + description: The external IP address for this VPN gateway interface. 
+ type: string + type: object + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: computevpntunnels.compute.cnrm.cloud.google.com +spec: + group: compute.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ComputeVPNTunnel + plural: computevpntunnels + shortNames: + - gcpcomputevpntunnel + - gcpcomputevpntunnels + singular: computevpntunnel + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + description: An optional description of this resource. + type: string + ikeVersion: + description: |- + IKE protocol version to use when establishing the VPN tunnel with + peer VPN gateway. + Acceptable IKE versions are 1 or 2. Default version is 2. + type: integer + localTrafficSelector: + description: |- + Local traffic selector to use when establishing the VPN tunnel with + peer VPN gateway. 
The value should be a CIDR formatted string, + for example '192.168.0.0/16'. The ranges should be disjoint. + Only IPv4 is supported. + items: + type: string + type: array + peerExternalGatewayInterface: + description: The interface ID of the external VPN gateway to which this + VPN tunnel is connected. + type: integer + peerExternalGatewayRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + peerGCPGatewayRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + peerIp: + description: IP address of the peer VPN gateway. Only IPv4 is supported. + type: string + region: + description: The region where the tunnel is located. If unset, is set + to the region of 'target_vpn_gateway'. + type: string + remoteTrafficSelector: + description: |- + Remote traffic selector to use when establishing the VPN tunnel with + peer VPN gateway. The value should be a CIDR formatted string, + for example '192.168.0.0/16'. The ranges should be disjoint. + Only IPv4 is supported. 
+ items: + type: string + type: array + routerRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + sharedSecret: + description: |- + Shared secret used to set the secure session between the Cloud VPN + gateway and the peer VPN gateway. + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' is + specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if 'value' + is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in the + given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + targetVPNGatewayRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + vpnGatewayInterface: + description: The interface ID of the VPN gateway with which this VPN + tunnel is associated. + type: integer + vpnGatewayRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - sharedSecret + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + creationTimestamp: + description: Creation timestamp in RFC3339 text format. + type: string + detailedStatus: + description: Detailed status message for the VPN tunnel. + type: string + labelFingerprint: + description: |- + The fingerprint used for optimistic locking of this resource. Used + internally during updates. + type: string + selfLink: + type: string + sharedSecretHash: + description: Hash of the shared secret. 
+ type: string + tunnelId: + description: The unique identifier for the resource. This identifier + is defined by the server. + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: containerclusters.container.cnrm.cloud.google.com +spec: + group: container.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ContainerCluster + plural: containerclusters + shortNames: + - gcpcontainercluster + - gcpcontainerclusters + singular: containercluster + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + addonsConfig: + properties: + cloudrunConfig: + properties: + disabled: + type: boolean + required: + - disabled + type: object + horizontalPodAutoscaling: + properties: + disabled: + type: boolean + required: + - disabled + type: object + httpLoadBalancing: + properties: + disabled: + type: boolean + required: + - disabled + type: object + istioConfig: + properties: + auth: + type: string + disabled: + type: boolean + required: + - disabled + type: object + networkPolicyConfig: + properties: + disabled: + type: boolean + required: + - disabled + type: object + type: object + authenticatorGroupsConfig: + properties: + securityGroup: + type: string + required: + - securityGroup + type: object + clusterAutoscaling: + properties: + autoProvisioningDefaults: + properties: + oauthScopes: + items: + type: string + type: array + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: object + enabled: + type: boolean + resourceLimits: + items: + properties: + maximum: + type: integer + minimum: + type: integer + resourceType: + type: string + required: + - resourceType + type: object + type: array + required: + - enabled + type: object + clusterIpv4Cidr: + type: string + databaseEncryption: + properties: + keyName: + type: string + state: + type: string + required: + - state + type: object + defaultMaxPodsPerNode: + type: integer + description: + type: string + enableBinaryAuthorization: + type: boolean + enableIntranodeVisibility: + type: boolean + enableKubernetesAlpha: + type: boolean + enableLegacyAbac: + type: boolean + enableShieldedNodes: + type: boolean + enableTpu: + type: boolean + initialNodeCount: + type: integer + ipAllocationPolicy: + properties: + clusterIpv4CidrBlock: + type: string + clusterSecondaryRangeName: + type: string + servicesIpv4CidrBlock: + type: string + servicesSecondaryRangeName: + type: string + type: object + location: + type: string + loggingService: + type: string + maintenancePolicy: + properties: + dailyMaintenanceWindow: + properties: + duration: + type: string + startTime: + type: string + required: + - startTime + type: object + recurringWindow: + properties: + endTime: + type: string + recurrence: + type: string + startTime: + type: string + required: + - endTime + - recurrence + - startTime + type: object + type: object + masterAuth: + properties: + clientCertificate: + type: string + clientCertificateConfig: + properties: + issueClientCertificate: + type: boolean + required: + - issueClientCertificate + type: object + clientKey: + type: string + clusterCaCertificate: + type: string + password: + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. 
Cannot be used if 'valueFrom' + is specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if + 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + username: + type: string + type: object + masterAuthorizedNetworksConfig: + properties: + cidrBlocks: + items: + properties: + cidrBlock: + type: string + displayName: + type: string + required: + - cidrBlock + type: object + type: array + type: object + minMasterVersion: + type: string + monitoringService: + type: string + networkPolicy: + properties: + enabled: + type: boolean + provider: + type: string + required: + - enabled + type: object + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + nodeConfig: + properties: + diskSizeGb: + type: integer + diskType: + type: string + guestAccelerator: + items: + properties: + count: + type: integer + type: + type: string + required: + - count + - type + type: object + type: array + imageType: + type: string + labels: + additionalProperties: + type: string + type: object + localSsdCount: + type: integer + machineType: + type: string + metadata: + additionalProperties: + type: string + type: object + minCpuPlatform: + type: string + oauthScopes: + items: + type: string + type: array + preemptible: + type: boolean + sandboxConfig: + properties: + sandboxType: + type: string + required: + - sandboxType + type: object + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + shieldedInstanceConfig: + properties: + enableIntegrityMonitoring: + type: boolean + enableSecureBoot: + type: boolean + type: object + tags: + items: + type: string + type: array + taint: + items: + properties: + effect: + type: string + key: + type: string + value: + type: string + required: + - effect + - key + - value + type: object + type: array + workloadMetadataConfig: + properties: + nodeMetadata: + type: string + required: + - nodeMetadata + type: object + type: object + nodeLocations: + items: + type: string + type: array + nodeVersion: + type: string + podSecurityPolicyConfig: + properties: + enabled: + type: boolean + required: + - enabled + type: object + privateClusterConfig: + properties: + enablePrivateEndpoint: + type: boolean + enablePrivateNodes: + type: boolean + masterIpv4CidrBlock: + type: string + peeringName: + type: string + privateEndpoint: + type: string + publicEndpoint: + type: string + required: + - enablePrivateEndpoint + type: object + releaseChannel: + properties: + channel: + type: string + required: + - channel + type: object + resourceUsageExportConfig: + properties: + bigqueryDestination: + properties: + datasetId: + type: string + required: + - datasetId + type: object + enableNetworkEgressMetering: + type: boolean + required: + - bigqueryDestination + type: object + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + verticalPodAutoscaling: + properties: + enabled: + type: boolean + required: + - enabled + type: object + workloadIdentityConfig: + properties: + identityNamespace: + type: string + required: + - identityNamespace + type: object + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + endpoint: + type: string + instanceGroupUrls: + items: + type: string + type: array + labelFingerprint: + type: string + masterVersion: + type: string + operation: + type: string + servicesIpv4Cidr: + type: string + tpuIpv4CidrBlock: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: containernodepools.container.cnrm.cloud.google.com +spec: + group: container.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ContainerNodePool + plural: containernodepools + shortNames: + - gcpcontainernodepool + - gcpcontainernodepools + singular: containernodepool + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + autoscaling: + properties: + maxNodeCount: + type: integer + minNodeCount: + type: integer + required: + - maxNodeCount + - minNodeCount + type: object + clusterRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + initialNodeCount: + type: integer + location: + type: string + management: + properties: + autoRepair: + type: boolean + autoUpgrade: + type: boolean + type: object + maxPodsPerNode: + type: integer + namePrefix: + type: string + nodeConfig: + properties: + diskSizeGb: + type: integer + diskType: + type: string + guestAccelerator: + items: + properties: + count: + type: integer + type: + type: string + required: + - count + - type + type: object + type: array + imageType: + type: string + labels: + additionalProperties: + type: string + type: object + localSsdCount: + type: integer + machineType: + type: string + metadata: + additionalProperties: + type: string + type: object + minCpuPlatform: + type: string + oauthScopes: + items: + type: string + type: array + preemptible: + type: boolean + sandboxConfig: + properties: + sandboxType: + type: string + required: + - sandboxType + type: object + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + 
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + shieldedInstanceConfig: + properties: + enableIntegrityMonitoring: + type: boolean + enableSecureBoot: + type: boolean + type: object + tags: + items: + type: string + type: array + taint: + items: + properties: + effect: + type: string + key: + type: string + value: + type: string + required: + - effect + - key + - value + type: object + type: array + workloadMetadataConfig: + properties: + nodeMetadata: + type: string + required: + - nodeMetadata + type: object + type: object + nodeCount: + type: integer + nodeLocations: + items: + type: string + type: array + upgradeSettings: + properties: + maxSurge: + type: integer + maxUnavailable: + type: integer + required: + - maxSurge + - maxUnavailable + type: object + version: + type: string + required: + - clusterRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + instanceGroupUrls: + items: + type: string + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: dataflowjobs.dataflow.cnrm.cloud.google.com +spec: + group: dataflow.cnrm.cloud.google.com + names: + categories: + - gcp + kind: DataflowJob + plural: dataflowjobs + shortNames: + - gcpdataflowjob + - gcpdataflowjobs + singular: dataflowjob + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + ipConfiguration: + type: string + machineType: + type: string + maxWorkers: + type: integer + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + parameters: + type: object + region: + type: string + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + subnetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + tempGcsLocation: + type: string + templateGcsPath: + type: string + zone: + type: string + required: + - tempGcsLocation + - templateGcsPath + - zone + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. 
+ type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + jobId: + type: string + state: + type: string + type: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: dnsmanagedzones.dns.cnrm.cloud.google.com +spec: + group: dns.cnrm.cloud.google.com + names: + categories: + - gcp + kind: DNSManagedZone + plural: dnsmanagedzones + shortNames: + - gcpdnsmanagedzone + - gcpdnsmanagedzones + singular: dnsmanagedzone + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + type: string + dnsName: + description: The DNS name of this managed zone, for instance "example.com.". + type: string + dnssecConfig: + description: DNSSEC configuration + properties: + defaultKeySpecs: + description: |- + Specifies parameters that will be used for generating initial DnsKeys + for this ManagedZone. If you provide a spec for keySigning or zoneSigning, + you must also provide one for the other. + items: + properties: + algorithm: + description: String mnemonic specifying the DNSSEC algorithm + of this key + type: string + keyLength: + description: Length of the keys in bits + type: integer + keyType: + description: |- + Specifies whether this is a key signing key (KSK) or a zone + signing key (ZSK). Key signing keys have the Secure Entry + Point flag set and, when active, will only be used to sign + resource record sets of type DNSKEY. Zone signing keys do + not have the Secure Entry Point flag set and will be used + to sign all other types of resource record sets. + type: string + kind: + description: Identifies what kind of resource this is + type: string + type: object + type: array + kind: + description: Identifies what kind of resource this is + type: string + nonExistence: + description: Specifies the mechanism used to provide authenticated + denial-of-existence responses. + type: string + state: + description: Specifies whether DNSSEC is enabled, and what mode + it is in + type: string + type: object + forwardingConfig: + description: |- + The presence for this field indicates that outbound forwarding is enabled + for this zone. The value of this field contains the set of destinations + to forward to. + properties: + targetNameServers: + description: |- + List of target name servers to forward to. 
Cloud DNS will + select the best available name server if more than + one target is given. + items: + properties: + ipv4Address: + description: IPv4 address of a target name server. + type: string + required: + - ipv4Address + type: object + type: array + required: + - targetNameServers + type: object + peeringConfig: + description: |- + The presence of this field indicates that DNS Peering is enabled for this + zone. The value of this field contains the network to peer with. + properties: + targetNetwork: + description: The network with which to peer. + properties: + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - networkRef + type: object + required: + - targetNetwork + type: object + privateVisibilityConfig: + description: |- + For privately visible zones, the set of Virtual Private Cloud + resources that the zone is visible from. + properties: + networks: + items: + properties: + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - networkRef + type: object + type: array + required: + - networks + type: object + visibility: + description: |- + The zone's visibility: public zones are exposed to the Internet, + while private zones are visible only to Virtual Private Cloud resources. + Must be one of: 'public', 'private'. + type: string + required: + - dnsName + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + nameServers: + description: |- + Delegate your managed_zone to these virtual name servers; + defined by the server + items: + type: string + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: dnspolicies.dns.cnrm.cloud.google.com +spec: + group: dns.cnrm.cloud.google.com + names: + categories: + - gcp + kind: DNSPolicy + plural: dnspolicies + shortNames: + - gcpdnspolicy + - gcpdnspolicies + singular: dnspolicy + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + alternativeNameServerConfig: + description: |- + Sets an alternative name server for the associated networks. + When specified, all DNS queries are forwarded to a name server that you choose. + Names such as .internal are not available when an alternative name server is specified. 
+ properties: + targetNameServers: + description: |- + Sets an alternative name server for the associated networks. When specified, + all DNS queries are forwarded to a name server that you choose. Names such as .internal + are not available when an alternative name server is specified. + items: + properties: + ipv4Address: + description: IPv4 address to forward to. + type: string + required: + - ipv4Address + type: object + type: array + required: + - targetNameServers + type: object + description: + type: string + enableInboundForwarding: + description: |- + Allows networks bound to this policy to receive DNS queries sent + by VMs or applications over VPN connections. When enabled, a + virtual IP address will be allocated from each of the sub-networks + that are bound to this policy. + type: boolean + enableLogging: + description: |- + Controls whether logging is enabled for the networks bound to this policy. + Defaults to no logging if not set. + type: boolean + networks: + description: List of network names specifying networks to which this + policy is applied. + items: + properties: + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - networkRef + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: dnsrecordsets.dns.cnrm.cloud.google.com +spec: + group: dns.cnrm.cloud.google.com + names: + categories: + - gcp + kind: DNSRecordSet + plural: dnsrecordsets + shortNames: + - gcpdnsrecordset + - gcpdnsrecordsets + singular: dnsrecordset + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + managedZoneRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + name: + type: string + rrdatas: + items: + type: string + type: array + ttl: + type: integer + type: + type: string + required: + - managedZoneRef + - name + - rrdatas + - ttl + - type + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: firestoreindexes.firestore.cnrm.cloud.google.com +spec: + group: firestore.cnrm.cloud.google.com + names: + categories: + - gcp + kind: FirestoreIndex + plural: firestoreindexes + shortNames: + - gcpfirestoreindex + - gcpfirestoreindexes + singular: firestoreindex + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + collection: + description: The collection being indexed. + type: string + database: + description: The Firestore database id. Defaults to '"(default)"'. + type: string + fields: + description: |- + The fields supported by this index. The last field entry is always for + the field path '__name__'. If, on creation, '__name__' was not + specified as the last field, it will be added automatically with the + same direction as that of the last field defined. 
If the final field + in a composite index is not directional, the '__name__' will be + ordered '"ASCENDING"' (unless explicitly specified otherwise). + items: + properties: + arrayConfig: + description: |- + Indicates that this field supports operations on arrayValues. Only one of 'order' and 'arrayConfig' can + be specified. + type: string + fieldPath: + description: Name of the field. + type: string + order: + description: |- + Indicates that this field supports ordering by the specified order or comparing using =, <, <=, >, >=. + Only one of 'order' and 'arrayConfig' can be specified. + type: string + type: object + type: array + queryScope: + description: |- + The scope at which a query is run. One of '"COLLECTION"' or + '"COLLECTION_GROUP"'. Defaults to '"COLLECTION"'. + type: string + required: + - collection + - fields + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + name: + description: |- + A server defined name for this index. 
Format: + 'projects/{{project}}/databases/{{database}}/collectionGroups/{{collection}}/indexes/{{server_generated_id}}' + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: folders.resourcemanager.cnrm.cloud.google.com +spec: + group: resourcemanager.cnrm.cloud.google.com + names: + categories: + - gcp + kind: Folder + plural: folders + shortNames: + - gcpfolder + - gcpfolders + singular: folder + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + displayName: + type: string + required: + - displayName + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + createTime: + type: string + lifecycleState: + type: string + name: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: iamcustomroles.iam.cnrm.cloud.google.com +spec: + group: iam.cnrm.cloud.google.com + names: + categories: + - gcp + kind: IAMCustomRole + plural: iamcustomroles + shortNames: + - gcpiamcustomrole + - gcpiamcustomroles + singular: iamcustomrole + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + type: string + permissions: + items: + type: string + type: array + stage: + type: string + title: + type: string + required: + - permissions + - title + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + deleted: + type: boolean + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + controller-tools.k8s.io: "1.0" + name: iampolicies.iam.cnrm.cloud.google.com +spec: + group: iam.cnrm.cloud.google.com + names: + kind: IAMPolicy + plural: iampolicies + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + bindings: + description: Optional. The list of IAM bindings. + items: + properties: + condition: + description: Optional. The condition under which the binding applies. + properties: + description: + type: string + expression: + type: string + title: + type: string + required: + - title + - expression + type: object + members: + description: Optional. The list of IAM users to be bound to the + role. + items: + pattern: ^(user|serviceAccount|group|domain):.+|allUsers|allAuthenticatedUsers$ + type: string + pattern: ^(user|serviceAccount|group|domain):.+|allUsers|allAuthenticatedUsers$ + type: array + role: + description: Required. The role to bind the users to. + pattern: ^roles/[\w\.]+$ + type: string + required: + - role + type: object + type: array + resourceRef: + description: Required. The GCP resource to set the IAM policy on. + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + - not: + anyOf: + - required: + - name + - required: + - namespace + - required: + - apiVersion + - required: + - external + properties: + apiVersion: + type: string + external: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + type: object + required: + - resourceRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observations + of the IAM policy's current state. 
+ items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + controller-tools.k8s.io: "1.0" + name: iampolicymembers.iam.cnrm.cloud.google.com +spec: + group: iam.cnrm.cloud.google.com + names: + kind: IAMPolicyMember + plural: iampolicymembers + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + condition: + description: Optional. 
The condition under which the binding applies. + properties: + description: + type: string + expression: + type: string + title: + type: string + required: + - title + - expression + type: object + member: + description: Required. The list of IAM identities to be bound to the + role + pattern: ^(user|serviceAccount|group|domain):.+|allUsers|allAuthenticatedUsers$ + type: string + resourceRef: + description: Required. The GCP resource to set the IAM policy on. + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + - not: + anyOf: + - required: + - name + - required: + - namespace + - required: + - apiVersion + - required: + - external + properties: + apiVersion: + type: string + external: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + type: object + role: + description: Required. The role for which the Member will be bound. + pattern: ^roles/[\w\.]+$ + type: string + required: + - resourceRef + - member + - role + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observations + of the IAM policy's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: iamserviceaccountkeys.iam.cnrm.cloud.google.com +spec: + group: iam.cnrm.cloud.google.com + names: + categories: + - gcp + kind: IAMServiceAccountKey + plural: iamserviceaccountkeys + shortNames: + - gcpiamserviceaccountkey + - gcpiamserviceaccountkeys + singular: iamserviceaccountkey + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + keyAlgorithm: + type: string + privateKeyType: + type: string + publicKeyType: + type: string + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - serviceAccountRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + name: + type: string + privateKey: + type: string + publicKey: + type: string + validAfter: + type: string + validBefore: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: iamserviceaccounts.iam.cnrm.cloud.google.com +spec: + group: iam.cnrm.cloud.google.com + names: + categories: + - gcp + kind: IAMServiceAccount + plural: iamserviceaccounts + shortNames: + - gcpiamserviceaccount + - gcpiamserviceaccounts + singular: iamserviceaccount + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + type: string + displayName: + type: string + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. 
+ items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + email: + type: string + name: + type: string + uniqueId: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: kmscryptokeys.kms.cnrm.cloud.google.com +spec: + group: kms.cnrm.cloud.google.com + names: + categories: + - gcp + kind: KMSCryptoKey + plural: kmscryptokeys + shortNames: + - gcpkmscryptokey + - gcpkmscryptokeys + singular: kmscryptokey + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + keyRingRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + purpose: + description: |- + The immutable purpose of this CryptoKey. See the + [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) + for possible inputs. + type: string + rotationPeriod: + description: |- + Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. + The first rotation will take place after the specified period. The rotation period has + the format of a decimal number with up to 9 fractional digits, followed by the + letter 's' (seconds). It must be greater than a day (ie, 86400). + type: string + versionTemplate: + description: A template describing settings for new crypto key versions. + properties: + algorithm: + description: |- + The algorithm to use when creating a version based on this template. + See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs. + type: string + protectionLevel: + description: The protection level to use when creating a version + based on this template. 
+ type: string + required: + - algorithm + type: object + required: + - keyRingRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: kmskeyrings.kms.cnrm.cloud.google.com +spec: + group: kms.cnrm.cloud.google.com + names: + categories: + - gcp + kind: KMSKeyRing + plural: kmskeyrings + shortNames: + - gcpkmskeyring + - gcpkmskeyrings + singular: kmskeyring + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + location: + description: |- + The location for the KeyRing. + A full list of valid locations can be found by running 'gcloud kms locations list'. + type: string + required: + - location + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: projects.resourcemanager.cnrm.cloud.google.com +spec: + group: resourcemanager.cnrm.cloud.google.com + names: + categories: + - gcp + kind: Project + plural: projects + shortNames: + - gcpproject + - gcpprojects + singular: project + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + billingAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + name: + type: string + required: + - name + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + number: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: pubsubsubscriptions.pubsub.cnrm.cloud.google.com +spec: + group: pubsub.cnrm.cloud.google.com + names: + categories: + - gcp + kind: PubSubSubscription + plural: pubsubsubscriptions + shortNames: + - gcppubsubsubscription + - gcppubsubsubscriptions + singular: pubsubsubscription + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + ackDeadlineSeconds: + description: |- + This value is the maximum time after a subscriber receives a message + before the subscriber should acknowledge the message. After message + delivery but before the ack deadline expires and before the message is + acknowledged, it is an outstanding message and will not be delivered + again during that time (on a best-effort basis). + + For pull subscriptions, this value is used as the initial value for + the ack deadline. To override this value for a given message, call + subscriptions.modifyAckDeadline with the corresponding ackId if using + pull. The minimum custom deadline you can specify is 10 seconds. The + maximum custom deadline you can specify is 600 seconds (10 minutes). + If this parameter is 0, a default value of 10 seconds is used. + + For push delivery, this value is also used to set the request timeout + for the call to the push endpoint. + + If the subscriber never acknowledges the message, the Pub/Sub system + will eventually redeliver the message. + type: integer + expirationPolicy: + description: |- + A policy that specifies the conditions for this subscription's expiration. + A subscription is considered active as long as any connected subscriber + is successfully consuming messages from the subscription or is issuing + operations on the subscription. If expirationPolicy is not set, a default + policy with ttl of 31 days will be used. If it is set but ttl is "", the + resource never expires. 
The minimum allowed value for expirationPolicy.ttl + is 1 day. + properties: + ttl: + description: |- + Specifies the "time-to-live" duration for an associated resource. The + resource expires if it is not active for a period of ttl. + If ttl is not set, the associated resource never expires. + A duration in seconds with up to nine fractional digits, terminated by 's'. + Example - "3.5s". + type: string + required: + - ttl + type: object + messageRetentionDuration: + description: |- + How long to retain unacknowledged messages in the subscription's + backlog, from the moment a message is published. If + retainAckedMessages is true, then this also configures the retention + of acknowledged messages, and thus configures how far back in time a + subscriptions.seek can be done. Defaults to 7 days. Cannot be more + than 7 days ('"604800s"') or less than 10 minutes ('"600s"'). + + A duration in seconds with up to nine fractional digits, terminated + by 's'. Example: '"600.5s"'. + type: string + pushConfig: + description: |- + If push delivery is used with this subscription, this field is used to + configure it. An empty pushConfig signifies that the subscriber will + pull and ack messages using API methods. + properties: + attributes: + additionalProperties: + type: string + description: |- + Endpoint configuration attributes. + + Every endpoint has a set of API supported attributes that can + be used to control different aspects of the message delivery. + + The currently supported attribute is x-goog-version, which you + can use to change the format of the pushed message. This + attribute indicates the version of the data expected by + the endpoint. This controls the shape of the pushed message + (i.e., its fields and metadata). The endpoint version is + based on the version of the Pub/Sub API. + + If not present during the subscriptions.create call, + it will default to the version of the API used to make + such call. 
If not present during a subscriptions.modifyPushConfig + call, its value will not be changed. subscriptions.get + calls will always return a valid version, even if the + subscription was created without this attribute. + + The possible values for this attribute are: + + - v1beta1: uses the push format defined in the v1beta1 Pub/Sub API. + - v1 or v1beta2: uses the push format defined in the v1 Pub/Sub API. + type: object + oidcToken: + description: |- + If specified, Pub/Sub will generate and attach an OIDC JWT token as + an Authorization header in the HTTP request for every pushed message. + properties: + audience: + description: |- + Audience to be used when generating OIDC token. The audience claim + identifies the recipients that the JWT is intended for. The audience + value is a single case-sensitive string. Having multiple values (array) + for the audience field is not supported. More info about the OIDC JWT + token audience here: https://tools.ietf.org/html/rfc7519#section-4.1.3 + Note: if not specified, the Push endpoint URL will be used. + type: string + serviceAccountEmail: + description: |- + Service account email to be used for generating the OIDC token. + The caller (for subscriptions.create, subscriptions.patch, and + subscriptions.modifyPushConfig RPCs) must have the + iam.serviceAccounts.actAs permission for the service account. + type: string + required: + - serviceAccountEmail + type: object + pushEndpoint: + description: |- + A URL locating the endpoint to which messages should be pushed. + For example, a Webhook endpoint might use + "https://example.com/push". + type: string + required: + - pushEndpoint + type: object + retainAckedMessages: + description: |- + Indicates whether to retain acknowledged messages. If 'true', then + messages are not expunged from the subscription's backlog, even if + they are acknowledged, until they fall out of the + messageRetentionDuration window. 
+ type: boolean + topicRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - topicRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + path: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: pubsubtopics.pubsub.cnrm.cloud.google.com +spec: + group: pubsub.cnrm.cloud.google.com + names: + categories: + - gcp + kind: PubSubTopic + plural: pubsubtopics + shortNames: + - gcppubsubtopic + - gcppubsubtopics + singular: pubsubtopic + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + messageStoragePolicy: + description: |- + Policy constraining the set of Google Cloud Platform regions where + messages published to the topic may be stored. If not present, then no + constraints are in effect. + properties: + allowedPersistenceRegions: + description: |- + A list of IDs of GCP regions where messages that are published to + the topic may be persisted in storage. Messages published by + publishers running in non-allowed GCP regions (or running outside + of GCP altogether) will be routed for storage in one of the + allowed regions. An empty list means that no regions are allowed, + and is not a valid configuration. + items: + type: string + type: array + required: + - allowedPersistenceRegions + type: object + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: redisinstances.redis.cnrm.cloud.google.com +spec: + group: redis.cnrm.cloud.google.com + names: + categories: + - gcp + kind: RedisInstance + plural: redisinstances + shortNames: + - gcpredisinstance + - gcpredisinstances + singular: redisinstance + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + alternativeLocationId: + description: |- + Only applicable to STANDARD_HA tier which protects the instance + against zonal failures by provisioning it across two zones. + If provided, it must be a different zone from the one provided in + [locationId]. 
+ type: string + authorizedNetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + displayName: + description: An arbitrary and optional user-provided name for the instance. + type: string + locationId: + description: |- + The zone where the instance will be provisioned. If not provided, + the service will choose a zone for the instance. For STANDARD_HA tier, + instances will be created across two zones for protection against + zonal failures. If [alternativeLocationId] is also provided, it must + be different from [locationId]. + type: string + memorySizeGb: + description: Redis memory size in GiB. + type: integer + redisConfigs: + additionalProperties: + type: string + description: |- + Redis configuration parameters, according to http://redis.io/topics/config. + Please check Memorystore documentation for the list of supported parameters: + https://cloud.google.com/memorystore/docs/redis/reference/rest/v1/projects.locations.instances#Instance.FIELDS.redis_configs + type: object + redisVersion: + description: |- + The version of Redis software. If not provided, latest supported + version will be used. Currently, the supported values are: + + - REDIS_4_0 for Redis 4.0 compatibility + - REDIS_3_2 for Redis 3.2 compatibility + type: string + region: + description: The name of the Redis region of the instance. + type: string + reservedIpRange: + description: |- + The CIDR range of internal addresses that are reserved for this + instance. 
If not provided, the service will choose an unused /29 + block, for example, 10.0.0.0/29 or 192.168.0.0/29. Ranges must be + unique and non-overlapping with existing subnets in an authorized + network. + type: string + tier: + description: |- + The service tier of the instance. Must be one of these values: + + - BASIC: standalone instance + - STANDARD_HA: highly available primary/replica instances + type: string + required: + - memorySizeGb + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + createTime: + description: |- + The time the instance was created in RFC3339 UTC "Zulu" format, + accurate to nanoseconds. + type: string + currentLocationId: + description: |- + The current zone where the Redis endpoint is placed. + For Basic Tier instances, this will always be the same as the + [locationId] provided by the user at creation time. For Standard Tier + instances, this can be either [locationId] or [alternativeLocationId] + and can change after a failover event. + type: string + host: + description: |- + Hostname or IP address of the exposed Redis endpoint used by clients + to connect to the service. + type: string + port: + description: The port number of the exposed Redis endpoint. 
+ type: integer + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + controller-tools.k8s.io: "1.0" + name: servicemappings.core.cnrm.cloud.google.com +spec: + group: core.cnrm.cloud.google.com + names: + kind: ServiceMapping + plural: servicemappings + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceMappingSpec defines the aspects common to all resources + of a particular service being mapped from the Terraform provider to Kubernetes + Resource Model (KRM). + properties: + name: + description: Name is the name of the service being mapped (e.g. Spanner, + PubSub). This is used for the construction of the generated CRDs' + API group and kind. + type: string + resources: + description: Resources is a list of configurations specifying how to + map a specific resource from the Terraform provider to KRM. 
+ items: + properties: + containers: + description: Containers describes all the container mappings this + resource understands. Config Connector maps Kubernetes namespaces + to the abstract GCP container objects they are scoped by via + namespaces. For most resource types, this is a project, but + certain resources live outside the scope of a project, like + folders or projects themselves. Containers are expressed as + annotations on a given Namespace, though users may provide resource-level + overrides. + items: + properties: + tfField: + description: TFField is the path to the field in the underlying + Terraform provider that represents the implicit reference + to the container object. Use periods to delimit the fields + in the path. For example, if the field is "bar" nested + inside "foo" ("foo" being either an object or a list of + objects), the associated TFField should be "foo.bar") + type: string + type: + description: Type is the type of container this represents. + type: string + valueTemplate: + description: ValueTemplate is a template by which the value + of the container annotation should be interpreted before + being passed to the Terraform provider. {{value}} is used + in place of this sourced value. e.g. If the value sourced + from the container annotation is "123456789", a valueTemplate + of "folders/{{value}}" would mean the final value passed + to the provider is "folders/123456789" + type: string + required: + - type + - tfField + type: object + type: array + directives: + description: Directives is a list of Terraform fields that perform + unique behaviors on top of the resource which are not part of + a GET response. If the KCC annotation's key contains a directive + from this list (e.g. `cnrm.cloud.google.com/force-destroy`), + the value from the annotation is stored/overwritten in the TF + config (e.g. 
force_destroy -> true) + items: + type: string + type: array + iamConfig: + description: IAMConfig contains the mappings from a given resource + onto its associated terraform IAM resources (policies, bindings, + and members) + properties: + policyMemberName: + description: PolicyMemberName is the terraform name of the + associated IAM Policy Member resource (e.g. google_spanner_instance_iam_member) + type: string + policyName: + description: PolicyName is the terraform name of the associated + IAM Policy resource (e.g. google_spanner_instance_iam_policy) + type: string + referenceField: + description: A description of the manner in which the IAM + Policy references its resource. + properties: + name: + description: The name of the field in the policy or binding + which references the resource. For 'google_spanner_instance_iam_policy' + this value is 'instance'. + type: string + type: + description: The type of value that should be used in + this field. It can be one of { name, id }. For 'google_spanner_instance_iam_policy' + it would be 'name' for 'google_kms_key_ring_iam_policy' + it would be 'id'. + type: string + required: + - name + - type + type: object + supportsConditions: + description: SupportsConditions indicates whether or not the + resource supports IAM Conditions. + type: boolean + required: + - policyName + - policyMemberName + - supportsConditions + type: object + idTemplate: + description: IDTemplate defines the format in which the ID fed + into the TF resource's importer should look. Fields may be sourced + from the TF resource by using the `{{foo}}` syntax. (e.g. {{project}}/{{location}}/{{name}}. + If SkipImport is true, this must be specified, and its expanded + form will be directly used as the TF resource's `id` field. + type: string + ignoredFields: + description: IgnoredFields is a list of fields that should be + dropped from the underlying Terraform resource. 
+ items: + type: string + type: array + kind: + description: Kind is the Kubernetes kind you wish the resource + to have. + type: string + locationality: + description: 'Locationality categorizes the GCP resources as global, + regional, or zonal. It''s only applicable to the effort of unifying + multiple locational TF resources into one, e.g. KCC could have + a single ComputeAddress CRD to represent two TF/GCE resources + - compute address and global compute address. The location field + in ComputeAddress CRD is used to specify whether it is a global + address or regional address. If unset, it''s assumed that there + is no multiple TF locational resources mapping to the same compute + resource schema. Currently, this supports the following values: + global, regional, zonal.' + type: string + metadataMapping: + description: MetadataMapping determines how to map Kubernetes + metadata fields to the Terraform resource's configuration. + properties: + labels: + description: Labels is a JSONPath to the field in the TF resource + where the KRM "metadata.labels" field will be mapped to. + By default, this is mapped to the "labels" field, if that + field is found in the TF resource schema. + type: string + name: + description: Name is a JSONPath to the field in the TF resource + where the KRM "metadata.name" field will be mapped to. By + default, this is mapped to the "name" field, if that field + is found in the TF resource schema. + type: string + nameValueTemplate: + description: NameValueTemplate is a template by which the + value of the metadata.name value should be interpreted before + being passed to the Terraform provider. {{value}} is used + in place of this sourced value. e.g. If the value sourced + from metadata.name is "foo_bar", a nameValueTemplate of + "resource/{{value}}" would mean the final value passed to + the provider is "resource/foo_bar" + type: string + type: object + name: + description: Name is the Terraform name of the resource (e.g. 
+ google_spanner_instance) + type: string + resourceReferences: + description: ResourceReferences configures the mapping of fields + in the Terraform resource that implicitly define references + to other GCP resources into explicit Kubernetes-style references. + items: + properties: + group: + description: Group is the Kubernetes group of the resource + being referenced. If not is set, it is implied that the + kind specified is unique across all groups. + type: string + jsonSchemaType: + description: JSONSchemaType specifies the type as understood + by JSON schema validation of this reference field. Should + never be specified for a TypeConfig inlined in the ReferenceConfig. This + field is mutually exclusive with Kind and TargetField. + type: string + key: + description: 'Key is the field name that will be exposed + through the KRM resource''s spec. It should follow the + Kubernetes reference naming semantics: `fooRef`, where + foo is some describer of what is being referenced (e.g. instanceRef, + healthCheckRef) Complex references (those with a "Types" + list defined) or lists of references should not specify + a key.' + type: string + kind: + description: Kind is the Kubernetes kind of the resource + being referenced. The API group and version are assumed + to match the referencing resource's. This field is mutually + exclusive with JSONSchemaType. + type: string + parent: + description: Parent specifies whether the referenced resource + is a parent. If the parent is successfully deleted, this + resource may be deleted without any call to the underlying + API. Only one parent may be present. A parent reference's + TFField must not be a nested path. + type: boolean + targetField: + description: TargetField is the referenced resource's Terraform + field that will be extracted and set as the value of the + TFField. 
For example, a ComputeSubnetwork can reference + a ComputeNetwork's self link by setting TargetField to + "self_link", a field defined on the google_compute_network + resource. + type: string + tfField: + description: TFField is the path to the field in the underlying + Terraform provider that is the implicit reference. Use + periods to delimit the fields in the path. For example, + if the reference field is "bar" nested inside "foo" ("foo" + being either an object or a list of objects), the associated + TFField should be "foo.bar") + type: string + types: + description: Types is the supported types this resource + reference supports. Must not be specified if the inlined + TypeConfig is filled out. If the value for the reference + is not specified in the KRM spec, it is possible that + a default value may be set by GCP. This default reference + value will be populated in the KRM resource's spec. In + cases where a resource reference has multiple types, the + first type in this list will become the default TypeConfig + for that value. + items: + properties: + group: + description: Group is the Kubernetes group of the + resource being referenced. If not is set, it is + implied that the kind specified is unique across + all groups. + type: string + jsonSchemaType: + description: JSONSchemaType specifies the type as + understood by JSON schema validation of this reference + field. Should never be specified for a TypeConfig + inlined in the ReferenceConfig. This field is mutually + exclusive with Kind and TargetField. + type: string + key: + description: 'Key is the field name that will be exposed + through the KRM resource''s spec. It should follow + the Kubernetes reference naming semantics: `fooRef`, + where foo is some describer of what is being referenced + (e.g. instanceRef, healthCheckRef) Complex references + (those with a "Types" list defined) or lists of + references should not specify a key.' 
+ type: string + kind: + description: Kind is the Kubernetes kind of the resource + being referenced. The API group and version are + assumed to match the referencing resource's. This + field is mutually exclusive with JSONSchemaType. + type: string + parent: + description: Parent specifies whether the referenced + resource is a parent. If the parent is successfully + deleted, this resource may be deleted without any + call to the underlying API. Only one parent may + be present. A parent reference's TFField must not + be a nested path. + type: boolean + targetField: + description: TargetField is the referenced resource's + Terraform field that will be extracted and set as + the value of the TFField. For example, a ComputeSubnetwork + can reference a ComputeNetwork's self link by setting + TargetField to "self_link", a field defined on the + google_compute_network resource. + type: string + valueTemplate: + description: ValueTemplate is a template by which + the value sourced from the reference should be interpreted + before being passed to the Terraform provider. {{value}} + is used in place of this sourced value. e.g. If + the value sourced from the reference is "foo@domain.com", + a valueTemplate of "serviceAccount:{{value}}" would + mean the final value passed to the provider is "serviceAccount:foo@domain.com" + type: string + type: object + type: array + valueTemplate: + description: ValueTemplate is a template by which the value + sourced from the reference should be interpreted before + being passed to the Terraform provider. {{value}} is used + in place of this sourced value. e.g. 
If the value sourced + from the reference is "foo@domain.com", a valueTemplate + of "serviceAccount:{{value}}" would mean the final value + passed to the provider is "serviceAccount:foo@domain.com" + type: string + required: + - tfField + type: object + type: array + serverGeneratedIDField: + description: ServerGeneratedIDField is the field in the resource's + status that corresponds to the server-generated resource ID. + If unset, it's assumed the resource ID is specified by the user. + Resources with this set do not support acquisition. + type: string + skipImport: + description: SkipImport skips the import step when fetching the + live state of the underlying resource. If specified, IDTemplate + must also be specified, and its expanded form will be used as + the TF resource's `id` field. + type: boolean + required: + - name + - kind + type: object + type: array + version: + description: Version is the API version for all the resource CRDs being + generated. + type: string + required: + - name + - version + - resources + type: object + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: servicenetworkingconnections.servicenetworking.cnrm.cloud.google.com +spec: + group: servicenetworking.cnrm.cloud.google.com + names: + categories: + - gcp + kind: ServiceNetworkingConnection + plural: servicenetworkingconnections + shortNames: + - gcpservicenetworkingconnection + - gcpservicenetworkingconnections + singular: servicenetworkingconnection + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this 
representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + networkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + reservedPeeringRanges: + items: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + type: array + service: + type: string + required: + - networkRef + - reservedPeeringRanges + - service + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. 
+ items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + peering: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: services.serviceusage.cnrm.cloud.google.com +spec: + group: serviceusage.cnrm.cloud.google.com + names: + categories: + - gcp + kind: Service + plural: services + shortNames: + - gcpservice + - gcpservices + singular: service + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: sourcereporepositories.sourcerepo.cnrm.cloud.google.com +spec: + group: sourcerepo.cnrm.cloud.google.com + names: + categories: + - gcp + kind: SourceRepoRepository + plural: sourcereporepositories + shortNames: + - gcpsourcereporepository + - gcpsourcereporepositories + singular: sourcereporepository + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + pubsubConfigs: + description: |- + How this repository publishes a change in the repository through Cloud Pub/Sub. + Keyed by the topic names. + items: + properties: + messageFormat: + description: |- + The format of the Cloud Pub/Sub messages. + - PROTOBUF: The message payload is a serialized protocol buffer of SourceRepoEvent. + - JSON: The message payload is a JSON string of SourceRepoEvent. + type: string + serviceAccountRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + topicRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - messageFormat + - topicRef + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + size: + description: The disk usage of the repo, in bytes. + type: integer + url: + description: URL to clone the repository from Google Cloud Source Repositories. + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: spannerdatabases.spanner.cnrm.cloud.google.com +spec: + group: spanner.cnrm.cloud.google.com + names: + categories: + - gcp + kind: SpannerDatabase + plural: spannerdatabases + shortNames: + - gcpspannerdatabase + - gcpspannerdatabases + singular: spannerdatabase + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + ddl: + description: |- + An optional list of DDL statements to run inside the newly created + database. Statements can create tables, indexes, etc. These statements + execute atomically with the creation of the database: if there is an + error in any statement, the database is not created. + items: + type: string + type: array + instanceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - instanceRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. 
+ type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + state: + description: An explanation of the status of the database. + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: spannerinstances.spanner.cnrm.cloud.google.com +spec: + group: spanner.cnrm.cloud.google.com + names: + categories: + - gcp + kind: SpannerInstance + plural: spannerinstances + shortNames: + - gcpspannerinstance + - gcpspannerinstances + singular: spannerinstance + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + config: + description: |- + The name of the instance's configuration (similar but not + quite the same as a region) which defines defines the geographic placement and + replication of your databases in this instance. It determines where your data + is stored. Values are typically of the form 'regional-europe-west1' , 'us-central' etc. + In order to obtain a valid list please consult the + [Configuration section of the docs](https://cloud.google.com/spanner/docs/instances). + type: string + displayName: + description: |- + The descriptive name for this instance as it appears in UIs. Must be + unique per project and between 4 and 30 characters in length. + type: string + numNodes: + description: The number of nodes allocated to this instance. + type: integer + required: + - config + - displayName + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + state: + description: 'Instance status: ''CREATING'' or ''READY''.' 
+ type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: sqldatabases.sql.cnrm.cloud.google.com +spec: + group: sql.cnrm.cloud.google.com + names: + categories: + - gcp + kind: SQLDatabase + plural: sqldatabases + shortNames: + - gcpsqldatabase + - gcpsqldatabases + singular: sqldatabase + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + charset: + description: |- + The charset value. See MySQL's + [Supported Character Sets and Collations](https://dev.mysql.com/doc/refman/5.7/en/charset-charsets.html) + and Postgres' [Character Set Support](https://www.postgresql.org/docs/9.6/static/multibyte.html) + for more details and supported values. Postgres databases only support + a value of 'UTF8' at creation time. + type: string + collation: + description: |- + The collation value. 
See MySQL's + [Supported Character Sets and Collations](https://dev.mysql.com/doc/refman/5.7/en/charset-charsets.html) + and Postgres' [Collation Support](https://www.postgresql.org/docs/9.6/static/collation.html) + for more details and supported values. Postgres databases only support + a value of 'en_US.UTF8' at creation time. + type: string + instanceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - instanceRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: sqlinstances.sql.cnrm.cloud.google.com +spec: + group: sql.cnrm.cloud.google.com + names: + categories: + - gcp + kind: SQLInstance + plural: sqlinstances + shortNames: + - gcpsqlinstance + - gcpsqlinstances + singular: sqlinstance + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + databaseVersion: + type: string + masterInstanceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + region: + type: string + replicaConfiguration: + properties: + caCertificate: + type: string + clientCertificate: + type: string + clientKey: + type: string + connectRetryInterval: + type: integer + dumpFilePath: + type: string + failoverTarget: + type: boolean + masterHeartbeatPeriod: + type: integer + password: + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' + is specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if + 'value' is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in + the given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + sslCipher: + type: string + username: + type: string + verifyServerCertificate: + type: boolean + type: object + rootPassword: + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' is + specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if 'value' + is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in the + given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. 
+ type: string + required: + - name + - key + type: object + type: object + type: object + settings: + properties: + activationPolicy: + type: string + authorizedGaeApplications: + items: + type: string + type: array + availabilityType: + type: string + backupConfiguration: + properties: + binaryLogEnabled: + type: boolean + enabled: + type: boolean + location: + type: string + startTime: + type: string + type: object + crashSafeReplication: + type: boolean + databaseFlags: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + diskAutoresize: + type: boolean + diskSize: + type: integer + diskType: + type: string + ipConfiguration: + properties: + authorizedNetworks: + items: + properties: + expirationTime: + type: string + name: + type: string + value: + type: string + required: + - value + type: object + type: array + ipv4Enabled: + type: boolean + privateNetworkRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + requireSsl: + type: boolean + type: object + locationPreference: + properties: + followGaeApplication: + type: string + zone: + type: string + type: object + maintenanceWindow: + properties: + day: + type: integer + hour: + type: integer + updateTrack: + type: string + type: object + pricingPlan: + type: string + replicationType: + type: string + tier: + type: string + required: + - tier + type: object + required: + - settings + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + connectionName: + type: string + firstIpAddress: + type: string + ipAddress: + items: + properties: + ipAddress: + type: string + timeToRetire: + type: string + type: + type: string + type: object + type: array + privateIpAddress: + type: string + publicIpAddress: + type: string + selfLink: + type: string + serverCaCert: + properties: + cert: + type: string + commonName: + type: string + createTime: + type: string + expirationTime: + type: string + sha1Fingerprint: + type: string + type: object + serviceAccountEmailAddress: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: sqlusers.sql.cnrm.cloud.google.com +spec: + group: sql.cnrm.cloud.google.com + names: + categories: + - gcp + kind: SQLUser + plural: sqlusers + shortNames: + - gcpsqluser + - gcpsqlusers + singular: sqluser + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + host: + type: string + instanceRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + password: + oneOf: + - not: + required: + - valueFrom + required: + - value + - not: + required: + - value + required: + - valueFrom + properties: + value: + description: Value of the field. Cannot be used if 'valueFrom' is + specified. + type: string + valueFrom: + description: Source for the field's value. Cannot be used if 'value' + is specified. + properties: + secretKeyRef: + description: Reference to a value with the given key in the + given Secret in the resource's namespace. + properties: + key: + description: Key that identifies the value to be extracted. + type: string + name: + description: Name of the Secret to extract a value from. + type: string + required: + - name + - key + type: object + type: object + type: object + required: + - instanceRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. 
+ type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: storagebucketaccesscontrols.storage.cnrm.cloud.google.com +spec: + group: storage.cnrm.cloud.google.com + names: + categories: + - gcp + kind: StorageBucketAccessControl + plural: storagebucketaccesscontrols + shortNames: + - gcpstoragebucketaccesscontrol + - gcpstoragebucketaccesscontrols + singular: storagebucketaccesscontrol + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + bucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + entity: + description: |- + The entity holding the permission, in one of the following forms: + user-userId + user-email + group-groupId + group-email + domain-domain + project-team-projectId + allUsers + allAuthenticatedUsers + Examples: + The user liz@example.com would be user-liz@example.com. + The group example@googlegroups.com would be + group-example@googlegroups.com. + To refer to all members of the Google Apps for Business domain + example.com, the entity would be domain-example.com. + type: string + role: + description: The access permission for the entity. + type: string + required: + - bucketRef + - entity + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. 
+ type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + domain: + description: The domain associated with the entity. + type: string + email: + description: The email address associated with the entity. + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: storagebuckets.storage.cnrm.cloud.google.com +spec: + group: storage.cnrm.cloud.google.com + names: + categories: + - gcp + kind: StorageBucket + plural: storagebuckets + shortNames: + - gcpstoragebucket + - gcpstoragebuckets + singular: storagebucket + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + bucketPolicyOnly: + type: boolean + cors: + items: + properties: + maxAgeSeconds: + type: integer + method: + items: + type: string + type: array + origin: + items: + type: string + type: array + responseHeader: + items: + type: string + type: array + type: object + type: array + encryption: + properties: + kmsKeyRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - kmsKeyRef + type: object + lifecycleRule: + items: + properties: + action: + properties: + storageClass: + type: string + type: + type: string + required: + - type + type: object + condition: + properties: + age: + type: integer + createdBefore: + type: string + matchesStorageClass: + items: + type: string + type: array + numNewerVersions: + type: integer + withState: + type: string + type: object + required: + - action + - condition + type: object + type: array + location: + type: string + logging: + properties: + logBucket: + type: string + logObjectPrefix: + type: string + required: + - logBucket + type: object + requesterPays: + type: boolean + retentionPolicy: + properties: + isLocked: + type: boolean + retentionPeriod: + type: integer + required: + - retentionPeriod + type: object + storageClass: + type: string + versioning: + properties: + enabled: + type: boolean + required: + - enabled + type: object + website: + properties: + mainPageSuffix: + type: 
string + notFoundPage: + type: string + type: object + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + selfLink: + type: string + url: + type: string + type: object + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: storagedefaultobjectaccesscontrols.storage.cnrm.cloud.google.com +spec: + group: storage.cnrm.cloud.google.com + names: + categories: + - gcp + kind: StorageDefaultObjectAccessControl + plural: storagedefaultobjectaccesscontrols + shortNames: + - gcpstoragedefaultobjectaccesscontrol + - gcpstoragedefaultobjectaccesscontrols + singular: storagedefaultobjectaccesscontrol + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + bucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + entity: + description: |- + The entity holding the permission, in one of the following forms: + * user-{{userId}} + * user-{{email}} (such as "user-liz@example.com") + * group-{{groupId}} + * group-{{email}} (such as "group-example@googlegroups.com") + * domain-{{domain}} (such as "domain-example.com") + * project-team-{{projectId}} + * allUsers + * allAuthenticatedUsers + type: string + object: + description: The name of the object, if applied to an object. + type: string + role: + description: The access permission for the entity. + type: string + required: + - bucketRef + - entity + - role + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + domain: + description: The domain associated with the entity. + type: string + email: + description: The email address associated with the entity. + type: string + entityId: + description: The ID for the entity + type: string + generation: + description: The content generation of the object, if applied to an + object. + type: integer + projectTeam: + description: The project team associated with the entity + properties: + projectNumber: + description: The project team associated with the entity + type: string + team: + description: The team. + type: string + type: object + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cnrm.cloud.google.com/version: 1.7.1 + creationTimestamp: null + labels: + cnrm.cloud.google.com/managed-by-kcc: "true" + cnrm.cloud.google.com/system: "true" + cnrm.cloud.google.com/tf2crd: "true" + name: storagenotifications.storage.cnrm.cloud.google.com +spec: + group: storage.cnrm.cloud.google.com + names: + categories: + - gcp + kind: StorageNotification + plural: storagenotifications + shortNames: + - gcpstoragenotification + - gcpstoragenotifications + singular: storagenotification + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'apiVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + bucketRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + customAttributes: + additionalProperties: + type: string + type: object + eventTypes: + items: + type: string + type: array + objectNamePrefix: + type: string + payloadFormat: + type: string + topicRef: + oneOf: + - not: + required: + - external + required: + - name + - not: + anyOf: + - required: + - name + - required: + - namespace + required: + - external + properties: + external: + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + type: object + required: + - bucketRef + - payloadFormat + - topicRef + type: object + status: + properties: + conditions: + description: Conditions represents the latest available observation + of the resource's current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + type: string + message: + description: Human-readable message indicating details about last + transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. Can be True, + False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + notificationId: + type: string + selfLink: + type: string + type: object + required: + - spec + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/kustomization.yaml new file mode 100644 index 0000000000..3d6bbd8ba8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/management/cnrm-install/install-system/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- 0-cnrm-system.yaml +- crds.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/compute-network.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/compute-network.yaml new file mode 100644 index 0000000000..2a8bc418d0 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/compute-network.yaml
@@ -0,0 +1,39 @@
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeNetwork
+metadata:
+ name: gke-no-internet-network
+spec:
+ routingMode: GLOBAL
+ autoCreateSubnetworks: false
+ deleteDefaultRoutesOnCreate: true
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeSubnetwork
+metadata:
+ name: priv-cluster-01
+spec:
+ ipCidrRange: 10.10.10.0/24
+ region: us-central1
+ description: kubeflow private subnet
+ privateIpGoogleAccess: true
+ networkRef:
+ name: gke-no-internet-network
+ logConfig:
+ aggregationInterval: INTERVAL_10_MIN
+ flowSampling: 0.5
+ metadata: INCLUDE_ALL_METADATA
+ secondaryIpRange:
+ - ipCidrRange: 10.10.11.0/24
+ rangeName: services
+ - ipCidrRange: 10.1.0.0/16
+ rangeName: pods
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeRoute
+metadata:
+ name: google-apis
+spec:
+ destRange: 199.36.153.4/30
+ networkRef:
+ name: gke-no-internet-network
+ nextHopGateway: default-internet-gateway
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-gcr.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-gcr.yaml
new file mode 100644
index 0000000000..d0ea7d122a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-gcr.yaml
@@ -0,0 +1,41 @@
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSManagedZone
+metadata:
+ name: gcr-io
+spec:
+ description: "private zone for GCR.io"
+ dnsName: "gcr.io."
+ visibility: private
+ privateVisibilityConfig:
+ networks:
+ - networkRef:
+ name: gke-no-internet-network
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: gcr-io-cname
+spec:
+ name: "*.gcr.io."
+ type: "CNAME"
+ ttl: 300
+ managedZoneRef:
+ name: gcr-io
+ rrdatas:
+ - "gcr.io."
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: gcr-io-a
+spec:
+ name: "gcr.io."
+ type: "A"
+ ttl: 300
+ managedZoneRef:
+ name: gcr-io
+ rrdatas:
+ - "199.36.153.4"
+ - "199.36.153.5"
+ - "199.36.153.6"
+ - "199.36.153.7"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-google-apis.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-google-apis.yaml
new file mode 100644
index 0000000000..a31a977b10
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/dns-google-apis.yaml
@@ -0,0 +1,41 @@
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSManagedZone
+metadata:
+ name: google-apis
+spec:
+ description: "private zone for Google APIs"
+ dnsName: "googleapis.com."
+ visibility: private
+ privateVisibilityConfig:
+ networks:
+ - networkRef:
+ name: gke-no-internet-network
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: restricted-google-apis-cname
+spec:
+ name: "*.googleapis.com."
+ type: "CNAME"
+ ttl: 300
+ managedZoneRef:
+ name: google-apis
+ rrdatas:
+ - "restricted.googleapis.com."
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: restricted-google-apis-a
+spec:
+ name: "restricted.googleapis.com."
+ type: "A"
+ ttl: 300
+ managedZoneRef:
+ name: google-apis
+ rrdatas:
+ - "199.36.153.4"
+ - "199.36.153.5"
+ - "199.36.153.6"
+ - "199.36.153.7"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/firewall.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/firewall.yaml
new file mode 100644
index 0000000000..d652605d53
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/firewall.yaml
@@ -0,0 +1,95 @@
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: deny-egress
+spec:
+ deny:
+ - protocol: tcp
+ ports:
+ - "0-65535"
+ destinationRanges:
+ - 0.0.0.0/0
+ direction: EGRESS
+ priority: 1100
+ networkRef:
+ name: gke-no-internet-network
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: allow-healthcheck-ingress
+spec:
+ allow:
+ - protocol: tcp
+ ports:
+ - "80"
+ - "443"
+ sourceRanges:
+ - 130.211.0.0/22
+ - 35.191.0.0/16
+ direction: INGRESS
+ networkRef:
+ name: gke-no-internet-network
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: allow-healthcheck-egress
+spec:
+ allow:
+ - protocol: tcp
+ ports:
+ - "80"
+ - "443"
+ destinationRanges:
+ - 130.211.0.0/22
+ - 35.191.0.0/16
+ direction: EGRESS
+ networkRef:
+ name: gke-no-internet-network
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: allow-google-apis-egress
+spec:
+ allow:
+ - protocol: tcp
+ ports:
+ - "0-65535"
+ destinationRanges:
+ - 199.36.153.4/30
+ direction: EGRESS
+ networkRef:
+ name: gke-no-internet-network
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: allow-master-node-egress
+spec:
+ allow:
+ - protocol: tcp
+ ports:
+ - "443"
+ - "10250"
+ destinationRanges:
+ - 172.16.0.0/28
+ direction: EGRESS
+ networkRef:
+ name: gke-no-internet-network
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: allow-internal-egress
+spec:
+ allow:
+ - protocol: tcp
+ ports:
+ - "0-65535"
+ destinationRanges:
+ - 10.0.0.0/8
+ direction: EGRESS
+ networkRef:
+ name: gke-no-internet-network
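Review bot: The `deny-egress` rule in firewall.yaml lists only `protocol: tcp`, so UDP, ICMP and every other protocol are not matched by it and fall through to the VPC's implied allow-egress rule. Egress is presumably still limited by `deleteDefaultRoutesOnCreate: true` and the single `199.36.153.4/30` route in compute-network.yaml, but that leaves routing as the only control for non-TCP traffic. I would deny with `- protocol: all` (dropping `ports`) and add explicit UDP allows where the cluster needs them, for example DNS inside `10.0.0.0/8`. `allow-google-apis-egress` could probably be narrowed from `"0-65535"` to `"443"`. None of the allow rules sets `priority`, so they override the deny only because the default (1000) is below 1100; an explicit `priority:` on each would make that ordering visible.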
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/kustomization.yaml
new file mode 100644
index 0000000000..dac51198e2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/gcp/v2/privateGKE/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- compute-network.yaml
+- dns-gcr.yaml
+- dns-google-apis.yaml
+- firewall.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/go.mod b/kubeflow_clusters/code-intelligence/upstream/manifests/go.mod
new file mode 100644
index 0000000000..bd5eb6cfdc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/go.mod
@@ -0,0 +1,5 @@
+module github.com/kubeflow/manifests
+
+go 1.12
+
+require sigs.k8s.io/kustomize/kustomize/v3 v3.2.1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/go.sum b/kubeflow_clusters/code-intelligence/upstream/manifests/go.sum
new file mode 100644
index 0000000000..dfc2d31f80
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/go.sum
@@ -0,0 +1,167 @@ +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.6+incompatible h1:tfrHha8zJ01ywiOEC1miGY8st1/igzWB8OmvPgoYX7w= +github.com/emicklei/go-restful 
v2.9.6+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M= +github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2 h1:A9+F4Dc/MCNB5jibxf6rRvOvR/iFgQdyNx9eIhnGqq0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2 h1:o20suLFB4Ri0tuzpWtyHlh7E7HnkqTNLq6aR6WVNS1w= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.2 h1:SStNd1jRcYtfKCN7R0laGNs80WYYvn5CbBjM2sOmCrE= +github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2 h1:jvO6bCMBEilGwMfHhrd61zIID4oIFdwb76V17SM88dE= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/golang/protobuf 
v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/googleapis/gnostic v0.0.0-20170426233943-68f4ded48ba9/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.3.0 h1:CcQijm0XKekKjP/YCz28LXVSpgguuB+nCxaSjCe09y0= +github.com/googleapis/gnostic v0.3.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod 
h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190620125010-da37f6c1e481 h1:IaSjLMT6WvkoZZjspGxy3rdaTEmWLoRm49WbtVUi9sA= +github.com/mailru/easyjson v0.0.0-20190620125010-da37f6c1e481/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w= 
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.2/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190621203818-d432491b9138 h1:t8BZD9RDjkm9/h7yYN6kE8oaeov5r9aztkB7zKA5Tkg= +golang.org/x/sys v0.0.0-20190621203818-d432491b9138/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +k8s.io/api v0.0.0-20190313235455-40a48860b5ab h1:DG9A67baNpoeweOy2spF1OWHhnVY5KR7/Ek/+U1lVZc= +k8s.io/api v0.0.0-20190313235455-40a48860b5ab/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA= +k8s.io/apimachinery v0.0.0-20190313205120-d7deff9243b1 h1:IS7K02iBkQXpCeieSiyJjGoLSdVOv2DbPaWHJ+ZtgKg= +k8s.io/apimachinery v0.0.0-20190313205120-d7deff9243b1/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0= +k8s.io/client-go v11.0.0+incompatible h1:LBbX2+lOwY9flffWlJM7f1Ct8V2SRNiMRDFeiwnJo9o= +k8s.io/client-go v11.0.0+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.3 h1:niceAagH1tzskmaie/icWd7ci1wbG7Bf2c6YGcQv+3c= +k8s.io/klog v0.3.3/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208 h1:5sW+fEHvlJI3Ngolx30CmubFulwH28DhKjGf70Xmtco= +k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208/go.mod h1:nfDlWeOsu3pUf4yWGL+ERqohP4YsZcBJXWMK+gkzOA4= +sigs.k8s.io/kustomize/kustomize/v3 
v3.2.1/go.mod h1:jXW5RpjfoZtLLrpCKVCZ6AHs8iV3+nkRl084TFFsWLE= +sigs.k8s.io/kustomize/v3 v3.2.0 h1:EKcEubO29vCbigcMoNynfyZH+ANWkML2UHWibt1Do7o= +sigs.k8s.io/kustomize/v3 v3.2.0/go.mod h1:ztX4zYc/QIww3gSripwF7TBOarBTm5BvyAMem0kCzOE= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/hack/build_kfdef_specs.py b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/build_kfdef_specs.py new file mode 100644 index 0000000000..c47da6a1f5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/build_kfdef_specs.py 
@@ -0,0 +1,75 @@ +"""Generate KFDef YAML from kustomize packages. + +This is a helper tool aimed at generating the RAW Yaml for KFDef specs into +kubeflow/manifests. + +We use kustomize to make it easier to generate KFDef YAML files corresponding +to different KF versions but we don't want users to be exposed to that. +""" + +import fire +import logging +import os +import subprocess +import tempfile +import yaml + +RESOURCE_PREFIX = "kfdef.apps.kubeflow.org_v1_kfdef_" + +class KFDefBuilder: + @staticmethod + def run(): + root = os.path.abspath(os.path.join(os.path.dirname(__file__), "..")) + + kfdef_dir = os.path.join(root, "kfdef") + source_dir = os.path.join(root, "kfdef", "source") + + # Walk over all versions + for base, dirs, _ in os.walk(source_dir): + for version in dirs: + package_dir = os.path.join(base, version) + + # Create a temporary directory to write all the kustomize output to + temp_dir = tempfile.mkdtemp() + + subprocess.check_call(["kustomize", "build", package_dir, "-o", + temp_dir]) + + for f in os.listdir(temp_dir): + new_name = f[len(RESOURCE_PREFIX):] + + # To preserve the existing pattern for now master files are just + # named kfctl_?.Yaml + # whereas version files are named kfctl_?.version.yaml + # in subsequent PRs we might change that + + if version == "master": + ext = ".yaml" + else: + ext = "." + version + ".yaml" + + basename, _ = os.path.splitext(new_name) + new_name = basename + ext + + new_file = os.path.join(kfdef_dir, new_name.replace("-", "_")) + logging.info(f"Processing file: {f} -> {new_file}") + + with open(os.path.join(temp_dir, f)) as hf: + spec = yaml.load(hf) + + # Remove the name. 
Kustomize requires a name but we don't want + # a name so that kfctl will fill it in based on the app directory + del spec["metadata"]["name"] + + with open(new_file, "w") as hf: + yaml.safe_dump(spec, hf, default_flow_style = False) + +if __name__ == "__main__": + + logging.basicConfig(level=logging.INFO, + format=('%(levelname)s|%(asctime)s' + '|%(message)s|%(pathname)s|%(lineno)d|'), + datefmt='%Y-%m-%dT%H:%M:%S', + ) + + fire.Fire(KFDefBuilder) diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/hack/gen-tree.sh b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/gen-tree.sh new file mode 100755 index 0000000000..373b106ab0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/gen-tree.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +if [[ $(basename $PWD) != "manifests" ]]; then + echo "must be at manifests root directory to run $0" + exit 1 +fi + +source hack/utils.sh + +manifests-tree $@ diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_legacy_kustomizations.py b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_legacy_kustomizations.py new file mode 100644 index 0000000000..4d3f60bb52 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_legacy_kustomizations.py 
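Review bot: `spec = yaml.load(hf)` in `KFDefBuilder.run` calls PyYAML without a `Loader`; on older PyYAML releases that selects the loader able to construct arbitrary Python objects from tagged input, and on PyYAML 6 the call raises TypeError because the argument is required. The script only needs plain mappings, so `spec = yaml.safe_load(hf)` is a drop-in replacement and matches the `yaml.safe_dump` used a few lines later. The same call appears three times in generate_legacy_kustomizations.py (once in `build_configmap_generators`, twice in `GenerateLegacyTests.generate`) and should change the same way. Separately, the directory returned by `tempfile.mkdtemp()` is never removed; `with tempfile.TemporaryDirectory() as temp_dir:` would clean it up for each version.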
@@ -0,0 +1,185 @@ +"""Generate legacy kustomization YAMLs. + +This script generates kustomization YAMLs based on the kustomizations created +by kfctl to be used in unittests. + +Prior to the big kustomize v3 refactor (see http://bit.ly/kf_kustomize_v3 and +https://github.com/kubeflow/manifests/issues/774) the kustomization.yaml +files were generated by kfctl as opposed to checked into kubeflow/manifests. + +Therefore to generate unittests we wanted to create kustomization.yaml files +that are similar to those generated by kfctl. These kustomization.yaml files +can then be used to generate the golden set of expected output by +running kustomize build. + +Here's how this works. + +1. The script takes as input to the path to a ${KFAPP}/${KFDEF}.yaml + for which kfctl build was run. + +2. The script recourses over all the directories in ${KFAPP}/kustomize + +3. For each ${KFAPP}/kustomize/{APP}/kustomization.yaml the script + creates an a corresponding to test in + ${GIT_MANIFESTS}/tests/legacy/${APP}/kustomization.yaml + +This is primarily intended as onetime script. Once the kustomization.yaml +files are generated and checked in there should be no reason to rerun it. + +Related issues:https://github.com/kubeflow/manifests/issues/1014 +""" +import fire +import logging +import os +import shutil +import yaml + +# Which apps to skip. These are apps which had some edge case that it wasn't +# worth dealing with. It would just make more sense to generate +# the tests manually +# +# mysql and minio don't work because we need to combine the configMapGenerators +# in base and in an overlay to properly define all the parameters. +# We are in the process of getting rid of all the KFDef magic ( +# https://github.com/kubeflow/manifests/issues/774) and checking in the +# actual kustomization.yaml files. So fixing it for these two packages didn't +# seem worth it. 
+APPS_TO_SKIP = ["mysql", "minio"] + +def build_configmap_generators(kustomize_dir): + """Return a dictionary mapping configMapGenerator name to files. + + The dictionary will be used to copy over the files to the test directory + and generate an updated configMapGenerator in the kustomization.yaml + + Returns: + dict: config map name to list of files used for the configmap generator + """ + kustomize_file = os.path.join(kustomize_dir, "kustomization.yaml") + + with open(kustomize_file) as hf: + kustomize = yaml.load(hf) + + generators = {} + for g in kustomize.get("configMapGenerator", []): + p_files = g.get("envs", []) + + if "env" in g: + p_files.append(g["env"]) + + generators[g["name"]] = [os.path.join(kustomize_dir, f) for f in p_files] + + return generators + +class GenerateLegacyTests: + @staticmethod + def generate(kfdef, test_path): + """Generate the kustomization.yaml files. + + Args: + kfdef: Path to the kfdef file. + test_path: The path where the tests should be written. + """ + this_dir = os.path.dirname(__file__) + repo_root = os.path.abspath(os.path.join(this_dir, "..")) + + test_path = os.path.abspath(test_path) + + # Figure out how many ".." we will need to add to the resource specs + # to get to the root of the repo. + if not test_path.startswith(repo_root): + raise ValueError("Test path {test_path} is not under {repo_root}") + + rtest_path = test_path[len(repo_root):] + + # Add 1 for the kustomize dir + num_parents = len(rtest_path.split(os.path.sep)) + + # Open up the kfdef file. + with open(os.path.join(kfdef)) as fh: + kfdef_spec = yaml.load(fh) + + # Map each application to its relative path. 
+ apps = {} + for a in kfdef_spec["spec"]["applications"]: + apps[a["name"]] = a["kustomizeConfig"]["repoRef"]["path"] + + kfapp_dir = os.path.dirname(kfdef) + kustomize_dir = os.path.join(kfapp_dir, "kustomize") + for d in os.listdir(kustomize_dir): + if d in APPS_TO_SKIP: + logging.info(f"Skipping {d}") + continue + kustomize_file = os.path.join(kustomize_dir, d, "kustomization.yaml") + + if not d in apps: + logging.info(f"Skipping {d}; not an application") + + if not os.path.exists(kustomize_file): + logging.info(f"Skipping {d}; {kustomize_file} does not exist.") + continue + + with open(kustomize_file) as fh: + kustomization = yaml.load(fh) + + # Rewrite the paths to resources to source resources from the manifests + # tree + for f in ["bases", "configurations", "resources", "patches", + "patchesStrategicMerge"]: + new = [] + for b in kustomization.get(f, []): + pieces = [".."] * num_parents + pieces.append(apps[d]) + pieces.append(b) + + new.append(os.path.join(*pieces)) + + kustomization[f] = new + + # Build any patches for configmaps + generators = build_configmap_generators(os.path.join(kustomize_dir, d, "base")) + + app_test_dir = os.path.join(test_path, d) + if not os.path.exists(app_test_dir): + os.makedirs(app_test_dir) + + # write the generators + params_index = 0 + kustomization["configMapGenerator"] = [] + for name, files in generators.items(): + g = { + "name": name, + "envs": [], + "behavior": "merge" + } + + for f in files: + pfile = f"params_{params_index}.env" + g["envs"].append(pfile) + shutil.copy2(f, os.path.join(app_test_dir, pfile)) + + params_index += 1 + + kustomization["configMapGenerator"].append(g) + + new_path = os.path.join(app_test_dir, "kustomization.yaml") + logging.info(f"Writing {new_path}") + + # Delete any secret in the kustomization.yaml. 
+ for f in ["secretGenerator"]: + if f in kustomization: + del kustomization[f] + + with open(new_path, "w") as fh: + yaml.dump(kustomization, fh) + +if __name__ == "__main__": + logging.basicConfig( + level=logging.INFO, + format=('%(levelname)s|%(asctime)s' + '|%(pathname)s|%(lineno)d| %(message)s'), + datefmt='%Y-%m-%dT%H:%M:%S', + ) + logging.getLogger().setLevel(logging.INFO) + + fire.Fire(GenerateLegacyTests) diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_tests.py b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_tests.py new file mode 100755 index 0000000000..0263e731d5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/generate_tests.py 
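Review bot: In `GenerateLegacyTests.generate`, the `if not d in apps:` branch logs "Skipping" but has no `continue`, so a directory that is not a KFDef application falls through and `pieces.append(apps[d])` raises KeyError as soon as its kustomization lists any base or resource; add `continue` after the log call (and prefer `if d not in apps:`). The guard above it, `raise ValueError("Test path {test_path} is not under {repo_root}")`, is missing the `f` prefix, so the message prints the placeholders literally. That guard also relies on `test_path.startswith(repo_root)`, which accepts a sibling directory whose path merely begins with the same characters; `os.path.commonpath([repo_root, test_path]) == repo_root` is the stricter check.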
@@ -0,0 +1,170 @@ +"""Regenerate tests for only the files that have changed.""" + +import argparse +import jinja2 +import logging +import os +import shutil +import subprocess + +# Search dirs should be directories to search for kustomization packages +# that we want to test. These should be kustomization's that are doing +# non-trivial transformations (e.g. combining multiple packages, applying +# patches) etc... The point of the unittests is to make it easy for reviewers +# to verify that the expected output is correct and verify the actual output +# matches the expected output. +SEARCH_DIRS = [ + "stacks", + # TODO(https://github.com/kubeflow/manifests/issues/1052): Remove this + # after the move to v3 is done. + "tests/legacy_kustomizations", + "katib/installs", + ] + +# The subdirectory to story the expected manifests in +# We use a subdirectory of test_data because we could potentially +# have more than one version of a manifest. +KUSTOMIZE_OUTPUT_DIR = "test_data/expected" + +TEST_NAME = "kustomize_test.go" + +def generate_test_path(repo_root, kustomize_rpath): + """Generate the full path of the test.go file for a particular package + + Args: + repo_root: Root of the repository + kustomize_rpath: The relative path (relative to repo root) of the + kustomize package to generate the test for. 
+ """ + + test_path = os.path.join(repo_root, "tests", kustomize_rpath, + TEST_NAME) + return test_path + +def run_kustomize_build(repo_root, package_dir): + """Run kustomize build and store the output in the test directory.""" + + rpath = os.path.relpath(package_dir, repo_root) + + output_dir = os.path.join(repo_root, "tests", rpath, KUSTOMIZE_OUTPUT_DIR) + + if os.path.exists(output_dir): + # Remove any previous version of the directory so that we ensure + # that all files in that directory are from the new run + # of kustomize build -o + logging.info("Removing directory %s", output_dir) + shutil.rmtree(output_dir) + + logging.info("Creating directory %s", output_dir) + os.makedirs(output_dir) + + subprocess.check_call([os.environ.get("KUSTOMIZE_BIN", "kustomize"), "build", "--load_restrictor", "none", + "-o", output_dir], cwd=os.path.join(repo_root, + package_dir)) +def find_kustomize_dirs(search_dirs): + """Find all kustomization directories in search_dirs. + + Args: + search_dirs: A list of directories to recursively search for + kustomization.yaml files which will be used to + 1. generate expected output + 2. generate tests + """ + + changed_dirs = set() + + for s in search_dirs: + for child, _, files in os.walk(s): + for f in files: + if f == "kustomization.yaml": + changed_dirs.add(child) + + return changed_dirs + +def write_go_test(test_path, package_name, package_dir): + """Write the go test file. + + Args: + test_path: Path for the go file + package_name: The name for the go package the test should live in + package_dir: The path to the kustomize package being tested; this + should be the relative path to the kustomize directory. 
+ """ + test_contents = template.render({"package": package_name, + "package_dir":package_dir}) + + + logging.info("Writing file: %s", test_path) + with open(test_path, "w") as test_file: + test_file.write(test_contents) + +if __name__ == "__main__": + + logging.basicConfig( + level=logging.INFO, + format=('%(levelname)s|%(asctime)s' + '|%(pathname)s|%(lineno)d| %(message)s'), + datefmt='%Y-%m-%dT%H:%M:%S', + ) + logging.getLogger().setLevel(logging.INFO) + + parser = argparse.ArgumentParser() + + parser.add_argument( + "--all", + dest = "all_tests", + action = "store_true", + help="(Deprecated) this parameter has no effect") + + parser.set_defaults(all_tests=False) + + args = parser.parse_args() + + repo_root = subprocess.check_output(["git", "rev-parse", "--show-toplevel"]) + repo_root = repo_root.decode() + repo_root = repo_root.strip() + + # Get a list of package directories + full_search_dirs = [os.path.join(repo_root, s) for s in SEARCH_DIRS] + package_dirs = find_kustomize_dirs(full_search_dirs) + + changed_dirs = package_dirs + + this_dir = os.path.dirname(__file__) + loader = jinja2.FileSystemLoader(searchpath=os.path.join( + this_dir, "templates")) + env = jinja2.Environment(loader=loader) + template = env.get_template("kustomize_test.go.template") + + for full_dir in changed_dirs: + # Get the relative path of the kustomize directory. + # This is the path relative to the repo root. + rpath = os.path.relpath(full_dir, repo_root) + + test_path = generate_test_path(repo_root, rpath) + logging.info("Regenerating test %s for %s ", test_path, full_dir) + + # Generate the kustomize output + run_kustomize_build(repo_root, full_dir) + + # Create the go test file. + # TODO(jlewi): We really shouldn't need to redo this if it already + # exists. 
+ + # The go package name will be the final directory in the path + package_name = os.path.basename(full_dir) + # Go package names replace hyphens with underscores + package_name = package_name.replace("-", "_") + + # We need to construct the path relative to the _test.go file of + # the kustomize package. This path with consist of ".." entries repeated + # enough times to get to the root of the repo. We then add the relative + # path to the kustomize package. + pieces = rpath.split(os.path.sep) + + p = [".."] * len(pieces) + p.append("..") + p.append(rpath) + package_dir = os.path.join(*p) + + write_go_test(test_path, package_name, package_dir) diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/hack/templates/kustomize_test.go.template b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/templates/kustomize_test.go.template new file mode 100644 index 0000000000..093c301d4e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/templates/kustomize_test.go.template @@ -0,0 +1,15 @@ +package {{package}} + +import ( + "github.com/kubeflow/manifests/tests" + "testing" +) + +func TestKustomize(t *testing.T) { + testCase := &tests.KustomizeTestCase{ + Package: "{{package_dir}}", + Expected: "test_data/expected", + } + + tests.RunTestCase(t, testCase) +} diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/hack/utils.sh b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/utils.sh new file mode 100644 index 0000000000..fdd5388ef8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/hack/utils.sh 
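Review bot: `write_go_test` reads a module-level `template` that is only bound inside the `if __name__ == "__main__":` block, so importing this module and calling the function raises NameError; pass it in explicitly, e.g. `def write_go_test(test_path, package_name, package_dir, template):`, or load the template inside the function. In `run_kustomize_build`, `--load_restrictor none` switches off kustomize's check that a package only loads files from under its own root, and the binary to run is taken from the `KUSTOMIZE_BIN` environment variable. A short comment above the `subprocess.check_call` saying why the restriction is lifted (presumably because the stacks reference sibling packages; confirm) would make that a visible decision rather than an unexplained flag.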
@@ -0,0 +1,122 @@ +# +# utils.sh has common scripts used by the gen-test-targets, gen-test-target and gen-tree. +# + +# +# manifests-tree will produce a listing that can be included in the README.md that shows +# what directories hold kustomization.yamls. +# +tmpfile="" +cleanup() { + if [[ -f $tmpfile ]]; then + rm -f $tmpfile + fi +} +trap cleanup EXIT + +manifests-tree() { + local dir='*' + if (($# >= 1)); then + dir=$1 + shift + fi + tmpfile=$(mktemp -q -t tree) + for i in $(find * -type d -exec sh -c '(ls -p "{}"|grep />/dev/null)||echo "{}"' \; | egrep -v 'docs|tests|hack'); do + d=$(dirname $i) + b=$(basename $i) + echo /manifests/$d/🎯$b >> $tmpfile + done + cat $tmpfile | tree $@ -N --fromfile --noreport +} + +# +# get-target will return the 'root' of the manifest given the full path to where the kustomization.yaml is. +# For example +# +# tf-job-operator +# ├── base +# └── overlays +# ├── cluster +# ├── cluster-gangscheduled +# ├── namespaced +# └── namespaced-gangscheduled +# +# Given the path /manifests/tf-training/tf-job-operator/overlays/namespaced-gangscheduled +# get-target will return /manifests/tf-training/tf-job-operator +# +# Given the path /manifests/tf-training/tf-job-operator/base +# get-target will return /manifests/tf-training/tf-job-operator +# +get-target() { + local b=$(basename $1) + case $b in + base) + echo $(dirname $1) + ;; + *) + echo $(dirname $(dirname $1)) + ;; + esac +} + +# +# get-target-name will return the basename of the manifest given the full path to where the kustomization.yaml is. 
+# For example +# +# tf-job-operator +# ├── base +# └── overlays +# ├── cluster +# ├── cluster-gangscheduled +# ├── namespaced +# └── namespaced-gangscheduled +# +# Given the path /manifests/tf-training/tf-job-operator/base +# get-target-name will return tf-job-operator-base +# +# Given the path /manifests/tf-training/tf-job-operator/overlays/namespaced-gangscheduled +# get-target-name will return tf-job-operator-overlays-namespaced-gangscheduled +# +get-target-name() { + local b=$(basename $1) + case $b in + base) + echo $(basename $(dirname $1))-$b + ;; + *) + overlaydir=$(dirname $1) + overlay=$(basename $overlaydir) + echo $(basename $(dirname $overlaydir))-$overlay-$b + ;; + esac +} + +# +# get-target-dirname will return the dirs between the root and the kustomization.yaml +# For example +# +# tf-job-operator +# ├── base +# └── overlays +# ├── cluster +# ├── cluster-gangscheduled +# ├── namespaced +# └── namespaced-gangscheduled +# +# Given the path /manifests/tf-training/tf-job-operator/overlays/namespaced-gangscheduled +# get-target-dirname will return overlays/namespaced-gangscheduled +# +# Given the path /manifests/tf-training/tf-job-operator/base +# get-target-dirname will return base +# +get-target-dirname() { + local b=$(basename $1) + case $b in + base) + echo base + ;; + *) + echo overlays/$b + ;; + esac +} diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/OWNERS new file mode 100644 index 0000000000..861d7292ee --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/OWNERS @@ -0,0 +1,3 @@ +approvers: + - krishnadurai + - lluunn 
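Review bot: In `manifests-tree`, the `find * -type d -exec sh -c '(ls -p "{}"|grep />/dev/null)||echo "{}"' \;` call substitutes each directory name into the text of the `sh -c` script, so a name containing a quote, `$(...)` or a backtick is parsed as shell code instead of being treated as data. Passing the path as a positional argument avoids that: `find * -type d -exec sh -c 'ls -p "$1" | grep -q / || echo "$1"' sh {} \;`. The surrounding `for i in $(...)` loop and the unquoted `$tmpfile`, `$i` and `$@` also split on whitespace, so `rm -f "$tmpfile"` and `tree "$@"` are worth changing in the same pass. The `dir` local is assigned from `$1` but never used afterwards.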
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..a1cfb48ddc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-multi
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader
+subjects:
+- kind: ServiceAccount
+ name: istio-multi
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role.yaml
new file mode 100644
index 0000000000..b92c9ef8b4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/cluster-role.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-reader
+rules:
+ - apiGroups: ['']
+ resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
+ verbs: ['get', 'watch', 'list']
+ - apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/deployment.yaml
new file mode 100644
index 0000000000..aeb1e0438a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/deployment.yaml
@@ -0,0 +1,181 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cluster-local-gateway + labels: + app: cluster-local-gateway + istio: cluster-local-gateway +spec: + replicas: 1 + selector: + matchLabels: + app: cluster-local-gateway + istio: cluster-local-gateway + strategy: + rollingUpdate: + maxSurge: + maxUnavailable: + template: + metadata: + labels: + app: cluster-local-gateway + istio: cluster-local-gateway + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: cluster-local-gateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.3.1" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15011 + - containerPort: 8060 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - cluster-local-gateway + - --zipkinAddress + - zipkin.$(namespace):9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot.$(namespace):15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 10m + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: 
INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" + - name: ISTIO_META_WORKLOAD_NAME + value: cluster-local-gateway + - name: ISTIO_META_OWNER + value: kubernetes://api/apps/v1/namespaces/$(namespace)/deployments/cluster-local-gateway + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: clusterlocalgateway-certs + mountPath: "/etc/istio/clusterlocalgateway-certs" + readOnly: true + - name: clusterlocalgateway-ca-certs + mountPath: "/etc/istio/clusterlocalgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.cluster-local-gateway-service-account + optional: true + - name: clusterlocalgateway-certs + secret: + secretName: "istio-clusterlocalgateway-certs" + optional: true + - name: clusterlocalgateway-ca-certs + secret: + secretName: "istio-clusterlocalgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - "amd64" + - "ppc64le" + - "s390x" + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - "amd64" + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - "ppc64le" + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - "s390x" 
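Review bot: The `istio-proxy` container is started with `--controlPlaneAuthPolicy` set to `NONE` and `--discoveryAddress` set to `istio-pilot.$(namespace):15010`, so the gateway pulls its configuration from Pilot over an unauthenticated plaintext channel even though the `istio-certs` secret is mounted at `/etc/certs`. If the mesh is meant to run with control-plane mTLS these should be `MUTUAL_TLS` and Pilot's secure discovery port (15011 in Istio 1.3); if plaintext is intended, a comment next to the two args saying so would record the decision. Also, `maxSurge:` and `maxUnavailable:` under `strategy.rollingUpdate` are bare keys that parse as null; give them values or drop the `strategy` block.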
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/horizontal-pod-autoscaler.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/horizontal-pod-autoscaler.yaml
new file mode 100644
index 0000000000..f7c784f1c6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/horizontal-pod-autoscaler.yaml
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ name: cluster-local-gateway
+spec:
+ maxReplicas: 5
+ metrics:
+ - resource:
+ name: cpu
+ targetAverageUtilization: 80
+ type: Resource
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: cluster-local-gateway
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/kustomization.yaml
new file mode 100644
index 0000000000..d6d242a49b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/kustomization.yaml
@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+- name: cluster-local-gateway-parameters
+ envs:
+ - params.env
+
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- deployment.yaml
+- horizontal-pod-autoscaler.yaml
+- namespace.yaml
+- pod-disruption-budget.yaml
+- service-account.yaml
+- service.yaml
+
+vars:
+- name: namespace
+ objref:
+ kind: ConfigMap
+ name: cluster-local-gateway-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.namespace
+
+commonLabels:
+ kustomize.component: cluster-local-gateway
+
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/namespace.yaml
new file mode 100644
index 0000000000..4a7da48228
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: $(namespace)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.env
new file mode 100644
index 0000000000..ad99a1362c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.env
@@ -0,0 +1 @@
+namespace=istio-system
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.yaml
new file mode 100644
index 0000000000..1f3425fcfc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/name
+ kind: Namespace
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/pod-disruption-budget.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/pod-disruption-budget.yaml
new file mode 100644
index 0000000000..7fafe185bc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/pod-disruption-budget.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: cluster-local-gateway
+ labels:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+spec:
+
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service-account.yaml
new file mode 100644
index 0000000000..4afe8e0cb8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service-account.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cluster-local-gateway-service-account
+ labels:
+ app: cluster-local-gateway
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-multi
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service.yaml
new file mode 100644
index 0000000000..276c9b8604
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/cluster-local-gateway-1-3-1/base/service.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cluster-local-gateway
+ labels:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+spec:
+ type: ClusterIP
+ selector:
+ app: cluster-local-gateway
+ istio: cluster-local-gateway
+ ports:
+ -
+ name: http2
+ port: 80
+ targetPort: 80
+ -
+ name: https
+ port: 443
+ -
+ name: tcp
+ port: 31400
+ -
+ name: tcp-pilot-grpc-tls
+ port: 15011
+ targetPort: 15011
+ -
+ name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ -
+ name: http2-kiali
+ port: 15029
+ targetPort: 15029
+ -
+ name: http2-prometheus
+ port: 15030
+ targetPort: 15030
+ -
+ name: http2-grafana
+ port: 15031
+ targetPort: 15031
+ -
+ name: http2-tracing
+ port: 15032
+ targetPort: 15032
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/crd.yaml
new file mode 100644
index 0000000000..533c5d9806
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/crd.yaml
@@ -0,0 +1,723 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + shortNames: + - vs + categories: + - istio-io + - networking-istio-io + scope: Namespaced + versions: + - name: v1alpha3 + served: true + storage: true + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + shortNames: + - dr + categories: + - istio-io + - networking-istio-io + scope: Namespaced + versions: + - name: v1alpha3 + served: true + storage: true + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + shortNames: + - se + categories: + - istio-io + - networking-istio-io + scope: Namespaced + versions: + - name: v1alpha3 + served: true + storage: true + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + shortNames: + - gw + categories: + - istio-io + - networking-istio-io + scope: Namespaced + versions: + - name: v1alpha3 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + versions: + - name: v1alpha3 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: clusterrbacconfigs.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: policies.authentication.istio.io + labels: + app: istio-citadel +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io + labels: + app: istio-citadel +spec: + group: 
authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecbindings.config.istio.io + labels: + app: istio-mixer +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecs.config.istio.io + labels: + app: istio-mixer +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecbindings.config.istio.io + labels: + app: istio-mixer +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecs.config.istio.io + labels: + app: istio-mixer +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + labels: + app: 
mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true 
+ additionalPrinterColumns: + - JSONPath: .spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + versions: + - name: v1alpha3 + served: true + storage: true +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizationpolicies.rbac.istio.io + labels: + app: istio-pilot + istio: rbac +spec: + group: rbac.istio.io + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + labels: + app: certmanager +spec: + group: certmanager.k8s.io + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + labels: + app: certmanager +spec: + group: certmanager.k8s.io + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + labels: + app: certmanager +spec: + additionalPrinterColumns: + - JSONPath: 
.status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + versions: + - name: v1alpha1 + served: true + storage: true + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: Order + plural: orders + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: challenges.certmanager.k8s.io + labels: + app: certmanager +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: Challenge + plural: challenges + scope: Namespaced +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/kustomization.yaml new file mode 100644 index 0000000000..444ffe294c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-crds-1-3-1/base/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml + +commonLabels: + kustomize.component: istio-crds 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/attribute-manifest.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/attribute-manifest.yaml new file mode 100644 index 0000000000..5ba9438a64 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/attribute-manifest.yaml 
@@ -0,0 +1,199 @@ +apiVersion: config.istio.io/v1alpha2 +kind: attributemanifest +metadata: + labels: + app: mixer + name: istioproxy +spec: + attributes: + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + check.cache_hit: + valueType: BOOL + check.error_code: + valueType: INT64 + check.error_message: + valueType: STRING + connection.duration: + valueType: DURATION + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.mtls: + valueType: BOOL + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.requested_server_name: + valueType: STRING + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + context.protocol: + valueType: STRING + context.proxy_error_code: + valueType: STRING + context.proxy_version: + valueType: STRING + context.reporter.kind: + valueType: STRING + context.reporter.local: + valueType: BOOL + context.reporter.uid: + valueType: STRING + context.time: + valueType: TIMESTAMP + context.timestamp: + valueType: TIMESTAMP + destination.port: + valueType: INT64 + destination.principal: + valueType: STRING + destination.uid: + valueType: STRING + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + quota.cache_hit: + valueType: BOOL + rbac.permissive.effective_policy_id: + valueType: STRING + rbac.permissive.response_code: + valueType: STRING + request.api_key: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.presenter: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.raw_claims: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.host: + valueType: STRING + request.id: + valueType: STRING + request.method: + valueType: STRING + request.path: + 
valueType: STRING + request.query_params: + valueType: STRING_MAP + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.total_size: + valueType: INT64 + request.url_path: + valueType: STRING + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.grpc_message: + valueType: STRING + response.grpc_status: + valueType: STRING + response.headers: + valueType: STRING_MAP + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + response.total_size: + valueType: INT64 + source.principal: + valueType: STRING + source.uid: + valueType: STRING + source.user: + valueType: STRING + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: attributemanifest +metadata: + labels: + app: mixer + name: kubernetes +spec: + attributes: + destination.container.name: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.owner: + valueType: STRING + destination.service.host: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.uid: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING + destination.workload.uid: + valueType: STRING + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + 
source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + source.workload.uid: + valueType: STRING diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..d25e455f2a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role-binding.yaml 
@@ -0,0 +1,149 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: security
+ name: istio-citadel-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-citadel-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: galley
+ name: istio-galley-admin-role-binding-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-galley-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: istio-galley-service-account
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: mixer
+ name: istio-mixer-admin-role-binding-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-mixer-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-multi
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader
+subjects:
+- kind: ServiceAccount
+ name: istio-multi
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: nodeagent
+ name: istio-nodeagent-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-nodeagent-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: pilot
+ name: istio-pilot-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-pilot-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: istio-pilot-service-account
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: security
+ name: istio-security-post-install-role-binding-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-security-post-install-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: istio-security-post-install-account
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: sidecarInjectorWebhook
+ istio: sidecar-injector
+ name: istio-sidecar-injector-admin-role-binding-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-injector-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: $(namespace)
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: prometheus
+ name: prometheus-$(namespace)
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-$(namespace)
+subjects:
+- kind: ServiceAccount
+ name: prometheus
+ namespace: $(namespace)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role.yaml
new file mode 100644
index 0000000000..5114383151
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/cluster-role.yaml
@@ -0,0 +1,401 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: security
+ name: istio-citadel-$(namespace)
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - get
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - watch
+ - list
+ - update
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - services
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: galley
+ name: istio-galley-$(namespace)
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac.istio.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - extensions
+ - apps
+ resourceNames:
+ - istio-galley
+ resources:
+ - deployments
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - services
+ - endpoints
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - extensions
+ resourceNames:
+ - istio-galley
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: mixer
+ name: istio-mixer-$(namespace)
+rules:
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - pods
+ - services
+ - namespaces
+ - secrets
+ - replicationcontrollers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - extensions
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: nodeagent
+ name: istio-nodeagent-$(namespace)
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: pilot
+ name: istio-pilot-$(namespace)
+rules:
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.istio.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ - ingresses/status
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - pods
+ - services
+ - namespaces
+ - nodes
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - pods
+ - services
+ - endpoints
+ - replicationcontrollers
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - extensions
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: security
+ name: istio-security-post-install-$(namespace)
+rules:
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+- apiGroups:
+ - extensions
+ - apps
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: sidecarInjectorWebhook
+ istio: sidecar-injector
+ name: istio-sidecar-injector-$(namespace)
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: prometheus
+ name: prometheus-$(namespace)
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - nodes/proxy
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/config-map.yaml
new file mode 100644
index 0000000000..170bb5a52c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/config-map.yaml
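Review bot: Several rules in `cluster-role.yaml` are wider than the component names suggest: `istio-pilot-$(namespace)` has `'*'` verbs on `customresourcedefinitions` plus cluster-wide `get`/`list`/`watch` on `secrets`, `istio-mixer-$(namespace)` can likewise read every `secrets` object, and `prometheus-$(namespace)` includes `nodes/proxy`. Each of these roles is bound through a ClusterRoleBinding in `cluster-role-binding.yaml`, so a compromise of any of those service accounts would expose secrets in all namespaces, not only the Istio one. The file sits under `upstream/manifests` and looks vendored, so the narrowing belongs in a kustomize overlay rather than in this base, for example patching the pilot CRD rule down to `verbs: [get, list, watch]` if CRDs are installed only from `istio-crds-1-3-1` (to be confirmed against what Pilot 1.3.1 needs at start-up). `istio-security-post-install-$(namespace)` is also the only role here declared with `rbac.authorization.k8s.io/v1beta1`; `apiVersion: rbac.authorization.k8s.io/v1` would match the rest of the file.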
@@ -0,0 +1,1000 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + labels: + app: istio +data: + mesh: |- + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + disablePolicyChecks: true + # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server + reportBatchMaxEntries: 100 + # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server + reportBatchMaxTime: 1s + + # Set enableTracing to false to disable request tracing. + enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "" + + # If accessLogEncoding is TEXT, value will be used directly as the log format + # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" + # If AccessLogEncoding is JSON, value will be parsed as map[string]string + # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' + # Leave empty to use default log format + accessLogFormat: "" + + # Set accessLogEncoding to JSON or TEXT to configure sidecar access log + accessLogEncoding: 'TEXT' + + enableEnvoyAccessLogService: false + mixerCheckServer: istio-policy.$(namespace).svc.cluster.local:15004 + mixerReportServer: istio-telemetry.$(namespace).svc.cluster.local:15004 + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. 
+ policyCheckFailOpen: false + # Let Pilot give ingresses the public IP of the Istio ingressgateway + ingressService: istio-ingressgateway + + # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS + connectTimeout: 10s + + # Automatic protocol detection uses a set of heuristics to + # determine whether the connection is using TLS or not (on the + # server side), as well as the application protocol being used + # (e.g., http vs tcp). These heuristics rely on the client sending + # the first bits of data. For server first protocols like MySQL, + # MongoDB, etc., Envoy will timeout on the protocol detection after + # the specified period, defaulting to non mTLS plain TCP + # traffic. Set this field to tweak the period that Envoy will wait + # for the client to send the first bits of data. (MUST BE >=1ms) + protocolDetectionTimeout: 100ms + + # DNS refresh rate for Envoy clusters of type STRICT_DNS + dnsRefreshRate: 300s + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "unix:/var/run/sds/uds_path" + + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "" + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + outboundTrafficPolicy: + mode: ALLOW_ANY + localityLbSetting: + enabled: true + # The namespace to treat as the administrative root namespace for istio + # configuration. 
+ rootNamespace: $(namespace) + configSources: + - address: istio-galley.$(namespace).svc:9901 + tlsSettings: + mode: ISTIO_MUTUAL + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters + # defined in Envoy's configuration file + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. + # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. + # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. 
+ concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.$(namespace):9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.$(namespace):15011 + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + networks: {} + +--- +# Source: istio/templates/sidecar-injector-configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + labels: + app: istio + istio: sidecar-injector +data: + values: |- + {"certmanager":{"enabled":false},"galley":{"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCer
tificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"image":"galley","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"gateways":{"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{
"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"istio-egressgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"labels":{"app":"istio-egressgateway","istio":"egressgateway"},"nodeSelector":{},"podAnnotations":{},"podA
ntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"ClusterIP"},"istio-ilbgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"labels":{"app":"istio-ilbgateway","istio":"ilbgateway"},"loadBalancerIP":"","nodeSelector":{},"podAnnotations":{},"ports":[{"name":"grpc-pilot-mtls","port":15011},{"name":"grpc-pilot","port":15010},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns","port":5353}],"resources":{"requests":{"cpu":"800m","memory":"512Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/ilbgateway-certs","name":"ilbgateway-certs","secretName":"istio-ilbgateway-certs"},{"mountPath":"/etc/istio/ilbgateway-ca-certs","name":"ilbgateway-ca-certs","secretName":"istio-ilbgateway-ca-certs"}],"serviceAnnotations":{"cloud.google.com/load-balancer-type":"internal"},"tolerations":[],"type":"LoadBalancer"},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"externalIPs":[],"labels":{"app":"istio-ingressgateway","istio":"ingressgateway"},"loadBalancerIP":"","loadBalancerSourceRanges":[],"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-mixer-grpc-tls","port"
:15004,"targetPort":15004},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","nodePort":31380,"port":80,"targetPort":80},{"name":"https","nodePort":31390,"port":443},{"name":"tcp","nodePort":31400,"port":31400},{"name":"https-kiali","port":15029,"targetPort":15029},{"name":"https-prometheus","port":15030,"targetPort":15030},{"name":"https-grafana","port":15031,"targetPort":15031},{"name":"https-tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"LoadBalancer"}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","
meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"grafana":{"enabled":false},"istio_cni":{"enabled":false},"istiocoredns":{"enabled":false},"kiali":{"enabled":false},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stdio
":{"enabled":false,"outputAsJson":true},"useAdapterCRDs":false},"env":{"GODEBUG":"gctrace=1","GOMAXPROCS":"6"},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readine
ssPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"image":"mixer","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%"},"telemetry":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","resources":{"limits":{"cpu":"4800m","memory":"4G"},"requests":{"cpu":"1000m","memory":"1G"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sessionAffinityEnabled":false},"tolerations":[]},"nodeagent":{"enabled":true,"env":{"CA_ADDR":"istio-citadel:8060","CA_PROVIDER":"Citadel","PLUGINS":"","VALID_TOKEN":true},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":fals
e},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"image":"node-agent-k8s","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"tolerations":[]},"pilot":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverage
Utilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{"GODEBUG":"gctrace=1","PILOT_PUSH_THROTTLE":100},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFai
lureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"image":"pilot","keepaliveMaxServerConnectionAge":"30m","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"resources":{"requests":{"cpu":"500m","memory":"2048Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sidecar":true,"tolerations":[],"traceSampling":1},"prometheus":{"contextPath":"/prometheus","enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enable
CoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"hub":"docker.io/prom","image":"prometheus","ingress":{"annotations":null,"enabled":false,"hosts":["prometheus.local"],"tls":null},"nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"service":{"annotations":{},"nodePort":{"enabled":false,"port":32090}},"tag":"v2.8.0","tolerations":[]},"security":{"citadelHealthCheck":false,"createMeshPolicy":true,"enableNamespacesByDefault":true,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enable
d":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"
tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"image":"citadel","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":true,"tolerations":[],"workloadCertTtl":"2160h"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"gcr.io/istio-release","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"oneNamespace":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null},"envoyStatsd":{"e
nabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxy_init"},"sds":{"enabled":true,"token":{"aud":"istio-ca"},"udsPath":"unix:/var/run/sds/uds_path"},"tag":"release-1.3-latest-daily","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"","useMCP":true},"image":"sidecar_injector","neverInjectSelector":[],"nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"tracing":{"enabled":false}} + + config: |- + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + template: |- + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} + {{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{- if not .Values.istio_cni.enabled }} + - name: istio-init + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - "-p" + - "15001" + - "-z" + - "15006" + - 
"-u" + - 1337 + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + {{- if .Values.global.proxy.init.resources }} + resources: + {{ toYaml .Values.global.proxy.init.resources | indent 4 }} + {{- else }} + resources: {} + {{- end }} + securityContext: + runAsUser: 0 + runAsNonRoot: false + capabilities: + add: + - NET_ADMIN + {{- if .Values.global.proxy.privileged }} + privileged: true + {{- end }} + restartPolicy: Always + {{- end }} + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + command: + - /bin/sh + image: {{ $.Values.global.proxy.enableCoreDumpImage }} + imagePullPolicy: IfNotPresent + resources: {} + securityContext: + runAsUser: 
0 + runAsNonRoot: false + privileged: true + {{ end }} + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --configPath + - "{{ .ProxyConfig.ConfigPath }}" + - --binaryPath + - "{{ .ProxyConfig.BinaryPath }}" + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --drainDuration + - "{{ formatDuration .ProxyConfig.DrainDuration }}" + - --parentShutdownDuration + - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" + - --discoveryAddress + - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" + {{- if eq .Values.global.proxy.tracer "lightstep" }} + - --lightstepAddress + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" + - --lightstepAccessToken + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" + - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} + - --lightstepCacertPath + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + - --zipkinAddress + - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" + {{- else if eq .Values.global.proxy.tracer "datadog" }} + - --datadogAgentAddress + - "{{ 
.ProxyConfig.GetTracing.GetDatadog.GetAddress }}" + {{- end }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} + {{- end}} + - --dnsRefreshRate + - {{ .Values.global.proxy.dnsRefreshRate }} + - --connectTimeout + - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" + {{- if .Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - "{{ .ProxyConfig.StatsdUdpAddress }}" + {{- end }} + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" + {{- end }} + {{- if .Values.global.proxy.envoyAccessLogService.enabled }} + - --envoyAccessLogService + - '{{ structToJSON .ProxyConfig.EnvoyAccessLogService }}' + {{- end }} + - --proxyAdminPort + - "{{ .ProxyConfig.ProxyAdminPort }}" + {{ if gt .ProxyConfig.Concurrency 0 -}} + - --concurrency + - "{{ .ProxyConfig.Concurrency }}" + {{ end -}} + - --controlPlaneAuthPolicy + - "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}" + {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} + - --statusPort + - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" + - --applicationPorts + - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" + {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }} + 
{{- end}} + {{- end}} + ] + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multicluster.clusterName `Kubernetes` }}" + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if eq .Values.global.proxy.tracer "datadog" }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- end }} + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SDS_ENABLED + value: {{ $.Values.global.sds.enabled }} + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{ if .ObjectMeta.Labels }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ toJSON .ObjectMeta.Labels }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{ .DeploymentMeta.Name }} + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://api/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault 
.DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: ISTIO_META_SDS_TOKEN_PATH + value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if .Values.global.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.trustDomain }}" + {{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if .Values.global.proxy.privileged }} + privileged: true + {{- end }} + {{- if ne .Values.global.proxy.enableCoreDump true }} + readOnlyRootFilesystem: true + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + {{ else -}} + {{ if .Values.global.sds.enabled }} + runAsGroup: 1337 + {{- end }} + runAsUser: 1337 + {{- end }} + resources: + {{ if or (isset 
.ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end}} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{ else -}} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{ end -}} + volumeMounts: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if .Values.global.sds.enabled }} + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.sds.customTokenDirectory }} + - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" + name: custom-sds-token + readOnly: true + {{- end }} + {{- else }} + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + - 
emptyDir: + medium: Memory + name: istio-envoy + {{- if .Values.global.sds.enabled }} + - name: sds-uds-path + hostPath: + path: /var/run/sds + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: custom-sds-token + secret: + secretName: sdstokensecret + {{- end }} + {{- else }} + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.podDNSSearchNamespaces }} + dnsConfig: + searches: + {{- range .Values.global.podDNSSearchNamespaces }} + - {{ render . 
}} + {{- end }} + {{- end }} + podRedirectAnnot: + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{- end }} + traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus +data: + prometheus.yaml: |- + global: + scrape_interval: 15s + scrape_configs: + + - job_name: 'istio-mesh' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - $(namespace) + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;prometheus + + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + + 
relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'istio-policy' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - $(namespace) + + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-policy;http-monitoring + + - job_name: 'istio-telemetry' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - $(namespace) + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;http-monitoring + + - job_name: 'pilot' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - $(namespace) + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - $(namespace) + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-galley;http-monitoring + + - job_name: 'citadel' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - $(namespace) + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-citadel;http-monitoring + + # scrape config for API servers + - job_name: 
'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - default + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kubernetes;https + + # scrape config for nodes (kubelet) + - job_name: 'kubernetes-nodes' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Scrape config for Kubelet cAdvisor. + # + # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics + # (those whose names begin with 'container_') have been removed from the + # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to + # retrieve those metrics. + # + # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor + # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" + # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with + # the --cadvisor-port=0 Kubelet flag). + # + # This job is not necessary and should be removed in Kubernetes 1.6 and + # earlier versions, or it will cause the metrics to be scraped twice. 
+ - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor + + # scrape config for service endpoints. + - job_name: 'kubernetes-service-endpoints' + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. 
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http" + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: keep + regex: ((;.*)|(.*;http)) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: drop + regex: (http) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration +data: + validating-webhook-configuration.yaml: | + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + labels: + app: galley + istio: galley + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: $(namespace) + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - 
networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + sideEffects: None + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: $(namespace) + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + - adapters + - handlers + - instances + - templates + - zipkins + failurePolicy: Fail + sideEffects: None + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources +data: + istio-security-custom-resources.yaml: | + # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. + apiVersion: "authentication.istio.io/v1alpha1" + kind: "MeshPolicy" + metadata: + name: "default" + labels: + app: security + spec: + peers: + - mtls: + mode: PERMISSIVE + istio-security-run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + kubectl -n $(namespace) get deployment istio-galley 2>/dev/null + if [ "$?" 
-eq 0 ]; then
+ break
+ fi
+ sleep 1
+ done
+ kubectl -n $(namespace) rollout status deployment istio-galley
+ if [ "$?" -ne 0 ]; then
+ echo "istio-galley deployment rollout status check failed"
+ exit 1
+ fi
+ echo "istio-galley deployment ready for configuration validation"
+ fi
+ sleep 5
+ kubectl apply -f ${pathToResourceYAML}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/daemon-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/daemon-set.yaml
new file mode 100644
index 0000000000..333e72f40c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/daemon-set.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ app: nodeagent
+ istio: nodeagent
+ name: istio-nodeagent
+spec:
+ selector:
+ matchLabels:
+ istio: nodeagent
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: nodeagent
+ istio: nodeagent
+ spec:
+ tolerations:
+ - effect: NoExecute
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ weight: 2
+ - preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ weight: 2
+ - preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+ weight: 2
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ containers:
+ - env:
+ - name: CA_ADDR
+ value: istio-citadel:8060
+ - name: CA_PROVIDER
+ value: Citadel
+ - name: PLUGINS
+ value: ""
+ - name: VALID_TOKEN
+ value: "true"
+ - name: TRUST_DOMAIN
+ value: ""
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: gcr.io/istio-release/node-agent-k8s:release-1.3-latest-daily
+ imagePullPolicy: IfNotPresent
+ name: nodeagent
+ volumeMounts:
+ - mountPath: /var/run/sds
+ name: sdsudspath
+ serviceAccountName: istio-nodeagent-service-account
+ volumes:
+ - hostPath:
+ path: /var/run/sds
+ name: sdsudspath
+ updateStrategy:
+ type: RollingUpdate
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/deployment.yaml
new file mode 100644
index 0000000000..e37b43966e
--- /dev/null
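Review bot: The `nodeagent` container in daemon-set.yaml is pulled by the floating tag `release-1.3-latest-daily` with `imagePullPolicy: IfNotPresent`, so each node keeps whichever build it pulled first and the tag can be repointed upstream without any change in this repository. This DaemonSet shares the hostPath `/var/run/sds` that the injector template in the same patch mounts into every sidecar when SDS is enabled, so the provenance of this image matters more than for an ordinary workload. Pinning by digest closes that gap, e.g. `image: gcr.io/istio-release/node-agent-k8s@sha256:<DIGEST_OF_REVIEWED_BUILD>` (placeholder, no digest is given on the page). The file sits under `upstream/` and looks vendored, so the pin probably belongs in the cluster's overlay rather than in this copy. The same tag is used by the `citadel` and `galley` images in deployment.yaml.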
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/deployment.yaml 
@@ -0,0 +1,1164 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: security + istio: citadel + name: istio-citadel +spec: + replicas: 1 + selector: + matchLabels: + istio: citadel + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: security + istio: citadel + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - --sds-enabled=true + - --append-dns-names=true + - --grpc-port=8060 + - --citadel-storage-namespace=$(namespace) + - --custom-dns-names=istio-pilot-service-account.$(namespace):istio-pilot.$(namespace) + - --monitoring-port=15014 + - --self-signed-ca=true + - --workload-cert-ttl=2160h + env: + - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT + value: "true" + image: gcr.io/istio-release/citadel:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + name: citadel + resources: + requests: + cpu: 10m + serviceAccountName: istio-citadel-service-account + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: galley + istio: galley + name: istio-galley +spec: + replicas: 1 + selector: + matchLabels: + istio: galley + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: galley + istio: galley + spec: + affinity: + nodeAffinity: + 
preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - command: + - /usr/local/bin/galley + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/healthliveness + - --readinessProbePath=/healthready + - --readinessProbeInterval=1s + - --deployment-namespace=$(namespace) + - --insecure=false + - --validation-webhook-config-file + - /etc/config/validating-webhook-configuration.yaml + - --monitoringPort=15014 + - --log_output_level=default:info + image: gcr.io/istio-release/galley:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthliveness + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + name: galley + ports: + - containerPort: 443 + - containerPort: 15014 + - containerPort: 9901 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthready + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/certs + name: certs + readOnly: true + - mountPath: /etc/config + name: config + readOnly: true + - mountPath: /etc/mesh-config + name: mesh-config + readOnly: true + serviceAccountName: istio-galley-service-account + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - configMap: + name: istio-galley-configuration + 
name: config + - configMap: + name: istio + name: mesh-config + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + name: istio-ingressgateway +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + istio: ingressgateway + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --connectTimeout + - 10s + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --discoveryAddress + - istio-pilot:15011 + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + 
apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "true" + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://api/apps/v1/namespaces/$(namespace)/deployments/istio-ingressgateway + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + image: gcr.io/istio-release/proxyv2:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15020 + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15443 + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /var/run/sds + name: sdsudspath + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/certs + name: istio-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + serviceAccountName: istio-ingressgateway-service-account + volumes: + - hostPath: + path: /var/run/sds + name: sdsudspath + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istio-certs + secret: + optional: true + 
secretName: istio.istio-ingressgateway-service-account + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 + labels: + app: pilot + istio: pilot + name: istio-pilot +spec: + selector: + matchLabels: + istio: pilot + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: pilot + istio: pilot + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - discovery + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --secureGrpcAddr + - "" + - --keepaliveMaxServerConnectionAge + - 30m + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: GODEBUG + value: gctrace=1 + - name: PILOT_PUSH_THROTTLE + value: "100" + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "true" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "false" + 
image: gcr.io/istio-release/pilot:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + name: discovery + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + resources: + requests: + cpu: 500m + memory: 2048Mi + volumeMounts: + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /etc/certs + name: istio-certs + readOnly: true + - args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: SDS_ENABLED + value: "true" + image: gcr.io/istio-release/proxyv2:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /etc/certs + name: istio-certs + readOnly: true + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + serviceAccountName: istio-pilot-service-account + volumes: + - hostPath: + path: /var/run/sds + name: sds-uds-path + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + name: config-volume + - name: istio-certs + secret: + optional: true + secretName: istio.istio-pilot-service-account + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + 
labels: + app: istio-mixer + istio: mixer + name: istio-policy +spec: + selector: + matchLabels: + istio: mixer + istio-mixer-type: policy + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: policy + istio: mixer + istio-mixer-type: policy + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcps://istio-galley.$(namespace).svc:9901 + - --configDefaultNamespace=$(namespace) + - --useAdapterCRDs=false + - --useTemplateCRDs=false + - --trace_zipkin_url=http://zipkin.$(namespace):9411/api/v1/spans + env: + - name: GODEBUG + value: gctrace=1 + - name: GOMAXPROCS + value: "6" + image: gcr.io/istio-release/mixer:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + name: mixer + ports: + - containerPort: 15014 + - containerPort: 42422 + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/certs + name: istio-certs + readOnly: true + - mountPath: /sock + name: uds-socket + - args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-policy + - --templateFile + - 
/etc/istio/proxy/envoy_policy.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: SDS_ENABLED + value: "true" + image: gcr.io/istio-release/proxyv2:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /etc/certs + name: istio-certs + readOnly: true + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /sock + name: uds-socket + - mountPath: /var/run/secrets/istio.io/policy/adapter + name: policy-adapter-secret + readOnly: true + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + optional: true + secretName: istio.istio-mixer-service-account + - hostPath: + path: /var/run/sds + name: sds-uds-path + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: uds-socket + - name: policy-adapter-secret + secret: + optional: true + secretName: policy-adapter-secret + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + name: istio-sidecar-injector +spec: + replicas: 1 + selector: + matchLabels: + istio: sidecar-injector + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + spec: + 
affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=2s + - --healthCheckFile=/health + image: gcr.io/istio-release/sidecar_injector:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + name: sidecar-injector-webhook + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/istio/config + name: config-volume + readOnly: true + - mountPath: /etc/istio/certs + name: certs + readOnly: true + - mountPath: /etc/istio/inject + name: inject-config + readOnly: true + serviceAccountName: istio-sidecar-injector-service-account + volumes: + - configMap: + name: istio + name: config-volume + - name: certs + secret: + secretName: istio.istio-sidecar-injector-service-account + - configMap: + items: + - key: config + path: config + - key: values + path: values + name: istio-sidecar-injector + name: inject-config 
+ +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-mixer + istio: mixer + name: istio-telemetry +spec: + selector: + matchLabels: + istio: mixer + istio-mixer-type: telemetry + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: telemetry + istio: mixer + istio-mixer-type: telemetry + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcps://istio-galley.$(namespace).svc:9901 + - --certFile=/etc/certs/cert-chain.pem + - --keyFile=/etc/certs/key.pem + - --caCertFile=/etc/certs/root-cert.pem + - --configDefaultNamespace=$(namespace) + - --useAdapterCRDs=false + - --trace_zipkin_url=http://zipkin.$(namespace):9411/api/v1/spans + - --averageLatencyThreshold + - 100ms + - --loadsheddingMode + - enforce + env: + - name: GODEBUG + value: gctrace=1 + - name: GOMAXPROCS + value: "6" + image: gcr.io/istio-release/mixer:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + name: mixer + ports: + - containerPort: 15014 + - containerPort: 42422 + resources: + limits: + cpu: 4800m + memory: 4G + requests: + cpu: 1000m + memory: 1G + 
volumeMounts: + - mountPath: /etc/certs + name: istio-certs + readOnly: true + - mountPath: /var/run/secrets/istio.io/telemetry/adapter + name: telemetry-adapter-secret + readOnly: true + - mountPath: /sock + name: uds-socket + - args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-telemetry + - --templateFile + - /etc/istio/proxy/envoy_telemetry.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: SDS_ENABLED + value: "true" + image: gcr.io/istio-release/proxyv2:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: + - mountPath: /etc/certs + name: istio-certs + readOnly: true + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /sock + name: uds-socket + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + optional: true + secretName: istio.istio-mixer-service-account + - hostPath: + path: /var/run/sds + name: sds-uds-path + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: uds-socket + - name: telemetry-adapter-secret + secret: + optional: true + secretName: telemetry-adapter-secret + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: prometheus + name: prometheus +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus + 
template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: prometheus + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - args: + - --storage.tsdb.retention=6h + - --config.file=/etc/prometheus/prometheus.yaml + image: docker.io/prom/prometheus:v2.8.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + name: prometheus + ports: + - containerPort: 9090 + name: http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/prometheus + name: config-volume + - mountPath: /etc/istio-certs + name: istio-certs + serviceAccountName: prometheus + volumes: + - configMap: + name: prometheus + name: config-volume + - name: istio-certs + secret: + defaultMode: 420 + secretName: istio.default diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/handler.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/handler.yaml new file mode 100644 index 0000000000..4977746a3a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/handler.yaml 
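Review bot: No container in this file sets a `securityContext`, which matters most for `istio-ingressgateway`: its `istio-proxy` container listens on 80 and 443 and mounts the node directory `/var/run/sds` through a `hostPath` volume with no `type`. If that container is compromised it keeps whatever user and capabilities the image defaults to, next to a directory shared at node level with the node agent and the pilot, policy and telemetry pods. I would add `securityContext: {allowPrivilegeEscalation: false}` to that container (to be confirmed against the 1.3 proxy image) and `type: Directory` on the `sdsudspath` and `sds-uds-path` volumes, so that a mount on a node without a running node agent fails instead of proceeding without any check. Limiting `hostPath` use to `/var/run/sds` for these service accounts in the cluster's pod security policy would cover the part this file cannot express.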
@@ -0,0 +1,223 @@ +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + labels: + app: mixer + name: kubernetesenv +spec: + compiledAdapter: kubernetesenv + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + labels: + app: mixer + name: prometheus +spec: + compiledAdapter: prometheus + params: + metrics: + - instance_name: requestcount.instance.$(namespace) + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + name: requests_total + - buckets: + explicit_buckets: + bounds: + - 0.005 + - 0.01 + - 0.025 + - 0.05 + - 0.1 + - 0.25 + - 0.5 + - 1 + - 2.5 + - 5 + - 10 + instance_name: requestduration.instance.$(namespace) + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + name: request_duration_seconds + - buckets: + exponentialBuckets: + growthFactor: 10 + numFiniteBuckets: 8 + scale: 1 + instance_name: requestsize.instance.$(namespace) + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - 
destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + name: request_bytes + - buckets: + exponentialBuckets: + growthFactor: 10 + numFiniteBuckets: 8 + scale: 1 + instance_name: responsesize.instance.$(namespace) + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + name: response_bytes + - instance_name: tcpbytesent.instance.$(namespace) + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + name: tcp_sent_bytes_total + - instance_name: tcpbytereceived.instance.$(namespace) + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - 
connection_security_policy + - response_flags + name: tcp_received_bytes_total + - instance_name: tcpconnectionsopened.instance.$(namespace) + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + name: tcp_connections_opened_total + - instance_name: tcpconnectionsclosed.instance.$(namespace) + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + name: tcp_connections_closed_total + metricsExpirationPolicy: + metricsExpiryDuration: 10m diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/horizontal-pod-autoscaler.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/horizontal-pod-autoscaler.yaml new file mode 100644 index 0000000000..6612fda5d5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/horizontal-pod-autoscaler.yaml 
@@ -0,0 +1,82 @@ +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + name: istio-ingressgateway +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway + +--- + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: pilot + name: istio-pilot +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-pilot + +--- + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: mixer + name: istio-policy +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-policy + +--- + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: mixer + name: istio-telemetry +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-telemetry diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/instance.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/instance.yaml new file mode 100644 index 0000000000..7164cfa8ed --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/instance.yaml 
@@ -0,0 +1,323 @@ +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: attributes +spec: + attributeBindings: + destination.container.name: $out.destination_container_name | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.uid: $out.destination_pod_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.uid: $out.source_pod_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + compiledTemplate: kubernetes + params: + destination_port: destination.port | 0 + destination_uid: destination.uid | "" + source_ip: source.ip | ip("0.0.0.0") + source_uid: source.uid | "" + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: requestcount +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + 
destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: destination.service.host | request.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + "destination") + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" + source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: "1" + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: requestduration +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: destination.service.host | request.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + 
destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + "destination") + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" + source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: response.duration | "0ms" + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: requestsize +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: destination.service.host | request.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + 
"destination") + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" + source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: request.size | 0 + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: responsesize +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: destination.service.host | request.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + "destination") + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" + source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + 
source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: response.size | 0 + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: tcpbytereceived +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + "destination") + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" + source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: connection.received.bytes | 0 + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: tcpbytesent +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: 
destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + "destination") + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" + source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: connection.sent.bytes | 0 + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: tcpconnectionsclosed +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + "destination") + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" 
+ source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: "1" + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + labels: + app: mixer + name: tcpconnectionsopened +spec: + compiledTemplate: metric + params: + dimensions: + connection_security_policy: conditional((context.reporter.kind | "inbound") + == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", + "none")) + destination_app: destination.labels["app"] | "unknown" + destination_principal: destination.principal | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", + "destination") + response_flags: context.proxy_error_code | "-" + source_app: source.labels["app"] | "unknown" + source_principal: source.principal | "unknown" + source_version: source.labels["version"] | "unknown" + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + monitored_resource_type: '"UNSPECIFIED"' + value: "1" diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/job.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/job.yaml new file mode 100644 index 0000000000..af2aeb7980 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/job.yaml 
@@ -0,0 +1,63 @@ +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app: security + name: istio-security-post-install-release-1.3-latest-daily +spec: + template: + metadata: + labels: + app: security + name: istio-security-post-install + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + weight: 2 + - preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + weight: 2 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + containers: + - command: + - /bin/bash + - /tmp/security/istio-security-run.sh + - /tmp/security/istio-security-custom-resources.yaml + image: gcr.io/istio-release/kubectl:release-1.3-latest-daily + imagePullPolicy: IfNotPresent + name: kubectl + volumeMounts: + - mountPath: /tmp/security + name: tmp-configmap-security + restartPolicy: OnFailure + serviceAccountName: istio-security-post-install-account + volumes: + - configMap: + name: istio-security-custom-resources + name: tmp-configmap-security diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/kustomization.yaml new file mode 100644 index 0000000000..5c9e2d85d9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/kustomization.yaml 
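Review bot: The Job's `image: gcr.io/istio-release/kubectl:release-1.3-latest-daily` is a floating daily tag, and with `imagePullPolicy: IfNotPresent` each node keeps whichever build it pulled first, so the code that runs under `istio-security-post-install-account` is neither fixed nor reproducible. The same tag is set for citadel, galley, kubectl, mixer, node-agent-k8s, pilot, proxyv2 and sidecar_injector in the `images:` list of kustomization.yaml in this patch. Pin each entry there to a reviewed release tag or, better, a digest, e.g. `digest: sha256:<digest-of-reviewed-image>` in place of `newTag: release-1.3-latest-daily`. The path suggests these files are a copy of upstream manifests, so the pin may belong in an overlay rather than in this base.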
@@ -0,0 +1,61 @@ +# Each entry in this list results in the creation of +# one ConfigMap resource (it's a generator of n maps). +configMapGenerator: +- name: istio-install-parameters + env: params.env + +# Images modify the tags for images without +# creating patches. +images: +- name: docker.io/prom/prometheus + newTag: v2.8.0 +- name: gcr.io/istio-release/citadel + newTag: release-1.3-latest-daily +- name: gcr.io/istio-release/galley + newTag: release-1.3-latest-daily +- name: gcr.io/istio-release/kubectl + newTag: release-1.3-latest-daily +- name: gcr.io/istio-release/mixer + newTag: release-1.3-latest-daily +- name: gcr.io/istio-release/node-agent-k8s + newTag: release-1.3-latest-daily +- name: gcr.io/istio-release/pilot + newTag: release-1.3-latest-daily +- name: gcr.io/istio-release/proxyv2 + newTag: release-1.3-latest-daily +- name: gcr.io/istio-release/sidecar_injector + newTag: release-1.3-latest-daily + +resources: +- namespace.yaml +- attribute-manifest.yaml +- config-map.yaml +- cluster-role.yaml +- cluster-role-binding.yaml +- daemon-set.yaml +- deployment.yaml +- handler.yaml +- horizontal-pod-autoscaler.yaml +- instance.yaml +- job.yaml +- mutating-webhook-configuration.yaml +- pod-disruption-budget.yaml +- role.yaml +- role-binding.yaml +- rule.yaml +- service.yaml +- service-account.yaml +- service-role.yaml +- service-role-binding.yaml + +vars: +- name: namespace + objref: + kind: ConfigMap + name: istio-install-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace + +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/mutating-webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/mutating-webhook-configuration.yaml new file mode 100644 index 0000000000..281b94eb28 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/mutating-webhook-configuration.yaml @@ -0,0 +1,27 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: sidecarInjectorWebhook + name: istio-sidecar-injector +webhooks: +- clientConfig: + caBundle: "" + service: + name: istio-sidecar-injector + namespace: $(namespace) + path: /inject + failurePolicy: Fail + name: sidecar-injector.istio.io + namespaceSelector: + matchLabels: + istio-injection: enabled + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/namespace.yaml new file mode 100644 index 0000000000..4a7da48228 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: $(namespace) diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.env new file mode 100644 index 0000000000..ad99a1362c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.env @@ -0,0 +1 @@ +namespace=istio-system diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.yaml new file mode 100644 index 0000000000..0e5dc93832 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/params.yaml 
@@ -0,0 +1,35 @@ +varReference: +- path: metadata/name + kind: Namespace +- path: data/validatingwebhookconfiguration.yaml + kind: ConfigMap +- path: metadata/name + kind: ClusterRole +- path: webhooks/clientConfig/service/namespace + kind: MutatingWebhookConfiguration +- path: metadata/name + kind: ClusterRoleBinding +- path: roleRef/name + kind: ClusterRoleBinding +- path: data/istio-performance-dashboard.json + kind: ConfigMap +- path: data/mesh + kind: ConfigMap +- path: data/config.yaml + kind: ConfigMap +- path: data/prometheus.yaml + kind: ConfigMap +- path: spec/params/metrics/instance_name + kind: handler +- path: spec/host + kind: DestinationRule +- path: spec/rules/services + kind: ServiceRole +- path: data/istio-security-custom-resources.yaml + kind: ConfigMap +- path: data/istio-security-run.sh + kind: ConfigMap +- path: data/validating-webhook-configuration.yaml + kind: ConfigMap +- path: subjects/namespace + kind: ClusterRoleBinding diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/pod-disruption-budget.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/pod-disruption-budget.yaml new file mode 100644 index 0000000000..214ba3b682 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/pod-disruption-budget.yaml 
@@ -0,0 +1,99 @@ +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: galley + istio: galley + name: istio-galley +spec: + minAvailable: 1 + selector: + matchLabels: + app: galley + istio: galley + +--- + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + name: istio-ingressgateway +spec: + minAvailable: 1 + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + +--- + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: pilot + istio: pilot + name: istio-pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: pilot + istio: pilot + +--- + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: policy + istio: mixer + istio-mixer-type: policy + version: 1.1.0 + name: istio-policy +spec: + minAvailable: 1 + selector: + matchLabels: + app: policy + istio: mixer + istio-mixer-type: policy + +--- + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + name: istio-sidecar-injector +spec: + minAvailable: 1 + selector: + matchLabels: + app: sidecarInjectorWebhook + istio: sidecar-injector + +--- + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: telemetry + istio: mixer + istio-mixer-type: telemetry + version: 1.1.0 + name: istio-telemetry +spec: + minAvailable: 1 + selector: + matchLabels: + app: telemetry + istio: mixer + istio-mixer-type: telemetry diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role-binding.yaml new file mode 100644 index 0000000000..9a34d16f98 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role-binding.yaml 
@@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role.yaml new file mode 100644 index 0000000000..7cfeb1cb2a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/rule.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/rule.yaml new file mode 100644 index 0000000000..fd302b5415 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/rule.yaml 
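Review bot: The `istio-ingressgateway-sds` Role in role.yaml grants `get`, `watch` and `list` on every Secret in its namespace, and role-binding.yaml hands it to `istio-ingressgateway-service-account`, the identity of the gateway that service.yaml exposes through a NodePort. params.env sets the namespace to istio-system, so the grant presumably reaches the control plane's own secrets as well as the gateway certificates. If ingress SDS is not used in this cluster, leave both objects out; if it is, record the exposure next to the rule, e.g. `# gateway SDS can read every Secret in this namespace; store only gateway TLS secrets here`. Neither manifest sets `metadata.namespace`, so where the Role lands depends on kustomize settings that are not in these hunks.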
@@ -0,0 +1,134 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + labels: + app: mixer + name: istio-policy +spec: + host: istio-policy.$(namespace).svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 + portLevelSettings: + - port: + number: 15004 + tls: + mode: ISTIO_MUTUAL + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + labels: + app: mixer + name: istio-telemetry +spec: + host: istio-telemetry.$(namespace).svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 + portLevelSettings: + - port: + number: 15004 + tls: + mode: ISTIO_MUTUAL + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + labels: + app: mixer + name: kubeattrgenrulerule +spec: + actions: + - handler: kubernetesenv + instances: + - attributes + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + labels: + app: mixer + name: promhttp +spec: + actions: + - handler: prometheus + instances: + - requestcount + - requestduration + - requestsize + - responsesize + match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent + | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") + == false) + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + labels: + app: mixer + name: promtcp +spec: + actions: + - handler: prometheus + instances: + - tcpbytesent + - tcpbytereceived + match: context.protocol == "tcp" + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + labels: + app: mixer + name: promtcpconnectionclosed +spec: + actions: + - handler: prometheus + instances: + - tcpconnectionsclosed + match: context.protocol == "tcp" && ((connection.event | "na") == "close") + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + labels: + app: mixer + name: 
promtcpconnectionopen +spec: + actions: + - handler: prometheus + instances: + - tcpconnectionsopened + match: context.protocol == "tcp" && ((connection.event | "na") == "open") + +--- + +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + labels: + app: mixer + name: tcpkubeattrgenrulerule +spec: + actions: + - handler: kubernetesenv + instances: + - attributes + match: context.protocol == "tcp" diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-account.yaml new file mode 100644 index 0000000000..15892ba91e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-account.yaml 
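Review bot: The `promhttp` rule's `match` leaves a request out of the request metrics when `request.useragent` begins with `kube-probe` or `Prometheus`, and that header is supplied by the client, so these counters are not a complete record of traffic. A comment above the expression would make the limit explicit, e.g. `# filtered on client-supplied User-Agent; not an audit trail, use gateway access logs for that`. Whether access logging is enabled for the gateway is not visible in this patch.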
@@ -0,0 +1,86 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: security + name: istio-citadel-service-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: galley + name: istio-galley-service-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: istio-ingressgateway + name: istio-ingressgateway-service-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: mixer + name: istio-mixer-service-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: nodeagent + name: istio-nodeagent-service-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: pilot + name: istio-pilot-service-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: security + name: istio-security-post-install-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + name: istio-sidecar-injector-service-account + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: prometheus + name: prometheus diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role-binding.yaml new file mode 100644 index 0000000000..91f218c373 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role-binding.yaml 
@@ -0,0 +1,13 @@ +# Added to allow all requests to istio-ingressgateway +# Refer issue: https://github.com/istio/istio/issues/14885 +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: istio-ingressgateway +spec: + subjects: + - user: "*" + + roleRef: + kind: ServiceRole + name: "istio-ingressgateway" diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role.yaml new file mode 100644 index 0000000000..51c3a44a25 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service-role.yaml @@ -0,0 +1,10 @@ +# Added to allow all requests to istio-ingressgateway +# Refer issue: https://github.com/istio/istio/issues/14885 +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: istio-ingressgateway +spec: + rules: + - services: + - istio-ingressgateway.$(namespace).svc.cluster.local diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service.yaml new file mode 100644 index 0000000000..64dbc955d1 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio-1-3-1/istio-install-1-3-1/base/service.yaml 
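Review bot: `subjects: - user: "*"` in service-role-binding.yaml binds the `istio-ingressgateway` ServiceRole to every caller, authenticated or not, so Istio RBAC places no restriction on who can reach the gateway service. The header comment says this is intended but not what enforces authentication instead; extend it, e.g. `# RBAC is open here by design; callers are authenticated by the ingress JWT policy (IAP / Dialogflow)`, and confirm that policy is actually applied in this cluster. The ServiceRole in service-role.yaml lists only `services`, so it presumably covers all methods and paths. `rbac.istio.io/v1alpha1` was deprecated in Istio 1.4 in favour of `AuthorizationPolicy`, so both objects may need replacing if the cluster runs the 1.4 control plane the description mentions.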
@@ -0,0 +1,189 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: security + istio: citadel + name: istio-citadel +spec: + ports: + - name: grpc-citadel + port: 8060 + protocol: TCP + targetPort: 8060 + - name: http-monitoring + port: 15014 + selector: + istio: citadel + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: galley + istio: galley + name: istio-galley +spec: + ports: + - name: https-validation + port: 443 + - name: http-monitoring + port: 15014 + - name: grpc-mcp + port: 9901 + selector: + istio: galley + +--- + +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + annotations: + beta.cloud.google.com/backend-config: '{"ports": {"http2":"iap-backendconfig"}}' + labels: + app: istio-ingressgateway + istio: ingressgateway +spec: + type: NodePort + selector: + app: istio-ingressgateway + istio: ingressgateway + ports: + - name: status-port + port: 15020 + targetPort: 15020 + - name: http2 + nodePort: 31380 + port: 80 + targetPort: 80 + - name: https + nodePort: 31390 + port: 443 + - name: tcp + nodePort: 31400 + port: 31400 + - name: https-kiali + port: 15029 + targetPort: 15029 + - name: https-prometheus + port: 15030 + targetPort: 15030 + - name: https-grafana + port: 15031 + targetPort: 15031 + - name: https-tracing + port: 15032 + targetPort: 15032 + - name: tls + port: 15443 + targetPort: 15443 + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: pilot + istio: pilot + name: istio-pilot +spec: + ports: + - name: grpc-xds + port: 15010 + - name: https-xds + port: 15011 + - name: http-legacy-discovery + port: 8080 + - name: http-monitoring + port: 15014 + selector: + istio: pilot + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + networking.istio.io/exportTo: '*' + labels: + app: mixer + istio: mixer + name: istio-policy +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + selector: + istio: mixer + 
istio-mixer-type: policy + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + name: istio-sidecar-injector +spec: + ports: + - name: https-inject + port: 443 + - name: http-monitoring + port: 15014 + selector: + istio: sidecar-injector + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + networking.istio.io/exportTo: '*' + labels: + app: mixer + istio: mixer + name: istio-telemetry +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 + selector: + istio: mixer + istio-mixer-type: telemetry + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/scrape: "true" + labels: + app: prometheus + name: prometheus +spec: + ports: + - name: http-prometheus + port: 9090 + protocol: TCP + selector: + app: prometheus diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/OWNERS new file mode 100644 index 0000000000..861d7292ee --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/OWNERS @@ -0,0 +1,3 @@ +approvers: + - krishnadurai + - lluunn diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/envoy-filter.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/envoy-filter.yaml new file mode 100644 index 0000000000..04e344bb7b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/envoy-filter.yaml 
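Review bot: The `istio-ingressgateway` Service in this file is `type: NodePort`, and its `beta.cloud.google.com/backend-config` annotation attaches `iap-backendconfig` to the `http2` port only, so the other listed ports (`https`, `tcp`, `https-kiali`, `https-prometheus`, `https-grafana`, `https-tracing`, `tls`) each receive a node port that IAP does not front. Whether anything answers on them depends on Gateway resources and firewall rules that are not part of this hunk, so I would remove the entries this cluster does not serve, or add a comment above `ports:` stating that node ports are closed at the VPC firewall. The same port list appears in istio/iap-gateway/base/istio-ingressgateway.yaml later in this patch, where the author's TODO already questions the hard-coded ports.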
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: add-user-filter
+spec:
+ workloadLabels:
+ app: istio-ingressgateway
+ filters:
+ - listenerMatch:
+ listenerType: GATEWAY
+ filterName: envoy.lua
+ filterType: HTTP
+ insertPosition:
+ index: FIRST
+ filterConfig:
+ inlineCode: |
+ function envoy_on_request(request_handle)
+ request_handle:headers():add("kubeflow-userid","anonymous@kubeflow.org")
+ end
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/kustomization.yaml
new file mode 100644
index 0000000000..45e61bd377
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/add-anonymous-user-filter/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- envoy-filter.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..eb9ecdc3aa
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-local-gateway-istio-system
+ labels:
+ app: cluster-local-gateway
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-local-gateway-istio-system
+subjects:
+- kind: ServiceAccount
+ name: cluster-local-gateway-service-account
+ namespace: $(namespace)
\ No newline at end of file
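Review bot: In envoy-filter.yaml, `request_handle:headers():add("kubeflow-userid","anonymous@kubeflow.org")` appends a value and leaves any `kubeflow-userid` header sent by the client in place, so a backend that reads the first value would act on an identity the client chose. Use `request_handle:headers():replace("kubeflow-userid","anonymous@kubeflow.org")` so the gateway's value is the only one forwarded. Because the filter labels every request through the ingress gateway as the anonymous user, it also deserves a comment above `inlineCode:` saying it must not be combined with an overlay that authenticates users; where this base is pulled in is not visible from the kustomization in the next hunk.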
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role.yaml
new file mode 100644
index 0000000000..7e07b2436d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/cluster-role.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-local-gateway-istio-system
+ labels:
+ app: cluster-local-gateway
+rules:
+- apiGroups: ["networking.istio.io"]
+ resources: ["virtualservices", "destinationrules", "gateways"]
+ verbs: ["get", "watch", "list", "update"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-reader
+rules:
+ - apiGroups: ['']
+ resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
+ verbs: ['get', 'watch', 'list']
+ - apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/deployment.yaml
new file mode 100644
index 0000000000..b2b0de6350
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/deployment.yaml
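Review bot: The `cluster-local-gateway-istio-system` ClusterRole grants `update` on `virtualservices`, `destinationrules` and `gateways` in every namespace to the gateway's service account, which means a compromised gateway pod could rewrite mesh routing cluster-wide. A proxy that only consumes this configuration should need read access, so unless something in this deployment writes those objects, reduce the rule to `verbs: ["get", "watch", "list"]`. The second document defines `istio-reader`, but cluster-role-binding.yaml in this directory binds only the first role, so a one-line comment saying where `istio-reader` is bound (or that it is unused here) would help.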
@@ -0,0 +1,158 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cluster-local-gateway + labels: + app: cluster-local-gateway + istio: cluster-local-gateway +spec: + replicas: 1 + template: + metadata: + labels: + app: cluster-local-gateway + istio: cluster-local-gateway + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: cluster-local-gateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15011 + - containerPort: 8060 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - cluster-local-gateway + - --zipkinAddress + - zipkin.$(namespace):9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot.$(namespace):15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 10m + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + 
fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: clusterlocalgateway-certs + mountPath: "/etc/istio/clusterlocalgateway-certs" + readOnly: true + - name: clusterlocalgateway-ca-certs + mountPath: "/etc/istio/clusterlocalgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.cluster-local-gateway-service-account + optional: true + - name: clusterlocalgateway-certs + secret: + secretName: "istio-clusterlocalgateway-certs" + optional: true + - name: clusterlocalgateway-ca-certs + secret: + secretName: "istio-clusterlocalgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/horizontal-pod-autoscaler.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/horizontal-pod-autoscaler.yaml new file mode 100644 index 0000000000..e6a01cd2d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/horizontal-pod-autoscaler.yaml 
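Review bot: The proxy container is started with `--controlPlaneAuthPolicy` `NONE` and `--discoveryAddress` `istio-pilot.$(namespace):15010`, so this gateway takes its listener and route configuration from Pilot over an unauthenticated plaintext connection even though the `istio-certs` secret is mounted. If the mesh is meant to run with control-plane mTLS, change the two argument values to `- MUTUAL_TLS` and `- istio-pilot.$(namespace):15011` (15011 is the `https-xds` port on the Pilot Service added earlier in this patch). The container also has no `securityContext` and no resource `limits`, and the image is pinned by tag (`docker.io/istio/proxyv2:1.1.6`) rather than by digest. That tag is worth re-checking against the Istio 1.4 target named in the commit description.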
@@ -0,0 +1,19 @@ +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: cluster-local-gateway + istio: cluster-local-gateway + name: cluster-local-gateway +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + targetAverageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: cluster-local-gateway \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/kustomization.yaml new file mode 100644 index 0000000000..d6d242a49b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/kustomization.yaml @@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +configMapGenerator: +- name: cluster-local-gateway-parameters + envs: + - params.env + +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- deployment.yaml +- horizontal-pod-autoscaler.yaml +- namespace.yaml +- pod-disruption-budget.yaml +- service-account.yaml +- service.yaml + +vars: +- name: namespace + objref: + kind: ConfigMap + name: cluster-local-gateway-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace + +commonLabels: + kustomize.component: cluster-local-gateway + +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/namespace.yaml new file mode 100644 index 0000000000..4a7da48228 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: $(namespace) 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.env new file mode 100644 index 0000000000..ad99a1362c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.env @@ -0,0 +1 @@ +namespace=istio-system diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.yaml new file mode 100644 index 0000000000..35a0a93706 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/params.yaml @@ -0,0 +1,5 @@ +varReference: +- path: metadata/name + kind: Namespace +- path: subjects/namespace + kind: ClusterRoleBinding diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/pod-disruption-budget.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/pod-disruption-budget.yaml new file mode 100644 index 0000000000..22645de44f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/pod-disruption-budget.yaml @@ -0,0 +1,14 @@ +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: cluster-local-gateway + labels: + app: cluster-local-gateway + istio: cluster-local-gateway +spec: + + minAvailable: 1 + selector: + matchLabels: + app: cluster-local-gateway + istio: cluster-local-gateway \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service-account.yaml new file mode 100644 index 0000000000..c8262a4790 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service-account.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cluster-local-gateway-service-account + labels: + app: cluster-local-gateway +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service.yaml new file mode 100644 index 0000000000..6783abeaa4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/cluster-local-gateway/base/service.yaml @@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Service +metadata: + name: cluster-local-gateway + labels: + app: cluster-local-gateway + istio: cluster-local-gateway +spec: + type: ClusterIP + selector: + app: cluster-local-gateway + istio: cluster-local-gateway + ports: + - + name: http2 + port: 80 + targetPort: 80 + - + name: https + port: 443 + - + name: tcp + port: 31400 + - + name: tcp-pilot-grpc-tls + port: 15011 + targetPort: 15011 + - + name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - + name: http2-kiali + port: 15029 + targetPort: 15029 + - + name: http2-prometheus + port: 15030 + targetPort: 15030 + - + name: http2-grafana + port: 15031 + targetPort: 15031 + - + name: http2-tracing + port: 15032 + targetPort: 15032 \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/OWNERS new file mode 100644 index 0000000000..56d24e8c44 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/OWNERS @@ -0,0 +1,4 @@ +approvers: +- jlewi +- kunmingg +- zhenghuiwang 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/README.md new file mode 100644 index 0000000000..f05ae02cd0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/README.md @@ -0,0 +1,8 @@ +# ISTIO GCP + +This is the top-level kustomization.yaml file for installing ISTIO 1.1.6 +on GCP. + +This packacge only installs ISTIO; not Kubeflwo specific resources (E.g gateways for Kubeflow) + +This will be replaced soon with managed ISTIO. \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/kustomization.yaml new file mode 100644 index 0000000000..aacaf6a0b6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/gcp-1-1-6/kustomization.yaml @@ -0,0 +1,8 @@ +# This packacge only installs ISTIO; not Kubeflwo specific resources (E.g gateways for Kubeflow) +# Installs ISTIO 1-1-6 +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: istio-system +resources: +- ../istio-crds/base +- ../istio-install/base \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/istio-ingressgateway.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/istio-ingressgateway.yaml new file mode 100644 index 0000000000..330a8e8200 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/istio-ingressgateway.yaml 
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-ingressgateway
+ annotations:
+ beta.cloud.google.com/backend-config: '{"ports": {"http2":"iap-backendconfig"}}'
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ release: istio
+spec:
+ # TODO(jlewi): Why are we hardcoding the ports here? With ASM I believe the service
+ # gets created by the gateway defined by ASM.
+ #
+ ports:
+ - name: status-port
+ port: 15020
+ protocol: TCP
+ targetPort: 15020
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ - name: kiali
+ port: 15029
+ protocol: TCP
+ targetPort: 15029
+ - name: prometheus
+ port: 15030
+ protocol: TCP
+ targetPort: 15030
+ - name: grafana
+ port: 15031
+ protocol: TCP
+ targetPort: 15031
+ - name: tracing
+ port: 15032
+ protocol: TCP
+ targetPort: 15032
+ - name: tls
+ port: 15443
+ protocol: TCP
+ targetPort: 15443
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ sessionAffinity: None
+ type: NodePort
+---
+apiVersion: rbac.istio.io/v1alpha1
+kind: ClusterRbacConfig
+metadata:
+ name: default
+spec:
+ mode: ON_WITH_EXCLUSION
+ exclusion:
+ namespaces:
+ - istio-system
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/kustomization.yaml
new file mode 100644
index 0000000000..8b4480ebe8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/iap-gateway/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - istio-ingressgateway.yaml
+namespace: istio-system
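Review bot: The `ClusterRbacConfig` at the end of istio-ingressgateway.yaml sets `mode: ON_WITH_EXCLUSION` with `istio-system` excluded, so Istio authorization is not evaluated for any workload in that namespace, the ingress gateway included. Access control at the edge therefore rests on IAP and the gateway's JWT policy alone, and the manifest should say so, for example `# istio-system is excluded from Istio RBAC; requests are authenticated by IAP/JWT policy at the gateway.` above its `spec:`. `ClusterRbacConfig` is part of the `rbac.istio.io/v1alpha1` API, which later Istio releases replace with `AuthorizationPolicy`, so it is worth confirming that the Istio 1.4 / ASM control plane named in the commit description still honours it.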
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/certificate.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/certificate.yaml
new file mode 100644
index 0000000000..c4a0fe5999
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: istio-ingress-crt
+spec:
+ secretName: istio-ingressgateway-certs
+ domains:
+ - $(domain)
+ commonName: "istio-ingressgateway-root-ca"
+ isCA: true
+ issuerRef:
+ name: kubeflow-self-signing-issuer
+ kind: ClusterIssuer
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/kustomization.yaml
new file mode 100644
index 0000000000..cda8975d99
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- certificate.yaml
+
+configMapGenerator:
+- name: ingressgateway-self-signed-cert-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+
+vars:
+- name: domain
+ objref:
+ kind: ConfigMap
+ name: ingressgateway-self-signed-cert-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.domain
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.env
new file mode 100644
index 0000000000..4e3351bcdd
--- /dev/null
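Review bot: In certificate.yaml, `isCA: true` makes the certificate written to `istio-ingressgateway-certs` a CA certificate, so the private key mounted into the gateway pod can sign certificates for other names; the key a gateway serves with should belong to a leaf certificate. I would issue the root into its own secret and have a CA issuer sign a separate leaf for the gateway, or drop `isCA: true` here if nothing chains from this certificate. Separately, `domains:` does not look like a field of a `cert-manager.io/v1alpha2` `Certificate` (the SAN list is `dnsNames:`), so `$(domain)` may never reach the issued certificate; if that is confirmed, the `spec/domains` path in this directory's params.yaml needs the same rename.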
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.env @@ -0,0 +1 @@ +domain=example.org diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.yaml new file mode 100644 index 0000000000..982e52affc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/ingressgateway-self-signed-cert/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/domains + kind: Certificate diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/crds.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/crds.yaml new file mode 100644 index 0000000000..f58a3c2e7d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/crds.yaml 
@@ -0,0 +1,1535 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + shortNames: + - vs + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + shortNames: + - dr + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + shortNames: + - se + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + shortNames: + - gw + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: clusterrbacconfigs.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: policies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: 
CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
quotaspecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + labels: + app: mixer + package: bypass + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: circonuses.config.istio.io + labels: + app: mixer + package: circonus + istio: mixer-adapter + chart: istio + heritage: 
Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: circonus + plural: circonuses + singular: circonus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: deniers.config.istio.io + labels: + app: mixer + package: denier + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: denier + plural: deniers + singular: denier + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: fluentds.config.istio.io + labels: + app: mixer + package: fluentd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: fluentd + plural: fluentds + singular: fluentd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kubernetesenvs.config.istio.io + labels: + app: mixer + package: kubernetesenv + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetesenv + plural: kubernetesenvs + singular: kubernetesenv + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listcheckers.config.istio.io + labels: + app: mixer + package: listchecker + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep 
+spec: + group: config.istio.io + names: + kind: listchecker + plural: listcheckers + singular: listchecker + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: memquotas.config.istio.io + labels: + app: mixer + package: memquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: memquota + plural: memquotas + singular: memquota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: noops.config.istio.io + labels: + app: mixer + package: noop + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: noop + plural: noops + singular: noop + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: opas.config.istio.io + labels: + app: mixer + package: opa + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: opa + plural: opas + singular: opa + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: prometheuses.config.istio.io + labels: + app: mixer + package: prometheus + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: prometheus + plural: prometheuses + singular: prometheus + categories: + - 
istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacs.config.istio.io + labels: + app: mixer + package: rbac + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rbac + plural: rbacs + singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + labels: + app: mixer + package: redisquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + labels: + app: mixer + package: signalfx + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: solarwindses.config.istio.io + labels: + app: mixer + package: solarwinds + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: solarwinds + plural: solarwindses + singular: solarwinds + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: 
apiextensions.k8s.io/v1beta1 +metadata: + name: stackdrivers.config.istio.io + labels: + app: mixer + package: stackdriver + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stackdriver + plural: stackdrivers + singular: stackdriver + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: statsds.config.istio.io + labels: + app: mixer + package: statsd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: statsd + plural: statsds + singular: statsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stdios.config.istio.io + labels: + app: mixer + package: stdio + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stdio + plural: stdios + singular: stdio + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apikeys.config.istio.io + labels: + app: mixer + package: apikey + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: apikey + plural: apikeys + singular: apikey + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizations.config.istio.io + labels: + app: mixer + package: 
authorization + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: authorization + plural: authorizations + singular: authorization + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: checknothings.config.istio.io + labels: + app: mixer + package: checknothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: checknothing + plural: checknothings + singular: checknothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kuberneteses.config.istio.io + labels: + app: mixer + package: adapter.template.kubernetes + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetes + plural: kuberneteses + singular: kubernetes + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listentries.config.istio.io + labels: + app: mixer + package: listentry + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: listentry + plural: listentries + singular: listentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: logentries.config.istio.io + labels: + app: mixer + package: logentry + 
istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: logentry + plural: logentries + singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + additionalPrinterColumns: + - JSONPath: .spec.severity + description: The importance of the log entry + name: Severity + type: string + - JSONPath: .spec.timestamp + description: The time value for the log entry + name: Timestamp + type: string + - JSONPath: .spec.monitored_resource_type + description: Optional expression to compute the type of the monitored resource this log entry is being recorded on + name: Res Type + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + labels: + app: mixer + package: edge + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: metrics.config.istio.io + labels: + app: mixer + package: metric + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: metric + plural: metrics + singular: metric + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotas.config.istio.io + labels: + app: mixer + package: quota + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: quota + plural: quotas + singular: quota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: reportnothings.config.istio.io + labels: + app: mixer + package: reportnothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: reportnothing + plural: reportnothings + singular: reportnothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 
+--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: tracespans.config.istio.io + labels: + app: mixer + package: tracespan + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: tracespan + plural: tracespans + singular: tracespan + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 + additionalPrinterColumns: + - JSONPath: 
.spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: 
Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: cloudwatches.config.istio.io + labels: + app: mixer + package: cloudwatch + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: cloudwatch + plural: cloudwatches + singular: cloudwatch + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: dogstatsds.config.istio.io + labels: + app: mixer + package: dogstatsd + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: dogstatsd + plural: dogstatsds + singular: dogstatsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: zipkins.config.istio.io + labels: + app: mixer + package: zipkin + istio: 
mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: zipkin + plural: zipkins + singular: zipkin + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. 
Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Order
+ plural: orders
+ scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: challenges.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.state
+ name: State
+ type: string
+ - JSONPath: .spec.dnsName
+ name: Domain
+ type: string
+ - JSONPath: .status.reason
+ name: Reason
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Challenge
+ plural: challenges
+ scope: Namespaced
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/kustomization.yaml
new file mode 100644
index 0000000000..ca49cac674
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-crds/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- crds.yaml
+namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/istio-noauth.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/istio-noauth.yaml
new file mode 100644
index 0000000000..8a1aedfca0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/istio-noauth.yaml
@@ -0,0 +1,17384 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-injection: disabled +--- +# Source: istio/charts/kiali/templates/demosecret.yaml + +apiVersion: v1 +kind: Secret +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +type: Opaque +data: + username: YWRtaW4= # admin + passphrase: YWRtaW4= # admin + +--- +# Source: istio/charts/galley/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - 
v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + failurePolicy: Fail +--- +# Source: istio/charts/grafana/templates/configmap-custom-resources.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-custom-resources + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + custom-resources.yaml: |- + apiVersion: authentication.istio.io/v1alpha1 + kind: Policy + metadata: + name: grafana-ports-mtls-disabled + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + spec: + targets: + - name: grafana + ports: + - number: 3000 + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" 
-ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/charts/grafana/templates/configmap-dashboards.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-galley-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + galley-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 46, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"galley\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Galley Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 40, + "panels": [], + "title": "Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 36, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "A" + }, + { + "expr": "process_resident_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "B" + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "C" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F" + }, + { + "expr": 
"go_memstats_heap_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "G" + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "H" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Total (kis)", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 38, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A" + }, + { + "expr": 
"sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "galley (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 12, + "y": 6 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Open FDs (galley)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} ", + "refId": "B" 
+ } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 6 + }, + "id": 44, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "goroutines_total", + "refId": "A" + }, + { + "expr": "galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "clients_total", + "refId": "B" + }, + { + "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "avg_goroutines_per_client", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": 
true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 10, + "panels": [], + "title": "Runtime", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 15 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Strategy Change Events", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Processed Events", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Snapshot Published", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Event Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": 
"short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 15 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Max Time Reached", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Quiesce Reached", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Timer Resets", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Timer Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + 
], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 15 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 3, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P95", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Events Per Snapshot", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": 
null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ typeURL }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "State Type Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Count", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 34, + "panels": [], + "title": "Validation", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 28 + }, + "id": 28, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + 
}, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 28 + }, + "id": 30, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 
1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 28 + }, + "id": 32, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + 
"mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 34 + }, + "id": 12, + "panels": [], + "title": "Kubernetes Source", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Success", + "refId": "A" + }, + { + "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Source Event Rate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": 
null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 16, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Successes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Conversions/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 24, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Failures/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 41 + }, + "id": 18, + "panels": [], + "title": "Mesh Configuration Protocol", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_mcp_source_clients_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Clients", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": 
[], + "timeShift": null, + "title": "Connected Clients", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 22, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request ACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "ACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + 
"dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 42 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request NACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "NACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "TSEY6jLmk", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-mesh-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: 
istio + istio: grafana +data: + istio-mesh-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "content": "

\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false 
+ }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + 
"text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 45 + }, + "id": 111, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + 
"show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-performance-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-performance-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": 
false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + 
"sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", 
+ "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / 
count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + 
"refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": 
false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. 
\n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.", + "gridPos": { + "h": 4, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 11, + "links": [], + "mode": "markdown", + "title": "Istio Performance Dashboard Readme", + "type": "text" + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-service-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-service-dashboard.json: '{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "iteration": 1536442501501, + "links": [], + "panels": [ + { + "content": "
\nSERVICE: $service\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": 
"connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Received Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": 
"time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + 
"dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + 
"yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Sent Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nCLIENT WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 
1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + 
"rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "
\nSERVICE WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + 
"stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": 
"time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", 
destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", 
destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + 
"aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": 
"0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + 
] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-workload-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-workload-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
\nWORKLOAD: $workload.$namespace\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 
80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 0, + 
"y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": 
"", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nINBOUND WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And 
Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
\nOUTBOUND SERVICES\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": 
true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", 
source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + "legend": { + "alignAsTable": false, + "avg": 
false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", 
destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, 
+ "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-mixer-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + mixer-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": 
"Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1543881232533, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 62, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 64, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Mixer Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + 
"format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, 
+ "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": 
{ + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Mixer Overview

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 21 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_server_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 21 + }, + "id": 8, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 21 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, 
+ "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 21 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ 
grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Adapters and Config

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 37 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 37 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 37 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + 
"values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 37 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Individual Adapters

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 44 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 47 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 48 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + 
"w": 12, + "x": 12, + "y": 48 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Mixer Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-pilot-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + pilot-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": 
"Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 58, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Pilot Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + 
"legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total 
(k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

xDS

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 21 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 21 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 
0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + "expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": 
"rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", 
\".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + 
{ + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 53, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + 
"nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": 
"{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Pilot Dashboard", + "version": 4 +} +' +--- + +--- +# Source: istio/charts/grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + +--- +# Source: istio/charts/kiali/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +data: + config.yaml: | + istio_namespace: 
istio-system + server: + port: 20001 + external_services: + istio: + url_service_version: http://istio-pilot:8080/version + jaeger: + url: + grafana: + url: + +--- +# Source: istio/charts/prometheus/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +data: + prometheus.yml: |- + global: + scrape_interval: 15s + scrape_configs: + + - job_name: 'istio-mesh' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;prometheus + + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. 
+ - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop + + - job_name: 'istio-policy' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-policy;http-monitoring + + - job_name: 'istio-telemetry' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;http-monitoring + + - job_name: 'pilot' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-galley;http-monitoring + + - job_name: 'citadel' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - 
istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-citadel;http-monitoring + + # scrape config for API servers + - job_name: 'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - default + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kubernetes;https + + # scrape config for nodes (kubelet) + - job_name: 'kubernetes-nodes' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Scrape config for Kubelet cAdvisor. + # + # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics + # (those whose names begin with 'container_') have been removed from the + # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to + # retrieve those metrics. + # + # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor + # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" + # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with + # the --cadvisor-port=0 Kubelet flag). + # + # This job is not necessary and should be removed in Kubernetes 1.6 and + # earlier versions, or it will cause the metrics to be scraped twice. 
+ - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor + + # scrape config for service endpoints. + - job_name: 'kubernetes-service-endpoints' + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. 
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http" + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: keep + regex: ((;.*)|(.*;http)) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: drop + regex: (http) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name +--- +# Source: istio/charts/security/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +data: + custom-resources.yaml: |- + # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. + apiVersion: "authentication.istio.io/v1alpha1" + kind: "MeshPolicy" + metadata: + name: "default" + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + peers: + - mtls: + mode: PERMISSIVE + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" 
-eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/templates/configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + labels: + app: istio + chart: istio + heritage: Tiller + release: istio +data: + mesh: |- + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + disablePolicyChecks: false + + # Set enableTracing to false to disable request tracing. + enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "/dev/stdout" + + # If accessLogEncoding is TEXT, value will be used directly as the log format + # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" + # If AccessLogEncoding is JSON, value will be parsed as map[string]string + # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' + # Leave empty to use default log format + accessLogFormat: "" + + # Set accessLogEncoding to JSON or TEXT to configure sidecar access log + accessLogEncoding: 'TEXT' + mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. 
+ policyCheckFailOpen: false + # Let Pilot give ingresses the public IP of the Istio ingressgateway + ingressService: istio-ingressgateway + + # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS + connectTimeout: 10s + + # DNS refresh rate for Envoy clusters of type STRICT_DNS + dnsRefreshRate: 5s + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: + + # This flag is used by secret discovery service(SDS). + # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which + # will be used to generate key/cert eventually. This isn't supported for non-k8s case. + enableSdsTokenMount: false + + # This flag is used by secret discovery service(SDS). + # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + # and pass to sds server, which will be used to request key/cert eventually. + # this flag is ignored if enableSdsTokenMount is set. + # This isn't supported for non-k8s case. + sdsUseK8sSaJwt: false + + # The trust domain corresponds to the trust root of a system. 
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + outboundTrafficPolicy: + mode: ALLOW_ANY + + localityLbSetting: + {} + + + # The namespace to treat as the administrative root namespace for istio + # configuration. + rootNamespace: istio-system + configSources: + - address: istio-galley.istio-system.svc:9901 + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters + # defined in Envoy's configuration file + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. + # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. 
+ # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: NONE + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15010 + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. 
+ meshNetworks: |- + networks: {} + +--- +# Source: istio/templates/sidecar-injector-configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + labels: + app: istio + chart: istio + heritage: Tiller + release: istio + istio: sidecar-injector +data: + config: |- + policy: enabled + template: |- + rewriteAppHTTPProbe: false + initContainers: + [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]] + - name: istio-init + image: "docker.io/istio/proxy_init:1.1.6" + args: + - "-p" + - [[ .MeshConfig.ProxyListenPort ]] + - "-u" + - 1337 + - "-m" + - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]] + - "-i" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]" + - "-x" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]" + - "-b" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]" + - "-d" + - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]" + [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]] + - "-k" + - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]" + [[ end -]] + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: 100m + memory: 50Mi + securityContext: + runAsUser: 0 + runAsNonRoot: false + capabilities: + add: + - NET_ADMIN + restartPolicy: Always + [[ end -]] + containers: + - name: istio-proxy + image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "docker.io/istio/proxyv2:1.1.6" ]] + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath 
+ - [[ .ProxyConfig.ConfigPath ]] + - --binaryPath + - [[ .ProxyConfig.BinaryPath ]] + - --serviceCluster + [[ if ne "" (index .ObjectMeta.Labels "app") -]] + - [[ index .ObjectMeta.Labels "app" ]].$(POD_NAMESPACE) + [[ else -]] + - [[ valueOrDefault .DeploymentMeta.Name "istio-proxy" ]].[[ valueOrDefault .DeploymentMeta.Namespace "default" ]] + [[ end -]] + - --drainDuration + - [[ formatDuration .ProxyConfig.DrainDuration ]] + - --parentShutdownDuration + - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]] + - --discoveryAddress + - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]] + - --zipkinAddress + - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]] + - --connectTimeout + - [[ formatDuration .ProxyConfig.ConnectTimeout ]] + - --proxyAdminPort + - [[ .ProxyConfig.ProxyAdminPort ]] + [[ if gt .ProxyConfig.Concurrency 0 -]] + - --concurrency + - [[ .ProxyConfig.Concurrency ]] + [[ end -]] + - --controlPlaneAuthPolicy + - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]] + [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]] + - --statusPort + - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]] + - --applicationPorts + - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]" + [[- end ]] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String 
]] + [[ if .ObjectMeta.Annotations ]] + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + [[ toJSON .ObjectMeta.Annotations ]] + [[ end ]] + [[ if .ObjectMeta.Labels ]] + - name: ISTIO_METAJSON_LABELS + value: | + [[ toJSON .ObjectMeta.Labels ]] + [[ end ]] + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + [[- end ]] + imagePullPolicy: IfNotPresent + [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]] + readinessProbe: + httpGet: + path: /healthz/ready + port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]] + initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]] + periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]] + failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]] + [[ end -]]securityContext: + readOnlyRootFilesystem: true + [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]] + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + [[ else -]] + + runAsUser: 1337 + [[- end ]] + resources: + [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]] + requests: + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]] + cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]" + [[ end ]] + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]] + memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]" + [[ end ]] + [[ else -]] + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + [[ end -]] + volumeMounts: + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - mountPath: 
/etc/istio/custom-bootstrap + name: custom-bootstrap-volume + [[- end ]] + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]] + [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]] + - name: "[[ $index ]]" + [[ toYaml $value | indent 4 ]] + [[ end ]] + [[- end ]] + volumes: + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - name: custom-bootstrap-volume + configMap: + name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]] + [[- end ]] + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + [[ if eq .Spec.ServiceAccountName "" -]] + secretName: istio.default + [[ else -]] + secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] + [[ end -]] + [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]] + [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]] + - name: "[[ $index ]]" + [[ toYaml $value | indent 2 ]] + [[ end ]] + [[ end ]] + +--- +# Source: istio/charts/galley/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + +--- +# Source: istio/charts/gateways/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-egressgateway-service-account + labels: + app: istio-egressgateway + chart: gateways + heritage: Tiller + release: istio +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-ingressgateway-service-account + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + release: istio +--- + + +--- +# Source: istio/charts/grafana/templates/create-custom-resources-job.yaml +apiVersion: v1 +kind: 
ServiceAccount +metadata: + name: istio-grafana-post-install-account + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-grafana-post-install-istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-grafana-post-install-role-binding-istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-grafana-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-grafana-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-grafana-post-install-1.1.6 + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-grafana-post-install + labels: + app: istio-grafana + chart: grafana + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-grafana-post-install-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/grafana" + name: tmp-configmap-grafana + volumes: + - name: tmp-configmap-grafana + configMap: + name: istio-grafana-custom-resources + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + 
preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/kiali/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kiali-service-account + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio + +--- +# Source: istio/charts/mixer/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-mixer-service-account + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + +--- +# Source: istio/charts/pilot/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-pilot-service-account + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + +--- +# Source: istio/charts/prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio + +--- +# Source: istio/charts/security/templates/cleanup-secrets.yaml +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. 
+ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-cleanup-secrets-service-account + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-istio-system +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets-1.1.6 + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: security + chart: security + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + imagePullPolicy: IfNotPresent + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do + ns=$(echo $entry | 
awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/create-custom-resources-job.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + labels: + app: security + chart: security + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
istio-security-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-security-post-install-1.1.6 + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: security + chart: security + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-security-post-install + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + imagePullPolicy: IfNotPresent + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-citadel-service-account + labels: + app: security + chart: security + heritage: Tiller + release: istio + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount 
+metadata: + name: istio-sidecar-injector-service-account + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + +--- +# Source: istio/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi + +--- +# Source: istio/charts/galley/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: ["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions","apps"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] +- apiGroups: [""] + resources: ["pods", "nodes", "services", "endpoints"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments/finalizers"] + resourceNames: ["istio-galley"] + verbs: ["update"] + +--- +# Source: istio/charts/gateways/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-egressgateway-istio-system + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +rules: +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + name: istio-ingressgateway-istio-system + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +rules: +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- + +--- +# Source: istio/charts/kiali/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - apikeys + - authorizations + - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - reportnothings + - rules + - solarwindses + - stackdrivers + - statsds + - stdios + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - 
servicerolebindings + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali-viewer + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - apikeys + - authorizations + - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - reportnothings + - rules + - servicecontrolreports + - servicecontrols + - solarwindses + - stackdrivers + - statsds + - stdios + verbs: + - get + - list + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - get + - list + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - get + - list + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - get + - list + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get + +--- +# Source: istio/charts/mixer/templates/clusterrole.yaml + +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-mixer-istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] # istio CRD watcher + resources: ["*"] + verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/pilot/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] +- apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses", "ingresses/status"] + verbs: ["*"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus-istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - nodes + - services + 
- endpoints + - pods + - nodes/proxy + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: + - configmaps + verbs: ["get"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] + +--- +# Source: istio/charts/security/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "update"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", "delete"] +- apiGroups: [""] + resources: ["serviceaccounts", "services"] + verbs: ["get", "watch", "list"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-sidecar-injector-istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + +--- +# Source: istio/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-reader +rules: + - apiGroups: [''] + resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"] + verbs: ['get', 'watch', 'list'] + - apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/galley/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + app: 
galley + chart: galley + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/clusterrolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-egressgateway-istio-system + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-egressgateway-istio-system +subjects: +- kind: ServiceAccount + name: istio-egressgateway-service-account +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-ingressgateway-istio-system + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-ingressgateway-istio-system +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account +--- + +--- +# Source: istio/charts/kiali/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-kiali-admin-role-binding-istio-system + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiali +subjects: +- kind: ServiceAccount + name: kiali-service-account + +--- +# Source: istio/charts/mixer/templates/clusterrolebinding.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-mixer-admin-role-binding-istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-mixer-istio-system +subjects: + - kind: ServiceAccount + name: 
istio-mixer-service-account + namespace: istio-system + +--- +# Source: istio/charts/pilot/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-istio-system +subjects: + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: istio-system + +--- +# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: prometheus-istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-istio-system +subjects: +- kind: ServiceAccount + name: prometheus + +--- +# Source: istio/charts/security/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-citadel-istio-system +subjects: + - kind: ServiceAccount + name: istio-citadel-service-account + namespace: istio-system + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-sidecar-injector-admin-role-binding-istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-sidecar-injector-istio-system +subjects: + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: istio-system + +--- 
+# Source: istio/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-multi + labels: + chart: istio-1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader +subjects: +- kind: ServiceAccount + name: istio-multi + +--- +# Source: istio/charts/gateways/templates/role.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- + +--- +# Source: istio/charts/gateways/templates/rolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account +--- + +--- +# Source: istio/charts/galley/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: 15014 + name: http-monitoring + - port: 9901 + name: grpc-mcp + selector: + istio: galley + +--- +# Source: istio/charts/gateways/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-egressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + type: ClusterIP + selector: + release: istio + app: istio-egressgateway + istio: egressgateway + ports: + - + name: http2 + port: 80 + - + name: https + port: 443 + - + name: tls + port: 15443 + targetPort: 15443 +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + annotations: + beta.cloud.google.com/backend-config: '{"ports": {"http2":"iap-backendconfig"}}' + labels: + chart: gateways + heritage: Tiller + 
release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + type: NodePort + selector: + release: istio + app: istio-ingressgateway + istio: ingressgateway + ports: + - + name: status-port + port: 15020 + targetPort: 15020 + - + name: http2 + nodePort: 31380 + port: 80 + targetPort: 80 + - + name: https + nodePort: 31390 + port: 443 + - + name: tcp + nodePort: 31400 + port: 31400 + - + name: https-kiali + port: 15029 + targetPort: 15029 + - + name: https-prometheus + port: 15030 + targetPort: 15030 + - + name: https-grafana + port: 15031 + targetPort: 15031 + - + name: https-tracing + port: 15032 + targetPort: 15032 + - + name: tls + port: 15443 + targetPort: 15443 +--- + +--- +# Source: istio/charts/grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + selector: + app: grafana + +--- +# Source: istio/charts/kiali/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +spec: + ports: + - name: http-kiali + protocol: TCP + port: 20001 + selector: + app: kiali + +--- +# Source: istio/charts/mixer/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + annotations: + networking.istio.io/exportTo: "*" + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + selector: + istio: mixer + istio-mixer-type: policy +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + annotations: + networking.istio.io/exportTo: "*" + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + 
port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 + selector: + istio: mixer + istio-mixer-type: telemetry +--- + + +--- +# Source: istio/charts/pilot/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + selector: + istio: pilot + +--- +# Source: istio/charts/prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: prometheus + annotations: + prometheus.io/scrape: 'true' + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +spec: + selector: + app: prometheus + ports: + - name: http-prometheus + protocol: TCP + port: 9090 + +--- +# Source: istio/charts/security/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + # we use the normal name here (e.g. 
'prometheus') + # as grafana is configured to use this as a data source + name: istio-citadel + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +spec: + ports: + - name: grpc-citadel + port: 8060 + targetPort: 8060 + protocol: TCP + - name: http-monitoring + port: 15014 + selector: + istio: citadel + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-sidecar-injector + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +spec: + ports: + - port: 443 + selector: + istio: sidecar-injector + +--- +# Source: istio/charts/galley/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-galley + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + template: + metadata: + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-galley-service-account + containers: + - name: galley + image: "docker.io/istio/galley:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + - containerPort: 15014 + - containerPort: 9901 + command: + - /usr/local/bin/galley + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/healthliveness + - --readinessProbePath=/healthready + - --readinessProbeInterval=1s + - --deployment-namespace=istio-system + - --insecure=true + - --validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort=15014 + - --log_output_level=default:info + # see 
https://github.com/istio/istio/issues/15352 + - --enable-validation=true + volumeMounts: + - name: certs + mountPath: /etc/certs + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: mesh-config + mountPath: /etc/mesh-config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthliveness + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthready + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + - name: mesh-config + configMap: + name: istio + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/gateways/templates/deployment.yaml + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-egressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + selector: + matchLabels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway + template: + metadata: + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway + 
annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-egressgateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 15443 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-egressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: egressgateway-certs + mountPath: "/etc/istio/egressgateway-certs" + readOnly: true + - name: egressgateway-ca-certs + mountPath: 
"/etc/istio/egressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-egressgateway-service-account + optional: true + - name: egressgateway-certs + secret: + secretName: "istio-egressgateway-certs" + optional: true + - name: egressgateway-ca-certs + secret: + secretName: "istio-egressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + selector: + matchLabels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway + template: + metadata: + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-ingressgateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15020 + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15443 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - 
proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: ingressgateway-certs + mountPath: "/etc/istio/ingressgateway-certs" + readOnly: true + - name: ingressgateway-ca-certs + mountPath: "/etc/istio/ingressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + - name: ingressgateway-certs + secret: + secretName: "istio-ingressgateway-certs" + optional: true + - name: ingressgateway-ca-certs + secret: + secretName: "istio-ingressgateway-ca-certs" + optional: true + affinity: + 
nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- + +--- +# Source: istio/charts/grafana/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + template: + metadata: + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + spec: + securityContext: + runAsUser: 472 + fsGroup: 472 + containers: + - name: grafana + image: "grafana/grafana:6.0.2" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + readinessProbe: + httpGet: + path: /login + port: 3000 + env: + - name: GRAFANA_PORT + value: "3000" + - name: GF_AUTH_BASIC_ENABLED + value: "false" + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ORG_ROLE + value: Admin + - name: GF_PATHS_DATA + value: /data/grafana + resources: + requests: + cpu: 10m + + volumeMounts: + - name: data + mountPath: /data/grafana + - name: dashboards-istio-galley-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/galley-dashboard.json" + subPath: galley-dashboard.json + readOnly: true + - name: dashboards-istio-istio-mesh-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-mesh-dashboard.json" + subPath: istio-mesh-dashboard.json + 
readOnly: true + - name: dashboards-istio-istio-performance-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-performance-dashboard.json" + subPath: istio-performance-dashboard.json + readOnly: true + - name: dashboards-istio-istio-service-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-service-dashboard.json" + subPath: istio-service-dashboard.json + readOnly: true + - name: dashboards-istio-istio-workload-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-workload-dashboard.json" + subPath: istio-workload-dashboard.json + readOnly: true + - name: dashboards-istio-mixer-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/mixer-dashboard.json" + subPath: mixer-dashboard.json + readOnly: true + - name: dashboards-istio-pilot-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/pilot-dashboard.json" + subPath: pilot-dashboard.json + readOnly: true + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + volumes: + - name: config + configMap: + name: istio-grafana + - name: data + emptyDir: {} + - name: dashboards-istio-galley-dashboard + configMap: + name: istio-grafana-configuration-dashboards-galley-dashboard + - name: 
dashboards-istio-istio-mesh-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-mesh-dashboard + - name: dashboards-istio-istio-performance-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-performance-dashboard + - name: dashboards-istio-istio-service-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-service-dashboard + - name: dashboards-istio-istio-workload-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-workload-dashboard + - name: dashboards-istio-mixer-dashboard + configMap: + name: istio-grafana-configuration-dashboards-mixer-dashboard + - name: dashboards-istio-pilot-dashboard + configMap: + name: istio-grafana-configuration-dashboards-pilot-dashboard + +--- +# Source: istio/charts/kiali/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: kiali + template: + metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/scrape: "true" + prometheus.io/port: "9090" + spec: + serviceAccountName: kiali-service-account + containers: + - image: "docker.io/kiali/kiali:v0.16" + name: kiali + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + - "-v" + - "4" + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PROMETHEUS_SERVICE_URL + value: http://prometheus:9090 + - name: SERVER_WEB_ROOT + value: /kiali + volumeMounts: + - name: kiali-configuration + mountPath: "/kiali-configuration" + - name: kiali-secret + mountPath: "/kiali-secret" + resources: + requests: + cpu: 10m + + volumes: + - name: kiali-configuration + configMap: + name: kiali + - name: kiali-secret + 
secret: + secretName: kiali + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/mixer/templates/deployment.yaml + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-policy + labels: + app: istio-mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: policy + template: + metadata: + labels: + app: policy + chart: mixer + heritage: Tiller + release: istio + istio: mixer + istio-mixer-type: policy + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + - name: policy-adapter-secret + secret: + secretName: policy-adapter-secret + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: 
+ - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15014 + - containerPort: 42422 + args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 + - --configDefaultNamespace=istio-system + - --useAdapterCRDs=true + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + env: + - name: GODEBUG + value: "gctrace=1" + - name: GOMAXPROCS + value: "6" + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 100Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-policy + - --templateFile + - /etc/istio/proxy/envoy_policy.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + - name: policy-adapter-secret + mountPath: /var/run/secrets/istio.io/policy/adapter + 
readOnly: true + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-telemetry + labels: + app: istio-mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: telemetry + template: + metadata: + labels: + app: telemetry + chart: mixer + heritage: Tiller + release: istio + istio: mixer + istio-mixer-type: telemetry + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + - name: telemetry-adapter-secret + secret: + secretName: telemetry-adapter-secret + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15014 + - containerPort: 42422 + args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 + - --configDefaultNamespace=istio-system + - --useAdapterCRDs=true + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + - --averageLatencyThreshold + - 100ms + - --loadsheddingMode + - enforce + env: + - name: 
GODEBUG + value: "gctrace=1" + - name: GOMAXPROCS + value: "6" + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 50m + memory: 100Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: telemetry-adapter-secret + mountPath: /var/run/secrets/istio.io/telemetry/adapter + readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-telemetry + - --templateFile + - /etc/istio/proxy/envoy_telemetry.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + +--- + +--- +# Source: istio/charts/pilot/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-pilot + # TODO: default template doesn't have this, which one is right ? 
+ labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot + annotations: + checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-pilot-service-account + containers: + - name: discovery + image: "docker.io/istio/pilot:1.1.6" + imagePullPolicy: IfNotPresent + args: + - "discovery" + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --secureGrpcAddr + - "" + - --keepaliveMaxServerConnectionAge + - "30m" + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: GODEBUG + value: "gctrace=1" + - name: PILOT_PUSH_THROTTLE + value: "100" + - name: PILOT_TRACE_SAMPLING + value: "100" + - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY + value: "1" + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 10m + memory: 100Mi + + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + - 
--controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + volumes: + - name: config-volume + configMap: + name: istio + - name: istio-certs + secret: + secretName: istio.istio-pilot-service-account + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/prometheus/templates/deployment.yaml +# TODO: the original template has service account, roles, etc +apiVersion: apps/v1 +kind: Deployment +metadata: + name: prometheus + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus + template: + metadata: + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: prometheus + containers: + - name: prometheus + image: "docker.io/prom/prometheus:v2.3.1" + imagePullPolicy: IfNotPresent + args: + - '--storage.tsdb.retention=6h' + - 
'--config.file=/etc/prometheus/prometheus.yml' + ports: + - containerPort: 9090 + name: http + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + resources: + requests: + cpu: 10m + + volumeMounts: + - name: config-volume + mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs + volumes: + - name: config-volume + configMap: + name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + secretName: istio.default + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/deployment.yaml +# istio CA watching all namespaces +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-citadel + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel + template: + metadata: + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-citadel-service-account + containers: + - name: citadel + image: "docker.io/istio/citadel:1.1.6" + imagePullPolicy: IfNotPresent + args: + - --append-dns-names=true + - --grpc-port=8060 + - 
--grpc-hostname=citadel + - --citadel-storage-namespace=istio-system + - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system + - --monitoring-port=15014 + - --self-signed-ca=true + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-sidecar-injector + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + template: + metadata: + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-sidecar-injector-service-account + containers: + - name: sidecar-injector-webhook + image: "docker.io/istio/sidecar_injector:1.1.6" + imagePullPolicy: IfNotPresent + args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - 
--tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=2s + - --healthCheckFile=/health + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + readOnly: true + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: inject-config + mountPath: /etc/istio/inject + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + + volumes: + - name: config-volume + configMap: + name: istio + - name: certs + secret: + secretName: istio.istio-sidecar-injector-service-account + - name: inject-config + configMap: + name: istio-sidecar-injector + items: + - key: config + path: config + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/tracing/templates/deployment-jaeger.yaml + + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-tracing + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + selector: + matchLabels: + app: jaeger + chart: tracing + heritage: 
Tiller + release: istio + template: + metadata: + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "16686" + prometheus.io/path: "/jaeger/metrics" + spec: + containers: + - name: jaeger + image: "docker.io/jaegertracing/all-in-one:1.9" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9411 + - containerPort: 16686 + - containerPort: 5775 + protocol: UDP + - containerPort: 6831 + protocol: UDP + - containerPort: 6832 + protocol: UDP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: COLLECTOR_ZIPKIN_HTTP_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "50000" + - name: QUERY_BASE_PATH + value: /jaeger + livenessProbe: + httpGet: + path: / + port: 16686 + readinessProbe: + httpGet: + path: / + port: 16686 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + + +--- +# Source: istio/charts/gateways/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-egressgateway + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-egressgateway + metrics: + - type: Resource + 
resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-ingressgateway + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/mixer/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-policy + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-policy + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-telemetry + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-telemetry + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/pilot/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/tracing/templates/service-jaeger.yaml + +apiVersion: v1 +kind: Service +metadata: + name: jaeger-query + labels: + app: jaeger + jaeger-infra: jaeger-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: 
+ - name: query-http + port: 16686 + protocol: TCP + targetPort: 16686 + selector: + app: jaeger + +--- + +apiVersion: v1 +kind: Service +metadata: + name: jaeger-collector + labels: + app: jaeger + jaeger-infra: collector-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: jaeger-collector-tchannel + port: 14267 + protocol: TCP + targetPort: 14267 + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + selector: + app: jaeger + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger-agent + labels: + app: jaeger + jaeger-infra: agent-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: agent-zipkin-thrift + port: 5775 + protocol: UDP + targetPort: 5775 + - name: agent-compact + port: 6831 + protocol: UDP + targetPort: 6831 + - name: agent-binary + port: 6832 + protocol: UDP + targetPort: 6832 + clusterIP: None + selector: + app: jaeger + + + +--- +# Source: istio/charts/tracing/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: zipkin + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + type: ClusterIP + ports: + - port: 9411 + targetPort: 9411 + protocol: TCP + name: http + selector: + app: jaeger +--- +apiVersion: v1 +kind: Service +metadata: + name: tracing + annotations: + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: http-query + port: 80 + protocol: TCP + + targetPort: 16686 + + selector: + app: jaeger + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istio-sidecar-injector + namespace: 
istio-system + path: "/inject" + caBundle: "" + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + namespaceSelector: + matchLabels: + istio-injection: enabled + + +--- +# Source: istio/charts/galley/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + + minAvailable: 1 + selector: + matchLabels: + app: galley + release: istio + istio: galley + +--- +# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-egressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + + minAvailable: 1 + selector: + matchLabels: + release: istio + app: istio-egressgateway + istio: egressgateway +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-ingressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + + minAvailable: 1 + selector: + matchLabels: + release: istio + app: istio-ingressgateway + istio: ingressgateway +--- + +--- +# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-policy + labels: + app: policy + chart: mixer + heritage: Tiller + release: istio + version: 1.1.0 + istio: mixer + istio-mixer-type: policy +spec: + + minAvailable: 1 + selector: + matchLabels: + app: policy + release: istio + istio: mixer + istio-mixer-type: policy +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-telemetry + labels: + app: telemetry + chart: mixer + heritage: Tiller + release: istio + version: 1.1.0 + istio: mixer + istio-mixer-type: telemetry 
+spec: + + minAvailable: 1 + selector: + matchLabels: + app: telemetry + release: istio + istio: mixer + istio-mixer-type: telemetry +--- +# Source: istio/charts/pilot/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-pilot + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot +spec: + + minAvailable: 1 + selector: + matchLabels: + app: pilot + release: istio + istio: pilot + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.url_path: + valueType: STRING + request.query_params: + valueType: STRING_MAP + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + response.grpc_status: + valueType: STRING + response.grpc_message: + valueType: STRING + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + 
connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + connection.requested_server_name: + valueType: STRING + context.protocol: + valueType: STRING + context.proxy_error_code: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + rbac.permissive.response_code: + valueType: STRING + rbac.permissive.effective_policy_id: + valueType: STRING + check.error_code: + valueType: INT64 + check.error_message: + valueType: STRING + check.cache_hit: + valueType: BOOL + quota.cache_hit: + valueType: BOOL + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: 
STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: stdio + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + compiledAdapter: stdio + params: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: accesslog + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: 
request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseFlags: context.proxy_error_code | "" + responseSize: response.size | 0 + permissiveResponseCode: rbac.permissive.response_code | "none" + permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none" + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + grpcStatus: response.grpc_status | "" + grpcMessage: response.grpc_message | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: tcpaccesslog + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: 
destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + responseFlags: context.proxy_error_code | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: stdio + instances: + - accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" + actions: + - handler: stdio + instances: + - tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + 
source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + 
destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: 
rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + 
name: tcpbytesent + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: 
destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpconnectionsopened + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + 
monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpconnectionsclosed + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: prometheus + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + compiledAdapter: prometheus + params: + metricsExpirationPolicy: + metricsExpiryDuration: "10m" + metrics: + - name: requests_total + instance_name: requestcount.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - 
destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - 
destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_connections_opened_total + instance_name: tcpconnectionsopened.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_connections_closed_total + instance_name: tcpconnectionsclosed.metric.istio-system + kind: 
COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) + actions: + - handler: prometheus + instances: + - requestcount.metric + - requestduration.metric + - requestsize.metric + - responsesize.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" + actions: + - handler: prometheus + instances: + - tcpbytesent.metric + - tcpbytereceived.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionopen + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "open") + actions: + - handler: prometheus + instances: + - tcpconnectionsopened.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionclosed + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "close") + actions: + - handler: prometheus + instances: + - tcpconnectionsclosed.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: kubernetesenv + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + 
compiledAdapter: kubernetesenv + params: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + actions: + - handler: kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" + actions: + - handler: kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetes +metadata: + name: attributes + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attribute_bindings: + # Fill the new attributes from the adapter produced output. 
+ # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" +--- +# Configuration needed by Mixer. 
+# Mixer cluster is delivered via CDS +# Specify mixer cluster settings +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-policy + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + host: istio-policy.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-telemetry + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + host: istio-telemetry.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/kustomization.yaml new file mode 100644 index 0000000000..0073dc8e47 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio-install/base/kustomization.yaml 
@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- istio-noauth.yaml
+namespace: kubeflow
+images:
+- name: docker.io/istio/kubectl
+ newName: docker.io/istio/kubectl
+ newTag: 1.1.6
+- name: docker.io/istio/galley
+ newName: docker.io/istio/galley
+ newTag: 1.1.6
+- name: docker.io/istio/proxyv2
+ newName: docker.io/istio/proxyv2
+ newTag: 1.1.6
+- name: grafana/grafana
+ newName: grafana/grafana
+ newTag: 6.0.2
+- name: docker.io/kiali/kiali
+ newName: docker.io/kiali/kiali
+ newTag: v0.16
+- name: docker.io/istio/mixer
+ newName: docker.io/istio/mixer
+ newTag: 1.1.6
+- name: docker.io/istio/pilot
+ newName: docker.io/istio/pilot
+ newTag: 1.1.6
+- name: docker.io/prom/prometheus
+ newName: docker.io/prom/prometheus
+ newTag: v2.3.1
+- name: docker.io/istio/citadel
+ newName: docker.io/istio/citadel
+ newTag: 1.1.6
+- name: docker.io/istio/sidecar_injector
+ newName: docker.io/istio/sidecar_injector
+ newTag: 1.1.6
+- name: docker.io/jaegertracing/all-in-one
+ newName: docker.io/jaegertracing/all-in-one
+ newTag: '1.9'
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/README.md
new file mode 100644
index 0000000000..861a38775f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/README.md
@@ -0,0 +1,7 @@
+# Manifest for Istio in Kubeflow
+
+- `install` dir contains the manifest to install Istio
+- kf-istio-resources.yaml has
+ - Gateway for routing
+ - VirtualService for Grafana
+ - ServiceEntry and VirtualService for egress traffic
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/cluster-roles.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/cluster-roles.yaml
new file mode 100644
index 0000000000..d60d4e9cd2
--- /dev/null
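Review bot: Every entry under `images:` in istio-install/base/kustomization.yaml pins a mutable tag (`newTag: 1.1.6`, `newTag: v2.3.1`, `newTag: '1.9'`) rather than a digest, so the registry can serve different content for the same manifest over time. kustomize accepts `digest: sha256:<digest-placeholder>` in place of `newTag`, which makes the deployed control-plane images reproducible. Separately, the commit message says Istio 1.1 did not work for the JWT setup and that the cluster uses ASM with Istio 1.4; if this 1.1.6 install base is not applied anywhere, a comment at the top saying so would keep someone from deploying it by accident.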
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/cluster-roles.yaml
@@ -0,0 +1,55 @@
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules:
+- apiGroups:
+ - istio.io
+ - networking.istio.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - istio.io
+ - networking.istio.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kf-istio-resources.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kf-istio-resources.yaml
new file mode 100644
index 0000000000..3d938a89a1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kf-istio-resources.yaml
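Review bot: `kubeflow-istio-edit` grants create/delete/patch/update on `resources: ["*"]` in `istio.io` and `networking.istio.io`, and its `aggregate-to-kubeflow-edit` label folds that into the general Kubeflow edit role. The wildcard covers every kind in those groups, including ones that reshape traffic at the gateway or proxy level (Gateway, EnvoyFilter), which is probably more than a namespace editor needs. Listing the kinds explicitly, for example `resources: ["virtualservices", "destinationrules"]`, keeps the edit role to routing objects; the remaining kinds can go in a separate role that carries only the `aggregate-to-kubeflow-istio-admin` label. The same wildcard in `kubeflow-istio-view` is read-only and lower risk, but would read better enumerated too.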
@@ -0,0 +1,113 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: kubeflow-gateway
+spec:
+ selector:
+ istio: $(gatewaySelector)
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: grafana-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - "kubeflow-gateway"
+ http:
+ - match:
+ - uri:
+ prefix: "/istio/grafana/"
+ method:
+ exact: "GET"
+ rewrite:
+ uri: "/"
+ route:
+ - destination:
+ host: "grafana.istio-system.svc.cluster.local"
+ port:
+ number: 3000
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: google-api-entry
+spec:
+ hosts:
+ - www.googleapis.com
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: DNS
+ location: MESH_EXTERNAL
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: google-api-vs
+spec:
+ hosts:
+ - www.googleapis.com
+ tls:
+ - match:
+ - port: 443
+ sni_hosts:
+ - www.googleapis.com
+ route:
+ - destination:
+ host: www.googleapis.com
+ port:
+ number: 443
+ weight: 100
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: google-storage-api-entry
+spec:
+ hosts:
+ - storage.googleapis.com
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: DNS
+ location: MESH_EXTERNAL
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: google-storage-api-vs
+spec:
+ hosts:
+ - storage.googleapis.com
+ tls:
+ - match:
+ - port: 443
+ sni_hosts:
+ - storage.googleapis.com
+ route:
+ - destination:
+ host: storage.googleapis.com
+ port:
+ number: 443
+ weight: 100
+---
+apiVersion: rbac.istio.io/v1alpha1
+kind: ClusterRbacConfig
+metadata:
+ name: default
+spec:
+ mode: $(clusterRbacConfig)
+ exclusion:
+ namespaces:
+ - istio-system # Accessing Istio services won't require an rbac policy.
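Review bot: Nothing in this file authenticates or authorizes access to Grafana: `grafana-vs` sends any `GET` under `/istio/grafana/` on `kubeflow-gateway` (hosts `"*"`, plain HTTP on port 80) to `grafana.istio-system.svc.cluster.local:3000`, and the `ClusterRbacConfig` at the end excludes `istio-system` from Istio RBAC. Access control therefore rests entirely on whatever sits in front of the gateway (IAP or the authservice filter, going by the commit message), and that dependency is not written down. I would add a comment above the VirtualService such as `# Grafana is reachable through the gateway; access control relies on gateway-level auth, not Istio RBAC` and confirm Grafana's anonymous-access setting in the install manifests.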
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kustomization.yaml
new file mode 100644
index 0000000000..062807f761
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kf-istio-resources.yaml
+- cluster-roles.yaml
+namespace: kubeflow
+configMapGenerator:
+- name: istio-parameters
+ env: params.env
+vars:
+- name: clusterRbacConfig
+ objref:
+ kind: ConfigMap
+ name: istio-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.clusterRbacConfig
+- name: gatewaySelector
+ objref:
+ kind: ConfigMap
+ name: istio-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.gatewaySelector
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.env
new file mode 100644
index 0000000000..840d921ab7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.env
@@ -0,0 +1,2 @@
+clusterRbacConfig=ON_WITH_EXCLUSION
+gatewaySelector=ingressgateway
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.yaml
new file mode 100644
index 0000000000..df85a42729
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/mode
+ kind: ClusterRbacConfig
+- path: spec/selector
+ kind: Gateway
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kf-istio-resources.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kf-istio-resources.yaml
new file mode 100644
index 0000000000..0515bd3ee6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kf-istio-resources.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: kubeflow-gateway
+spec:
+ selector:
+ istio: $(gatewaySelector)
+ servers:
+ - hosts:
+ - '*'
+ port:
+ name: https
+ number: 443
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ privateKey: /etc/istio/ingressgateway-certs/tls.key
+ serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kustomization.yaml
new file mode 100644
index 0000000000..4a0e56c209
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- kf-istio-resources.yaml
+
+configMapGenerator:
+- name: istio-parameters
+ behavior: merge
+ env: params.env
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.env
new file mode 100644
index 0000000000..bb0cded28d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.env
@@ -0,0 +1 @@
+gatewaySelector=ingressgateway
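Review bot: The HTTPS server in the https-gateway overlay sets `tls.mode: SIMPLE` with key and certificate paths but no protocol floor, so the accepted TLS versions are whatever the proxy defaults to, which for proxies of this Istio generation may still include TLS 1.0 and 1.1. Adding `minProtocolVersion: TLSV1_2` under `tls:` makes the floor explicit. It would also help to note in a comment whether this patch is meant to replace the base's port-80 server; if a plaintext listener survives the merge, it should carry `tls: {httpsRedirect: true}` so requests are not served over HTTP.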
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.yaml
new file mode 100644
index 0000000000..c8c2507fe0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/istio/overlays/https-gateway/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/selector
+ kind: Gateway
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/envoy-filter.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/envoy-filter.yaml
new file mode 100644
index 0000000000..eb2e1415f3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/envoy-filter.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: authn-filter
+spec:
+ workloadLabels:
+ istio: ingressgateway
+ filters:
+ - filterConfig:
+ httpService:
+ serverUri:
+ uri: http://authservice.$(namespace).svc.cluster.local
+ cluster: outbound|8080||authservice.$(namespace).svc.cluster.local
+ failureModeAllow: false
+ timeout: 10s
+ authorizationRequest:
+ allowedHeaders:
+ patterns:
+ - exact: "cookie"
+ - exact: "X-Auth-Token"
+ authorizationResponse:
+ allowedUpstreamHeaders:
+ patterns:
+ - exact: "kubeflow-userid"
+ statusOnError:
+ code: GatewayTimeout
+ filterName: envoy.ext_authz
+ filterType: HTTP
+ insertPosition:
+ index: FIRST
+ listenerMatch:
+ listenerType: GATEWAY
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/kustomization.yaml
new file mode 100644
index 0000000000..d6873598a0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/kustomization.yaml
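Review bot: In envoy-filter.yaml, `allowedUpstreamHeaders` forwards `kubeflow-userid` from the auth response, but nothing removes a `kubeflow-userid` header the client itself sent, so on any request where authservice answers OK without setting it (possibly the `skip_auth_uri` paths) a backend could receive a caller-supplied identity. Backends presumably treat this header as the authenticated user, so the gateway should strip it from inbound requests before the ext_authz result is applied. The name is also hard-coded here while the kustomization in this directory exposes a `userid-header` parameter; a comment next to the `exact:` line saying the two must match would stop them drifting apart. Finally, `serverUri` is `http://`, so the check request, including the forwarded `cookie`, travels unencrypted in-cluster unless mesh mTLS covers that hop.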
@@ -0,0 +1,87 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service.yaml
+- statefulset.yaml
+- envoy-filter.yaml
+- pvc.yaml
+
+namespace: istio-system
+
+configMapGenerator:
+- name: oidc-authservice-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+
+vars:
+- name: client_id
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.client_id
+- name: oidc_provider
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidc_provider
+- name: oidc_redirect_uri
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidc_redirect_uri
+- name: oidc_auth_url
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.oidc_auth_url
+- name: application_secret
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.application_secret
+- name: skip_auth_uri
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.skip_auth_uri
+- name: userid-header
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.userid-header
+- name: userid-prefix
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.userid-prefix
+- name: namespace
+ objref:
+ kind: ConfigMap
+ name: oidc-authservice-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.namespace
+configurations:
+- params.yaml
+images:
+- name: gcr.io/arrikto/kubeflow/oidc-authservice
+ newName: gcr.io/arrikto/kubeflow/oidc-authservice
+ newTag: 28c59ef
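Review bot: The `application_secret` var reads the OIDC client secret from the `oidc-authservice-parameters` ConfigMap, and the params.env hunk that feeds it commits a literal `application_secret=` value; the statefulset.yaml hunk then passes it to the container as a plain `value: $(application_secret)` for `CLIENT_SECRET`. Anyone who can read ConfigMaps in `istio-system`, the pod spec, or this repository can recover the secret, and the committed value looks like a shared upstream default rather than one generated for this cluster (inferred from the `upstream/manifests` path). Rotate the value at the OIDC provider, drop the line from params.env, and have the container read it through `valueFrom:` with a `secretKeyRef` pointing at a Secret created outside the repository.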
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.env
new file mode 100644
index 0000000000..9ae6e65cfb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.env
@@ -0,0 +1,9 @@
+client_id=ldapdexapp
+oidc_provider=
+oidc_redirect_uri=
+oidc_auth_url=
+application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
+skip_auth_uri=
+userid-header=
+userid-prefix=
+namespace=istio-system
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.yaml
new file mode 100644
index 0000000000..a98891656b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/params.yaml
@@ -0,0 +1,7 @@
+varReference:
+- path: spec/template/spec/containers/env/value
+ kind: StatefulSet
+- path: spec/filters/filterConfig/httpService/serverUri/uri
+ kind: EnvoyFilter
+- path: spec/filters/filterConfig/httpService/serverUri/cluster
+ kind: EnvoyFilter
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/pvc.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/pvc.yaml
new file mode 100644
index 0000000000..da2f06ba3a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: authservice-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/service.yaml
new file mode 100644
index 0000000000..72dbda041f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: authservice
+spec:
+ type: ClusterIP
+ selector:
+ app: authservice
+ ports:
+ - port: 8080
+ name: http-authservice
+ targetPort: http-api
+ publishNotReadyAddresses: true
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/statefulset.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/statefulset.yaml
new file mode 100644
index 0000000000..4a85d3dff5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/base/statefulset.yaml
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: authservice
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authservice
+ serviceName: authservice
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: authservice
+ spec:
+ containers:
+ - name: authservice
+ image: gcr.io/arrikto/kubeflow/oidc-authservice:6ac9400
+ imagePullPolicy: Always
+ ports:
+ - name: http-api
+ containerPort: 8080
+ env:
+ - name: USERID_HEADER
+ value: $(userid-header)
+ - name: USERID_PREFIX
+ value: $(userid-prefix)
+ - name: USERID_CLAIM
+ value: email
+ - name: OIDC_PROVIDER
+ value: $(oidc_provider)
+ - name: OIDC_AUTH_URL
+ value: $(oidc_auth_url)
+ - name: OIDC_SCOPES
+ value: "profile email groups"
+ - name: REDIRECT_URL
+ value: $(oidc_redirect_uri)
+ - name: SKIP_AUTH_URI
+ value: $(skip_auth_uri)
+ - name: PORT
+ value: "8080"
+ - name: CLIENT_ID
+ value: $(client_id)
+ - name: CLIENT_SECRET
+ value: $(application_secret)
+ - name: STORE_PATH
+ value: /var/lib/authservice/data.db
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/authservice
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8081
+ securityContext:
+ fsGroup: 111
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: authservice-pvc
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/application.yaml
new file mode 100644
index 0000000000..1f33ffcdf7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/application.yaml
@@ -0,0 +1,43 @@
+
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: oidc-authservice
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oidc-authservice
+ app.kubernetes.io/instance: oidc-authservice-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: oidc-authservice
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: apps
+ kind: StatefulSet
+ - group: core
+ kind: Service
+ - group: core
+ kind: PersistentVolumeClaim
+ - group: networking.istio.io
+ kind: EnvoyFilter
+ descriptor:
+ type: oidc-authservice
+ version: v1beta1
+ description: Provides OIDC-based authentication for Kubeflow Applications, at the Istio Gateway.
+ maintainers:
+ - name: Yannis Zarkadas
+ email: yanniszark@arrikto.com
+ owners:
+ - name: Yannis Zarkadas
+ email: yanniszark@arrikto.com
+ keywords:
+ - oidc
+ - authservice
+ - authentication
+ links:
+ - description: About
+ url: https://github.com/kubeflow/kubeflow/tree/master/components/oidc-authservice
+ - description: Docs
+ url: https://www.kubeflow.org/docs/started/k8s/kfctl-existing-arrikto
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..fbe38250d9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: oidc-authservice
+ app.kubernetes.io/name: oidc-authservice
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml
new file mode 100644
index 0000000000..4da19269ee
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- statefulset.yaml
+images:
+ - name: busybox
+ newTag: "latest"
+ newName: busybox
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml
new file mode 100644
index 0000000000..2bf14f3759
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/istio/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml
@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: authservice
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: fix-permission
+ image: busybox
+ command: ['sh', '-c']
+ args: ['chmod -R 777 /var/lib/authservice;']
+ volumeMounts:
+ - mountPath: /var/lib/authservice
+ name: data
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/OWNERS
new file mode 100644
index 0000000000..41a3d8f9ad
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+ - kimwnasptd
+ - lluunn
+
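Review bot: The `images` entry in the ibm-storage-config kustomization resolves `busybox` to `newTag: "latest"`, a mutable tag, for an init container that rewrites permissions on the authservice data volume. Each pod restart can therefore pull a different image than the one that was reviewed. Pin it to a fixed version or to a digest, for example `digest: sha256:<PINNED_DIGEST>` in place of `newTag` (placeholder; take the value from the registry you trust).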
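Review bot: The `fix-permission` init container in the ibm-storage-config statefulset.yaml runs `chmod -R 777 /var/lib/authservice`, which makes the directory holding the authservice store (`STORE_PATH` is `/var/lib/authservice/data.db` in the base StatefulSet) readable and writable by every user that can reach the volume. The base pod spec already sets `fsGroup: 111`, so group access should be sufficient: `args: ['chgrp -R 111 /var/lib/authservice && chmod -R 770 /var/lib/authservice']`. Whether the IBM storage class honours `fsGroup` is not visible here, which is presumably why the workaround exists, so confirm the narrower mode on that storage before merging.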
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..f7fe51dff5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-role
+subjects:
+- kind: ServiceAccount
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role.yaml
new file mode 100644
index 0000000000..09f293672e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/cluster-role.yaml
@@ -0,0 +1,112 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - notebooks
+ - notebooks/finalizers
+ - poddefaults
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - list
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-notebook-ui-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-notebook-ui-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - notebooks
+ - notebooks/finalizers
+ - poddefaults
+ verbs:
+ - get
+ - list
+ - create
+ - delete
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-notebook-ui-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - notebooks
+ - notebooks/finalizers
+ - poddefaults
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
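Review bot: The first rule of `cluster-role` grants `create` and `delete` on `namespaces` cluster-wide to the web app's ServiceAccount (bound in cluster-role-binding.yaml), and a later rule adds `create`/`delete` on `persistentvolumeclaims` in every namespace. A compromised or buggy UI pod could then remove other tenants' namespaces and volumes. Unless the app is known to create or delete namespaces itself, reduce the first rule to `verbs: [get, list]`, and document in a comment above each remaining `delete` why the UI needs it.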
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/configs/spawner_ui_config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/configs/spawner_ui_config.yaml
new file mode 100644
index 0000000000..f5e63b37b3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/configs/spawner_ui_config.yaml
@@ -0,0 +1,128 @@
+# Configuration file for the Jupyter UI.
+#
+# Each Jupyter UI option is configured by two keys: 'value' and 'readOnly'
+# - The 'value' key contains the default value
+# - The 'readOnly' key determines if the option will be available to users
+#
+# If the 'readOnly' key is present and set to 'true', the respective option
+# will be disabled for users and only set by the admin. Also when a
+# Notebook is POSTED to the API if a necessary field is not present then
+# the value from the config will be used.
+#
+# If the 'readOnly' key is missing (defaults to 'false'), the respective option
+# will be available for users to edit.
+#
+# Note that some values can be templated. Such values are the names of the
+# Volumes as well as their StorageClass
+spawnerFormDefaults:
+ image:
+ # The container Image for the user's Jupyter Notebook
+ # If readonly, this value must be a member of the list below
+ value: gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-cpu:1.0.0
+ # The list of available standard container Images
+ options:
+ - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-cpu:1.0.0
+ - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-gpu:1.0.0
+ - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-cpu:1.0.0
+ - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-gpu:1.0.0
+ # By default, custom container Images are allowed
+ # Uncomment the following line to only enable standard container Images
+ readOnly: false
+ cpu:
+ # CPU for user's Notebook
+ value: '0.5'
+ readOnly: false
+ memory:
+ # Memory for user's Notebook
+ value: 1.0Gi
+ readOnly: false
+ workspaceVolume:
+ # Workspace Volume to be attached to user's Notebook
+ # Each Workspace Volume is declared with the following attributes:
+ # Type, Name, Size, MountPath and Access Mode
+ value:
+ type:
+ # The Type of the Workspace Volume
+ # Supported values: 'New', 'Existing'
+ value: New
+ name:
+ # The Name of the Workspace Volume
+ # Note that this is a templated value. Special values:
+ # {notebook-name}: Replaced with the name of the Notebook. The frontend
+ # will replace this value as the user types the name
+ value: 'workspace-{notebook-name}'
+ size:
+ # The Size of the Workspace Volume (in Gi)
+ value: '10Gi'
+ mountPath:
+ # The Path that the Workspace Volume will be mounted
+ value: /home/jovyan
+ accessModes:
+ # The Access Mode of the Workspace Volume
+ # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany'
+ value: ReadWriteOnce
+ class:
+ # The StrageClass the PVC will use if type is New. Special values are:
+ # {none}: default StorageClass
+ # {empty}: empty string ""
+ value: '{none}'
+ readOnly: false
+ dataVolumes:
+ # List of additional Data Volumes to be attached to the user's Notebook
+ value: []
+ # Each Data Volume is declared with the following attributes:
+ # Type, Name, Size, MountPath and Access Mode
+ #
+ # For example, a list with 2 Data Volumes:
+ # value:
+ # - value:
+ # type:
+ # value: New
+ # name:
+ # value: '{notebook-name}-vol-1'
+ # size:
+ # value: '10Gi'
+ # class:
+ # value: standard
+ # mountPath:
+ # value: /home/jovyan/vol-1
+ # accessModes:
+ # value: ReadWriteOnce
+ # class:
+ # value: {none}
+ # - value:
+ # type:
+ # value: New
+ # name:
+ # value: '{notebook-name}-vol-2'
+ # size:
+ # value: '10Gi'
+ # mountPath:
+ # value: /home/jovyan/vol-2
+ # accessModes:
+ # value: ReadWriteMany
+ # class:
+ # value: {none}
+ readOnly: false
+ gpus:
+ # Number of GPUs to be assigned to the Notebook Container
+ value:
+ # values: "none", "1", "2", "4", "8"
+ num: "none"
+ # Determines what the UI will show and send to the backend
+ vendors:
+ - limitsKey: "nvidia.com/gpu"
+ uiName: "NVIDIA"
+ # Values: "" or a `limits-key` from the vendors list
+ vendor: ""
+ readOnly: false
+ shm:
+ value: true
+ readOnly: false
+ configurations:
+ # List of labels to be selected, these are the labels from PodDefaults
+ # value:
+ # - add-gcp-secret
+ # - default-editor
+ value: []
+ readOnly: false
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment.yaml
new file mode 100644
index 0000000000..42885b7dcc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment.yaml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - image: gcr.io/kubeflow-images-public/jupyter-web-app
+ name: jupyter-web-app
+ ports:
+ - containerPort: 5000
+ volumeMounts:
+ - mountPath: /etc/config
+ name: config-volume
+ serviceAccountName: service-account
+ volumes:
+ - configMap:
+ name: jupyter-web-app-config
+ name: config-volume
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment_patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment_patch.yaml
new file mode 100644
index 0000000000..c4351cab88
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/deployment_patch.yaml
@@ -0,0 +1,27 @@
+# TODO(https://github.com/kubeflow/manifests/issues/774): This is a patch
+# that pulls out from core the parts that should be in pulled into stacks.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: jupyter-web-app
+ imagePullPolicy: $(policy)
+ env:
+ - name: ROK_SECRET_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: parameters
+ key: ROK_SECRET_NAME
+ - name: UI
+ valueFrom:
+ configMapKeyRef:
+ name: parameters
+ key: UI
+ - name: USERID_HEADER
+ value: $(userid-header)
+ - name: USERID_PREFIX
+ value: $(userid-prefix)
\ No newline at end of file
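Review bot: In spawner_ui_config.yaml the comment above `readOnly: false` under `image` says "Uncomment the following line to only enable standard container Images", but the line is already active and set to `false`, so the comment describes the opposite of what the setting does. As written, users may start notebooks from any image they type in rather than only the four listed under `options`. If this cluster should run only the listed images, set `readOnly: true`; otherwise reword the comment to `# Set readOnly to true to restrict users to the images listed in options`. The aws overlay copy of this file carries the same comment and setting.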
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/kustomization.yaml
new file mode 100644
index 0000000000..29dcc61216
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/kustomization.yaml
@@ -0,0 +1,85 @@
+# TODO(https://github.com/kubeflow/manifests/issues/774):
+# This is a legacy package. Hopefully we can get rid of it once
+# 774 is complete.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+# TODO(jlewi): We can't depend on base because of the deployment_patch.
+# but maybe if we changed that to use ConfigMapRef then the patch would correctly
+# override the patch applied in base_v3
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- deployment.yaml
+- role-binding.yaml
+- role.yaml
+- service-account.yaml
+- service.yaml
+namePrefix: jupyter-web-app-
+namespace: kubeflow
+commonLabels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+images:
+- name: gcr.io/kubeflow-images-public/jupyter-web-app
+ newName: gcr.io/kubeflow-images-public/jupyter-web-app
+ newTag: vmaster-gd9be4b9e
+configMapGenerator:
+- envs:
+ - params.env
+ name: parameters
+# We need the name to be unique without the suffix because the original name is what
+# gets used with patches
+- name: jupyter-web-app-config
+ files:
+ - configs/spawner_ui_config.yaml
+generatorOptions:
+ # TODO(jlewi): Why are we setting disableNameSuffixHash true? Don't we want a content hash so that if the config map
+ # changes we would update the configmap?
+ disableNameSuffixHash: true
+patchesStrategicMerge:
+- deployment_patch.yaml
+vars:
+- fieldref:
+ fieldPath: data.policy
+ name: policy
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+- fieldref:
+ fieldPath: data.prefix
+ name: prefix
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+- fieldref:
+ fieldPath: data.clusterDomain
+ name: clusterDomain
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+- fieldref:
+ fieldPath: metadata.namespace
+ name: namespace
+ objref:
+ apiVersion: v1
+ kind: Service
+ name: service
+- fieldref:
+ fieldPath: data.userid-header
+ name: userid-header
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+- fieldref:
+ fieldPath: data.userid-prefix
+ name: userid-prefix
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.env
new file mode 100644
index 0000000000..f3463e436a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.env
@@ -0,0 +1,7 @@
+UI=default
+ROK_SECRET_NAME=secret-rok-{username}
+policy=Always
+prefix=jupyter
+clusterDomain=cluster.local
+userid-header=
+userid-prefix=
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.yaml
new file mode 100644
index 0000000000..65ff4846ae
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/params.yaml
@@ -0,0 +1,9 @@
+varReference:
+- path: spec/template/spec/containers/imagePullPolicy
+ kind: Deployment
+- path: metadata/annotations/getambassador.io\/config
+ kind: Service
+- path: spec/template/spec/containers/0/env/2/value
+ kind: Deployment
+- path: spec/template/spec/containers/0/env/3/value
+ kind: Deployment
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role-binding.yaml
new file mode 100644
index 0000000000..5400a70f6e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: jupyter-notebook-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: jupyter-notebook-role
+subjects:
+- kind: ServiceAccount
+ name: jupyter-notebook
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role.yaml
new file mode 100644
index 0000000000..bcd601a5a2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/role.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: jupyter-notebook-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - secrets
+ - services
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ - apps
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - '*'
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
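Review bot: The first rule of `jupyter-notebook-role` in role.yaml grants verb `'*'` on `secrets` (together with `pods`, `pods/log` and `services`), and the third rule grants `'*'` on every `kubeflow.org` resource. Code running in a notebook pod under the `jupyter-notebook` ServiceAccount bound in role-binding.yaml can therefore read, change and delete every Secret in the namespace. If notebooks only need to consume specific credentials, remove `- secrets` from that rule or move it to its own rule with `verbs: [get]` and a `resourceNames:` list. Separately, role.yaml and role-binding.yaml use `rbac.authorization.k8s.io/v1beta1` while cluster-role.yaml already uses `v1`; aligning them on `v1` avoids breakage on clusters that no longer serve the beta API.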
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service-account.yaml
new file mode 100644
index 0000000000..a36cbd800f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service.yaml
new file mode 100644
index 0000000000..d22b9ed69b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ getambassador.io/config: |-
+ ---
+ apiVersion: ambassador/v0
+ kind: Mapping
+ name: webapp_mapping
+ prefix: /$(prefix)/
+ service: jupyter-web-app-service.$(namespace)
+ add_request_headers:
+ x-forwarded-prefix: /jupyter
+ labels:
+ run: jupyter-web-app
+ name: service
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 5000
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/deployment_patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/deployment_patch.yaml
new file mode 100644
index 0000000000..ca39d15ce2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/deployment_patch.yaml
@@ -0,0 +1,22 @@
+# TODO(https://github.com/kubeflow/manifests/issues/774): This is a patch
+# that pulls out from core the parts that should be in pulled into stacks.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: jupyter-web-app
+ env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-header
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-prefix
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/kustomization.yaml
new file mode 100644
index 0000000000..e1c07bd55a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/base_v3/kustomization.yaml
@@ -0,0 +1,50 @@
+# TODO(https://github.com/kubeflow/manifests/issues/774):
+# This is a new kustomization file intended to get rid of the
+# need to rely on kfctl to build the kustomization.yaml file.
+# We might want to eventually move it to jupyter/jupyter-web-app/kustomization.yaml
+# We currently don't do that because we don't want to interfere with existing behavior.
+#
+# This kustomization.yaml file doesn't depend on base/kustomization.yaml
+# because that file contains changes that won't work with the new stack kustomize
+# packages that we want to define. For example, we can't define vars namespace, clusterDomain
+# etc... because we want those to be defined at the stack level and reused across applications.
+# We don't want to modify jupyter-web-app/kustomization.yaml because that would
+# break the existing KFDef files. So we want to make the stacks work
+# and then replace it.
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: jupyter-web-app
+ app.kubernetes.io/instance: jupyter-web-app-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: jupyter-web-app
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
+kind: Kustomization
+namePrefix: jupyter-web-app-
+namespace: kubeflow
+commonLabels:
+ app: jupyter-web-app
+ kustomize.component: jupyter-web-app
+namespace: kubeflow
+images:
+- name: gcr.io/kubeflow-images-public/jupyter-web-app
+ newName: gcr.io/kubeflow-images-public/jupyter-web-app
+ newTag: vmaster-gd9be4b9e
+resources:
+- ../base/cluster-role-binding.yaml
+- ../base/cluster-role.yaml
+- ../base/deployment.yaml
+- ../base/role-binding.yaml
+- ../base/role.yaml
+- ../base/service-account.yaml
+- ../base/service.yaml
+- ../overlays/istio
+- ../overlays/application
+configMapGenerator:
+# We need the name to be unique without the suffix because the original name is what
+# gets used with patches
+- name: jupyter-web-app-config
+ files:
+ - ../base/configs/spawner_ui_config.yaml
+patchesStrategicMerge:
+- deployment_patch.yaml
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/application.yaml
new file mode 100644
index 0000000000..403e269781
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/application.yaml
@@ -0,0 +1,49 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: jupyter-web-app
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: jupyter-web-app
+ app.kubernetes.io/instance: jupyter-web-app-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: jupyter-web-app
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ - group: rbac.authorization.k8s.io
+ kind: RoleBinding
+ - group: rbac.authorization.k8s.io
+ kind: Role
+ - group: core
+ kind: ServiceAccount
+ - group: core
+ kind: Service
+ - group: networking.istio.io
+ kind: VirtualService
+ descriptor:
+ type: jupyter-web-app
+ version: v1beta1
+ description: Provides a UI which allows the user to create/conect/delete jupyter notebooks.
+ maintainers:
+ - name: Kimonas Sotirchos
+ email: kimwnasptd@arrikto.com
+ owners:
+ - name: Kimonas Sotirchos
+ email: kimwnasptd@arrikto.com
+ keywords:
+ - jupyterhub
+ - jupyter ui
+ - notebooks
+ links:
+ - description: About
+ url: https://github.com/kubeflow/kubeflow/tree/master/components/jupyter-web-app
+ - description: Docs
+ url: https://www.kubeflow.org/docs/notebooks
+ addOwnerRef: true
+
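Review bot: The base_v3 kustomization.yaml declares `commonLabels` twice and `namespace: kubeflow` twice. Duplicate mapping keys are invalid YAML: strict parsers reject the file, and lenient ones keep only the last occurrence, which would silently drop the six `app.kubernetes.io/*` labels from every resource and selector. The `v1.0.0` instance and version labels also differ from the `v0.7.0` values that the Application selector in overlays/application/application.yaml matches on, so confirm which set is intended. Merge the two blocks into a single `commonLabels:` mapping holding all eight labels and delete the second `namespace: kubeflow` line.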
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..6cdc486367
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/application/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/component: jupyter-web-app
+ app.kubernetes.io/name: jupyter-web-app
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/kustomization.yaml
new file mode 100644
index 0000000000..faa9de8a07
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+configMapGenerator:
+- name: jupyter-web-app-config
+ behavior: replace
+ files:
+ - spawner_ui_config.yaml
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/spawner_ui_config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/spawner_ui_config.yaml
new file mode 100644
index 0000000000..9eb4607e02
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/aws/spawner_ui_config.yaml
@@ -0,0 +1,132 @@ +# Configuration file for the Jupyter UI. +# +# Each Jupyter UI option is configured by two keys: 'value' and 'readOnly' +# - The 'value' key contains the default value +# - The 'readOnly' key determines if the option will be available to users +# +# If the 'readOnly' key is present and set to 'true', the respective option +# will be disabled for users and only set by the admin. Also when a +# Notebook is POSTED to the API if a necessary field is not present then +# the value from the config will be used. +# +# If the 'readOnly' key is missing (defaults to 'false'), the respective option +# will be available for users to edit. +# +# Note that some values can be templated. Such values are the names of the +# Volumes as well as their StorageClass +spawnerFormDefaults: + image: + # The container Image for the user's Jupyter Notebook + # If readonly, this value must be a member of the list below + value: 527798164940.dkr.ecr.us-west-2.amazonaws.com/tensorflow-1.15.2-notebook-cpu:1.0.0 + # The list of available standard container Images + options: + - 527798164940.dkr.ecr.us-west-2.amazonaws.com/tensorflow-1.15.2-notebook-cpu:1.0.0 + - 527798164940.dkr.ecr.us-west-2.amazonaws.com/tensorflow-1.15.2-notebook-gpu:1.0.0 + - 527798164940.dkr.ecr.us-west-2.amazonaws.com/tensorflow-2.1.0-notebook-cpu:1.0.0 + - 527798164940.dkr.ecr.us-west-2.amazonaws.com/tensorflow-2.1.0-notebook-gpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-cpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-1.15.2-notebook-gpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-cpu:1.0.0 + - gcr.io/kubeflow-images-public/tensorflow-2.1.0-notebook-gpu:1.0.0 + # By default, custom container Images are allowed + # Uncomment the following line to only enable standard container Images + readOnly: false + cpu: + # CPU for user's Notebook + value: '0.5' + readOnly: false + memory: + # Memory for user's Notebook + value: 1.0Gi + readOnly: false + 
workspaceVolume: + # Workspace Volume to be attached to user's Notebook + # Each Workspace Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + value: + type: + # The Type of the Workspace Volume + # Supported values: 'New', 'Existing' + value: New + name: + # The Name of the Workspace Volume + # Note that this is a templated value. Special values: + # {notebook-name}: Replaced with the name of the Notebook. The frontend + # will replace this value as the user types the name + value: 'workspace-{notebook-name}' + size: + # The Size of the Workspace Volume (in Gi) + value: '10Gi' + mountPath: + # The Path that the Workspace Volume will be mounted + value: /home/jovyan + accessModes: + # The Access Mode of the Workspace Volume + # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' + value: ReadWriteOnce + class: + # The StrageClass the PVC will use if type is New. Special values are: + # {none}: default StorageClass + # {empty}: empty string "" + value: '{none}' + readOnly: false + dataVolumes: + # List of additional Data Volumes to be attached to the user's Notebook + value: [] + # Each Data Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + # + # For example, a list with 2 Data Volumes: + # value: + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-1' + # size: + # value: '10Gi' + # class: + # value: standard + # mountPath: + # value: /home/jovyan/vol-1 + # accessModes: + # value: ReadWriteOnce + # class: + # value: {none} + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-2' + # size: + # value: '10Gi' + # mountPath: + # value: /home/jovyan/vol-2 + # accessModes: + # value: ReadWriteMany + # class: + # value: {none} + readOnly: false + gpus: + # Number of GPUs to be assigned to the Notebook Container + value: + # values: "none", "1", "2", "4", "8" + num: "none" + # Determines what the UI will show 
and send to the backend + vendors: + - limitsKey: "nvidia.com/gpu" + uiName: "NVIDIA" + # Values: "" or a `limits-key` from the vendors list + vendor: "" + readOnly: false + shm: + value: true + readOnly: false + configurations: + # List of labels to be selected, these are the labels from PodDefaults + # value: + # - add-gcp-secret + # - default-editor + value: [] + readOnly: false \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..0991e8fcdf --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- virtual-service.yaml +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000000..589a8ee5f3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/jupyter-web-app/overlays/istio/virtual-service.yaml 
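Review bot: In overlays/aws/spawner_ui_config.yaml the `image` option is left at `readOnly: false`, which by the file's own header means users may enter any container image in the spawner. The comment directly above it says to uncomment the line to allow only standard images, but the line is already active and restricting would need the opposite value. If only the listed ECR/GCR images should be runnable, set `readOnly: true` under `image` and reword the comment to `# Set readOnly to true to allow only the images listed above`. The commented Data Volume example also has `class:` twice in its first entry and an unquoted `{none}`, which YAML reads as a flow mapping; writing `'{none}'`, as the workspaceVolume block does, keeps the example safe to copy.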
@@ -0,0 +1,24 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: jupyter-web-app +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - headers: + request: + add: + x-forwarded-prefix: /jupyter + match: + - uri: + prefix: /jupyter/ + rewrite: + uri: / + route: + - destination: + host: jupyter-web-app-service.$(namespace).svc.$(clusterDomain) + port: + number: 80 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..a1a3945401 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: role +subjects: +- kind: ServiceAccount + name: service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role.yaml new file mode 100644 index 0000000000..16b6253a8f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/cluster-role.yaml 
@@ -0,0 +1,107 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: role
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - deployments
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - notebooks
+ - notebooks/status
+ - notebooks/finalizers
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - virtualservices
+ verbs:
+ - '*'
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-notebooks-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-notebooks-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - notebooks
+ - notebooks/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-notebooks-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - notebooks
+ - notebooks/status
+ verbs:
+ - get
+ - list
+ - watch
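Review bot: The first ClusterRole in this hunk (`role`, which cluster-role-binding.yaml binds to the controller's service account cluster-wide) grants `'*'` verbs on deployments, statefulsets, services and Istio virtualservices in every namespace, which is likely broader than a controller reconciling Notebook objects needs. Replacing each wildcard with the explicit verbs the controller uses, presumably `verbs: [get, list, watch, create, update, patch, delete]` (confirm against the controller code), keeps verbs such as `deletecollection` out of the grant and makes the permission set auditable. The path suggests these manifests are vendored from upstream, so the narrowing may be better carried as a kustomize patch in this repository than as an edit to this file. A one-line comment above `kubeflow-notebooks-admin` saying that its `rules: []` is filled through the aggregation label would also help readers.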
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/crd.yaml new file mode 100644 index 0000000000..b6556bd4cc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/crd.yaml 
@@ -0,0 +1,64 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: notebooks.kubeflow.org +spec: + group: kubeflow.org + names: + kind: Notebook + plural: notebooks + singular: notebook + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + - name: v1 + served: true + storage: false + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + template: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + properties: + spec: + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions is an array of current conditions + items: + properties: + type: + description: Type of the confition/ + type: string + required: + - type + type: object + type: array + required: + - conditions + type: object diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment.yaml new file mode 100644 index 0000000000..af3e902261 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: manager
+ image: gcr.io/kubeflow-images-public/notebook-controller:v20190614-v0-160-g386f2749-e3b0c4
+ command:
+ - /manager
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ serviceAccountName: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment_patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment_patch.yaml
new file mode 100644
index 0000000000..a7dfb43349
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/deployment_patch.yaml
@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ env:
+ # We use a patch to set the USE_ISTIO because in other patches
+ # we want to set it to a configMapRef and so if we include the value
+ # in the base when we do the merge we end up with 2 fields setting the value.
+ - name: USE_ISTIO
+ value: "false"
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/kustomization.yaml
new file mode 100644
index 0000000000..e0977d7f06
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/kustomization.yaml
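Review bot: The `manager` container in notebook-controller/base/deployment.yaml sets no `securityContext` and no `resources`, so it runs with whatever user and capabilities the image defaults to while using the service account that cluster-role-binding.yaml ties to a cluster-wide role. Adding a container-level `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true}` together with CPU and memory requests and limits would narrow what a compromised controller process can do; whether the image already runs as a non-root user needs confirming first. The same gap is visible in katib/katib-controller/base/katib-controller-deployment.yaml later in this patch. The liveness probe targets `/metrics` on port 8080, and a short comment saying why the metrics endpoint doubles as the health check would help.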
@@ -0,0 +1,43 @@
+# TODO(https://github.com/kubeflow/manifests/issues/1052): Cleanup this up
+# once kustomize_v3 migration is done.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- crd.yaml
+- deployment.yaml
+- service-account.yaml
+- service.yaml
+namePrefix: notebook-controller-
+namespace: kubeflow
+patchesStrategicMerge:
+- deployment_patch.yaml
+commonLabels:
+ app: notebook-controller
+ kustomize.component: notebook-controller
+images:
+- name: gcr.io/kubeflow-images-public/notebook-controller
+ newName: gcr.io/kubeflow-images-public/notebook-controller
+ newTag: vmaster-gf39279c0
+configMapGenerator:
+- envs:
+ - params.env
+ name: parameters
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- fieldref:
+ fieldPath: data.USE_ISTIO
+ name: USE_ISTIO
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
+- fieldref:
+ fieldPath: data.ISTIO_GATEWAY
+ name: ISTIO_GATEWAY
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: parameters
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/params.env
new file mode 100644
index 0000000000..b746a4fd4f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/params.env
@@ -0,0 +1,3 @@
+POD_LABELS=gcp-cred-secret=user-gcp-sa,gcp-cred-secret-filename=user-gcp-sa.json
+USE_ISTIO=false
+ISTIO_GATEWAY=kubeflow/kubeflow-gateway
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service-account.yaml
new file mode 100644
index 0000000000..a36cbd800f
--- /dev/null
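Review bot: The `images:` entry in notebook-controller/base/kustomization.yaml selects the controller by `newTag: vmaster-gf39279c0`, which looks like a master-branch build tag, and the base Deployment pulls with `imagePullPolicy: Always`, so whatever the registry serves under that tag at pod start is what runs with the controller's cluster role. Pinning by digest in the same entry, `digest: sha256:<digest-of-reviewed-image>` in place of `newTag`, makes the deployed image immutable; the digest has to be taken from the registry after the image is reviewed. base_v3/kustomization.yaml later in this patch repeats the same tag.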
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service.yaml new file mode 100644 index 0000000000..c7368f9703 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base/service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: service +spec: + ports: + - port: 443 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/deployment_patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/deployment_patch.yaml new file mode 100644 index 0000000000..e1ea7a60db --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/deployment_patch.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: manager + env: + - name: USE_ISTIO + valueFrom: + configMapKeyRef: + name: notebook-controller-config + key: USE_ISTIO + - name: ISTIO_GATEWAY + valueFrom: + configMapKeyRef: + name: notebook-controller-config + key: ISTIO_GATEWAY + \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/kustomization.yaml new file mode 100644 index 0000000000..b522d7b3ac --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/base_v3/kustomization.yaml 
@@ -0,0 +1,28 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +commonLabels: + app: notebook-controller + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/name: notebook-controller + kustomize.component: notebook-controller +configMapGenerator: +- literals: + - USE_ISTIO=true + - ISTIO_GATEWAY=kubeflow/kubeflow-gateway + name: notebook-controller-config +images: +- name: gcr.io/kubeflow-images-public/notebook-controller + newName: gcr.io/kubeflow-images-public/notebook-controller + newTag: vmaster-gf39279c0 +kind: Kustomization +namePrefix: notebook-controller- +namespace: kubeflow +patchesStrategicMerge: +- deployment_patch.yaml +resources: +- ../base/cluster-role-binding.yaml +- ../base/cluster-role.yaml +- ../base/crd.yaml +- ../base/deployment.yaml +- ../base/service-account.yaml +- ../base/service.yaml +- ../overlays/application/application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/application.yaml new file mode 100644 index 0000000000..88021f579a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/application.yaml 
@@ -0,0 +1,39 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: notebook-controller
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: notebook-controller
+ app.kubernetes.io/instance: notebook-controller-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: notebook-controller
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ descriptor:
+ type: notebook-controller
+ version: v1beta1
+ description: Notebooks controller allows users to create a custom resource \"Notebook\" (jupyter notebook).
+ maintainers:
+ - name: Lun-kai Hsu
+ email: lunkai@google.com
+ owners:
+ - name: Lun-kai Hsu
+ email: lunkai@gogle.com
+ keywords:
+ - jupyter
+ - notebook
+ - notebook-controller
+ - jupyterhub
+ links:
+ - description: About
+ url: "https://github.com/kubeflow/kubeflow/tree/master/components/notebook-controller"
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..de548477df
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: notebook-controller
+ app.kubernetes.io/name: notebook-controller
+kind: Kustomization
+resources:
+- application.yaml
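Review bot: The `owners` entry in notebook-controller/overlays/application/application.yaml gives `lunkai@gogle.com`, while `maintainers` three lines above gives `lunkai@google.com` for the same person, so the owner contact very likely has a typo and mail sent to it would go to a different domain than intended. It should read `email: lunkai@google.com`. The `description` value is a plain scalar, so `\"Notebook\"` keeps its backslashes literally; dropping the backslashes or single-quoting the whole value gives the intended text.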
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/deployment.yaml new file mode 100644 index 0000000000..bd18f5d3a8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/deployment.yaml @@ -0,0 +1,14 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: manager + env: + - name: USE_ISTIO + value: $(USE_ISTIO) + - name: ISTIO_GATEWAY + value: $(ISTIO_GATEWAY) diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..7184bcd517 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- deployment.yaml +configMapGenerator: +- name: parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/params.env new file mode 100644 index 0000000000..5fa00071df --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/jupyter/notebook-controller/overlays/istio/params.env @@ -0,0 +1,2 @@ +USE_ISTIO=true +ISTIO_GATEWAY=kubeflow/kubeflow-gateway 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/OWNERS new file mode 100644 index 0000000000..0a18720174 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/OWNERS @@ -0,0 +1,4 @@ +approvers: + - andreyvelich + - gaocegege + - johnugeorge diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-controller/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-controller/kustomization.yaml new file mode 100644 index 0000000000..0974111c31 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-controller/kustomization.yaml 
@@ -0,0 +1,27 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: + - ../../katib-controller/base/katib-configmap.yaml + - ../../katib-controller/base/katib-controller-deployment.yaml + - ../../katib-controller/base/katib-controller-rbac.yaml + - ../../katib-controller/base/katib-controller-secret.yaml + - ../../katib-controller/base/katib-controller-service.yaml + - ../../katib-controller/base/katib-ui-deployment.yaml + - ../../katib-controller/base/katib-ui-rbac.yaml + - ../../katib-controller/base/katib-ui-service.yaml + - ../../katib-controller/base/trial-template-configmap.yaml + - ../../katib-controller/overlays/application/application.yaml + - ../../katib-controller/overlays/istio/katib-ui-virtual-service.yaml +images: + - name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + newTag: v0.8.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + - name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui + newTag: v0.8.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/name: katib-controller +configurations: + - ../../katib-controller/overlays/istio/params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-manager/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-manager/kustomization.yaml new file mode 100644 index 0000000000..d61b13d3d8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-manager/kustomization.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: + - ../../katib-controller/base/katib-db-manager-deployment.yaml + - ../../katib-controller/base/katib-db-manager-service.yaml +images: + - name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-db-manager + newTag: v0.8.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-db-manager diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-mysql/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-mysql/kustomization.yaml new file mode 100644 index 0000000000..213d76f11d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/components/katib-db-mysql/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: + - ../../katib-controller/base/katib-mysql-deployment.yaml + - ../../katib-controller/base/katib-mysql-pvc.yaml + - ../../katib-controller/base/katib-mysql-secret.yaml + - ../../katib-controller/base/katib-mysql-service.yaml +images: + - name: mysql + newTag: "8" + newName: mysql diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/katib-db-manager-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/katib-db-manager-deployment.yaml new file mode 100644 index 0000000000..5fc8bdb1b9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/katib-db-manager-deployment.yaml 
@@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-db-manager +spec: + template: + spec: + containers: + - name: katib-db-manager + env: + - name: DB_NAME + value: mysql + - name: DB_USER + valueFrom: + secretKeyRef: + name: katib-mysql-secrets + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: katib-mysql-secrets + key: DB_PASSWORD + - name: KATIB_MYSQL_DB_DATABASE + valueFrom: + secretKeyRef: + name: katib-mysql-secrets + key: KATIB_MYSQL_DB_DATABASE + - name: KATIB_MYSQL_DB_HOST + valueFrom: + secretKeyRef: + name: katib-mysql-secrets + key: KATIB_MYSQL_DB_HOST + - name: KATIB_MYSQL_DB_PORT + valueFrom: + secretKeyRef: + name: katib-mysql-secrets + key: KATIB_MYSQL_DB_PORT diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/kustomization.yaml new file mode 100644 index 0000000000..5fe655a6fa --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: + - ../../components/katib-controller + - ../../components/katib-db-manager +patchesStrategicMerge: + - katib-db-manager-deployment.yaml +secretGenerator: +- name: katib-mysql-secrets + env: secrets.env +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/name: katib-controller diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/secrets.env b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/secrets.env new file mode 100644 index 0000000000..d9b31a9d22 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-external-db/secrets.env 
@@ -0,0 +1,5 @@
+KATIB_MYSQL_DB_DATABASE=
+KATIB_MYSQL_DB_HOST=
+KATIB_MYSQL_DB_PORT=
+DB_USER=
+DB_PASSWORD=
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone-ibm/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone-ibm/kustomization.yaml
new file mode 100644
index 0000000000..67a48f8e7b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone-ibm/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../katib-standalone
+patchesStrategicMerge:
+- ../../katib-controller/overlays/ibm-storage-config/katib-mysql-deployment.yaml
+images:
+ - name: mysql
+ newTag: "5.6"
+ newName: mysql
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone/kustomization.yaml
new file mode 100644
index 0000000000..2d468c0847
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/installs/katib-standalone/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+ - ../../components/katib-controller
+ - ../../components/katib-db-manager
+ - ../../components/katib-db-mysql
+commonLabels:
+ app.kubernetes.io/component: katib
+ app.kubernetes.io/name: katib-controller
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-configmap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-configmap.yaml
new file mode 100644
index 0000000000..d4b26db0cf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-configmap.yaml
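Review bot: installs/katib-external-db/secrets.env is committed as a tracked template with empty `DB_USER=` and `DB_PASSWORD=`, and the `secretGenerator` in the neighbouring kustomization.yaml reads it directly, so the intended workflow is to fill database credentials into a file under version control. Built as is, it would presumably also generate `katib-mysql-secrets` with empty values rather than fail. I would add a header line such as `# Template only: supply values at deploy time, never commit real credentials` and source the Secret from outside the repository, for example an externally managed Secret or a secret manager. This matters more if this tree is synced from git by ACM, as the commit message indicates.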
@@ -0,0 +1,49 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: katib-config +data: + metrics-collector-sidecar: |- + { + "StdOut": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/file-metrics-collector:v0.8.0" + }, + "File": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/file-metrics-collector:v0.8.0" + }, + "TensorFlowEvent": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/tfevent-metrics-collector:v0.8.0", + "resources": { + "limits": { + "memory": "1Gi" + } + } + } + } + suggestion: |- + { + "random": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-hyperopt:v0.8.0" + }, + "grid": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-chocolate:v0.8.0" + }, + "hyperband": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-hyperband:v0.8.0" + }, + "bayesianoptimization": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-skopt:v0.8.0" + }, + "tpe": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-hyperopt:v0.8.0" + }, + "nasrl": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-nasrl:v0.8.0", + "imagePullPolicy": "Always", + "resources": { + "limits": { + "memory": "200Mi" + } + } + } + } diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-deployment.yaml new file mode 100644 index 0000000000..e7f2b2fde8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-deployment.yaml 
@@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-controller + labels: + app: katib-controller +spec: + replicas: 1 + selector: + matchLabels: + app: katib-controller + template: + metadata: + labels: + app: katib-controller + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + spec: + serviceAccountName: katib-controller + containers: + - name: katib-controller + image: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + imagePullPolicy: IfNotPresent + command: ["./katib-controller"] + args: + - '--webhook-port=8443' + ports: + - containerPort: 8443 + name: webhook + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + env: + - name: KATIB_CORE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /tmp/cert + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: katib-controller diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-rbac.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-rbac.yaml new file mode 100644 index 0000000000..ff5fbe6696 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-rbac.yaml 
@@ -0,0 +1,146 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: katib-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - serviceaccounts
+ - services
+ - secrets
+ - events
+ - namespaces
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - pods/status
+ verbs:
+ - "*"
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - "*"
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - "*"
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+ - get
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ - mutatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - experiments
+ - experiments/status
+ - trials
+ - trials/status
+ - suggestions
+ - suggestions/status
+ verbs:
+ - "*"
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs
+ - pytorchjobs
+ verbs:
+ - "*"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: katib-controller
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: katib-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: katib-controller
+subjects:
+- kind: ServiceAccount
+ name: katib-controller
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-katib-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-katib-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - experiments
+ - trials
+ - suggestions
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-katib-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - experiments
+ - trials
+ - suggestions
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-secret.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-secret.yaml
new file mode 100644
index 0000000000..8341a6a15a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-secret.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: katib-controller
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-service.yaml
new file mode 100644
index 0000000000..732e09b93f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-controller-service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: katib-controller
+ annotations:
+ prometheus.io/port: "8080"
+ prometheus.io/scheme: http
+ prometheus.io/scrape: "true"
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 8443
+ name: webhook
+ - name: metrics
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: katib-controller
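Review bot: The `katib-controller` ClusterRole in katib-controller-rbac.yaml grants `"*"` on `secrets`, `serviceaccounts` and `namespaces`, and `'*'` on `validatingwebhookconfigurations` and `mutatingwebhookconfigurations`, and the ClusterRoleBinding makes that cluster-wide, so a compromised controller pod could read every Secret in the cluster and register admission webhooks. The path suggests these manifests are a copy of upstream, so the narrowing is better done in an overlay in this repository: replace each wildcard with the explicit verbs the controller uses (for example `- get`, `- list`, `- watch`, `- create` on `secrets`; the exact set needs confirming against the controller). The `katib-ui` ClusterRole in katib-ui-rbac.yaml has the same wildcard on `configmaps` and `namespaces` for a web UI's service account and deserves the same treatment.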
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-deployment.yaml new file mode 100644 index 0000000000..f38832deed --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-deployment.yaml @@ -0,0 +1,49 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-db-manager + labels: + app: katib + component: db-manager +spec: + replicas: 1 + selector: + matchLabels: + app: katib + component: db-manager + template: + metadata: + name: katib-db-manager + labels: + app: katib + component: db-manager + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: katib-db-manager + image: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-db-manager + imagePullPolicy: IfNotPresent + env: + - name : DB_NAME + value: "mysql" + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: katib-mysql-secrets + key: MYSQL_ROOT_PASSWORD + command: + - './katib-db-manager' + ports: + - name: api + containerPort: 6789 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:6789"] + initialDelaySeconds: 5 + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:6789"] + initialDelaySeconds: 10 + periodSeconds: 60 + failureThreshold: 5 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-service.yaml new file mode 100644 index 0000000000..589df9c12b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-db-manager-service.yaml 
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: katib-db-manager
+ labels:
+ app: katib
+ component: db-manager
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6789
+ protocol: TCP
+ name: api
+ selector:
+ app: katib
+ component: db-manager
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-deployment.yaml
new file mode 100644
index 0000000000..144f3c5a40
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: katib-mysql
+ labels:
+ app: katib
+ component: mysql
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: katib
+ component: mysql
+ template:
+ metadata:
+ name: katib-mysql
+ labels:
+ app: katib
+ component: mysql
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: katib-mysql
+ image: mysql:8
+ args:
+ - --datadir
+ - /var/lib/mysql/datadir
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: katib-mysql-secrets
+ key: MYSQL_ROOT_PASSWORD
+ - name: MYSQL_ALLOW_EMPTY_PASSWORD
+ value: "true"
+ - name: MYSQL_DATABASE
+ value: "katib"
+ ports:
+ - name: dbapi
+ containerPort: 3306
+ readinessProbe:
+ exec:
+ command:
+ - "/bin/bash"
+ - "-c"
+ - "mysql -D ${MYSQL_DATABASE} -u root -p${MYSQL_ROOT_PASSWORD} -e 'SELECT 1'"
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ livenessProbe:
+ exec:
+ command:
+ - "/bin/bash"
+ - "-c"
+ - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ volumeMounts:
+ - name: katib-mysql
+ mountPath: /var/lib/mysql
+ volumes:
+ - name: katib-mysql
+ persistentVolumeClaim:
+ claimName: katib-mysql
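Review bot: `MYSQL_ALLOW_EMPTY_PASSWORD` is set to `"true"` on the katib-mysql container in katib-mysql-deployment.yaml alongside `MYSQL_ROOT_PASSWORD`, which as far as I can tell lets the database initialise with a blank root password if the secret's value is ever empty; I would remove that env entry. Both probes also expand the password into the command line (`-p${MYSQL_ROOT_PASSWORD}`), where it shows up in the container's process list, so reading it from a client option file passed with `--defaults-extra-file` would keep it out of argv. katib-db-manager-deployment.yaml reuses the same root credential (`DB_PASSWORD` from `MYSQL_ROOT_PASSWORD`), so a dedicated database user with rights only on the `katib` database would limit what a compromised db-manager can do.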
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-pvc.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-pvc.yaml
new file mode 100644
index 0000000000..d8f8a82463
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: katib-mysql
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-secret.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-secret.yaml
new file mode 100644
index 0000000000..74ac8bf96e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: katib-mysql-secrets
+data:
+ MYSQL_ROOT_PASSWORD: dGVzdA== # "test"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-service.yaml
new file mode 100644
index 0000000000..5378f21a3d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-mysql-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: katib-mysql
+ labels:
+ app: katib
+ component: mysql
+spec:
+ type: ClusterIP
+ ports:
+ - port: 3306
+ protocol: TCP
+ name: dbapi
+ selector:
+ app: katib
+ component: mysql
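Review bot: katib-mysql-secret.yaml commits the MySQL root password to the repository as `MYSQL_ROOT_PASSWORD: dGVzdA== # "test"`; base64 is an encoding rather than protection, and the trailing comment gives the plaintext anyway. The commit message says the cluster is deployed through ACM, so presumably this value is applied to the live cluster as written. The password should be generated per cluster and supplied out of band (a secret manager, or an encrypted secret resource) instead. Because the file looks like a copy of upstream, an overlay that drops this resource and supplies its own would survive the next upstream sync better than editing it in place.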
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-deployment.yaml new file mode 100644 index 0000000000..833986e89d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-deployment.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-ui + labels: + app: katib + component: ui +spec: + replicas: 1 + selector: + matchLabels: + app: katib + component: ui + template: + metadata: + name: katib-ui + labels: + app: katib + component: ui + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: katib-ui + image: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui + imagePullPolicy: IfNotPresent + command: + - './katib-ui' + args: + - '--port=8080' + env: + - name: KATIB_CORE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - name: ui + containerPort: 8080 + serviceAccountName: katib-ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-rbac.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-rbac.yaml new file mode 100644 index 0000000000..6ff78445b4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-rbac.yaml 
@@ -0,0 +1,36 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: katib-ui +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + verbs: + - "*" +- apiGroups: + - kubeflow.org + resources: + - experiments + - trials + verbs: + - "*" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: katib-ui +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: katib-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: katib-ui +subjects: +- kind: ServiceAccount + name: katib-ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-service.yaml new file mode 100644 index 0000000000..8266a6faf6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/katib-ui-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: katib-ui + labels: + app: katib + component: ui +spec: + type: ClusterIP + ports: + - port: 80 + protocol: TCP + name: ui + targetPort: 8080 + selector: + app: katib + component: ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/kustomization.yaml new file mode 100644 index 0000000000..f9bc64edb6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/kustomization.yaml 
@@ -0,0 +1,52 @@ +namespace: kubeflow +resources: +- katib-configmap.yaml +- katib-controller-deployment.yaml +- katib-controller-rbac.yaml +- katib-controller-secret.yaml +- katib-controller-service.yaml +- katib-mysql-deployment.yaml +- katib-mysql-pvc.yaml +- katib-mysql-secret.yaml +- katib-mysql-service.yaml +- katib-db-manager-deployment.yaml +- katib-db-manager-service.yaml +- katib-ui-deployment.yaml +- katib-ui-rbac.yaml +- katib-ui-service.yaml +- trial-template-configmap.yaml +configMapGenerator: +- name: katib-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +images: +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + newTag: v0.8.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-db-manager + newTag: v0.8.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-db-manager +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui + newTag: v0.8.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui +- name: mysql + newTag: "8" + newName: mysql +vars: +- name: clusterDomain + objref: + kind: ConfigMap + name: katib-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +- name: katib-ui-namespace + objref: + kind: Service + name: katib-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.env new file mode 100644 index 0000000000..bdd6604e95 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.env @@ -0,0 +1 @@ +clusterDomain=cluster.local 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.yaml new file mode 100644 index 0000000000..eade9a871d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/params.yaml @@ -0,0 +1,7 @@ +varReference: +- path: data/config + kind: ConfigMap +- path: data/config + kind: Deployment +- path: metadata/annotations/getambassador.io\/config + kind: Service diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/trial-template-configmap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/trial-template-configmap.yaml new file mode 100644 index 0000000000..145617a35f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/base/trial-template-configmap.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trial-template +data: + defaultTrialTemplate.yaml : |- + apiVersion: batch/v1 + kind: Job + metadata: + name: {{.Trial}} + namespace: {{.NameSpace}} + spec: + template: + spec: + containers: + - name: {{.Trial}} + image: docker.io/kubeflowkatib/mxnet-mnist + command: + - "python3" + - "/opt/mxnet-mnist/mnist.py" + - "--batch-size=64" + {{- with .HyperParameters}} + {{- range .}} + - "{{.Name}}={{.Value}}" + {{- end}} + {{- end}} + restartPolicy: Never diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/application.yaml new file mode 100644 index 0000000000..8f65d9c916 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/application.yaml 
@@ -0,0 +1,66 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: katib-controller +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: Secret + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: Experiment + - group: kubeflow.org + kind: Suggestion + - group: kubeflow.org + kind: Trial + descriptor: + description: Katib is a service for hyperparameter tuning and neural architecture + search. + keywords: + - katib + - katib-controller + - hyperparameter tuning + links: + - description: About + url: https://github.com/kubeflow/katib + maintainers: + - email: gaoce@caicloud.io + name: Ce Gao + - email: johnugeo@cisco.com + name: Johnu George + - email: liuhougang6@126.com + name: Hougang Liu + - email: ricliu@google.com + name: Richard Liu + - email: yuji.oshima0x3fd@gmail.com + name: YujiOshima + - email: andrey.velichkevich@gmail.com + name: Andrey Velichkevich + owners: + - email: gaoce@caicloud.io + name: Ce Gao + - email: johnugeo@cisco.com + name: Johnu George + - email: liuhougang6@126.com + name: Hougang Liu + - email: ricliu@google.com + name: Richard Liu + - email: yuji.oshima0x3fd@gmail.com + name: YujiOshima + - email: andrey.velichkevich@gmail.com + name: Andrey Velichkevich + type: katib + version: v1alpha3 + selector: + matchLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/instance: katib-controller + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: katib-controller + app.kubernetes.io/part-of: kubeflow diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..a23cd3844b --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/name: katib-controller +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/katib-mysql-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/katib-mysql-deployment.yaml new file mode 100644 index 0000000000..a5400a8bcd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/katib-mysql-deployment.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-mysql +spec: + template: + spec: + containers: + - name: katib-mysql + # Base's livenessProbe created some kernel errors on non-POSIX filesystem + livenessProbe: null diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/kustomization.yaml new file mode 100644 index 0000000000..31d89fdfed --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/ibm-storage-config/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- katib-mysql-deployment.yaml +images: + - name: mysql + newTag: "5.6" + newName: mysql 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/katib-ui-virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/katib-ui-virtual-service.yaml new file mode 100644 index 0000000000..f20286a445 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/katib-ui-virtual-service.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: katib-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /katib/ + rewrite: + uri: /katib/ + route: + - destination: + host: katib-ui.$(katib-ui-namespace).svc.$(clusterDomain) + port: + number: 80 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..0f16884935 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- katib-ui-virtual-service.yaml +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/kustomization.yaml new file mode 100644 index 0000000000..f0f7c8f888 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/kustomization.yaml @@ -0,0 +1,39 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/name: katib-controller +configurations: +- params.yaml +images: +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + newTag: v0.8.0 +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-db-manager + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-db-manager + newTag: v0.8.0 +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui + newTag: v0.8.0 +- name: mysql + newName: mysql + newTag: "8" +kind: Kustomization +namespace: kubeflow +resources: +- ../base/katib-configmap.yaml +- ../base/katib-controller-deployment.yaml +- ../base/katib-controller-rbac.yaml +- ../base/katib-controller-secret.yaml +- ../base/katib-controller-service.yaml +- ../base/katib-mysql-deployment.yaml +- ../base/katib-mysql-pvc.yaml +- ../base/katib-mysql-secret.yaml +- ../base/katib-mysql-service.yaml +- ../base/katib-db-manager-deployment.yaml +- ../base/katib-db-manager-service.yaml +- ../base/katib-ui-deployment.yaml +- ../base/katib-ui-rbac.yaml +- ../base/katib-ui-service.yaml +- ../base/trial-template-configmap.yaml +- ../overlays/application/application.yaml +- ../overlays/istio/katib-ui-virtual-service.yaml 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/params.yaml new file mode 100644 index 0000000000..fbb4348760 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-controller/v3/params.yaml @@ -0,0 +1,3 @@ +varReference: + - path: spec/http/route/destination/host + kind: VirtualService diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/experiment-crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/experiment-crd.yaml new file mode 100644 index 0000000000..a6d5fb1e1e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/experiment-crd.yaml @@ -0,0 +1,25 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: experiments.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: Status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + version: v1alpha3 + scope: Namespaced + subresources: + status: {} + names: + kind: Experiment + singular: experiment + plural: experiments + categories: + - all + - kubeflow + - katib diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/kustomization.yaml new file mode 100644 index 0000000000..a25fb65ea8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: kubeflow +resources: +- experiment-crd.yaml +- suggestion-crd.yaml +- trial-crd.yaml +generatorOptions: + disableNameSuffixHash: true 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/suggestion-crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/suggestion-crd.yaml new file mode 100644 index 0000000000..0c725ab3b5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/suggestion-crd.yaml @@ -0,0 +1,34 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: suggestions.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: Type + type: string + - JSONPath: .status.conditions[-1:].status + name: Status + type: string + - JSONPath: .spec.requests + name: Requested + type: string + - JSONPath: .status.suggestionCount + name: Assigned + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + version: v1alpha3 + scope: Namespaced + subresources: + status: {} + names: + kind: Suggestion + singular: suggestion + plural: suggestions + categories: + - all + - kubeflow + - katib diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/trial-crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/trial-crd.yaml new file mode 100644 index 0000000000..f7cea34064 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/base/trial-crd.yaml 
@@ -0,0 +1,28 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trials.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: Type + type: string + - JSONPath: .status.conditions[-1:].status + name: Status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + version: v1alpha3 + scope: Namespaced + subresources: + status: {} + names: + kind: Trial + singular: trial + plural: trials + categories: + - all + - kubeflow + - katib diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/application.yaml new file mode 100644 index 0000000000..43f63facc5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/application.yaml 
@@ -0,0 +1,64 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: katib-crds +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: Experiment + - group: kubeflow.org + kind: Suggestion + - group: kubeflow.org + kind: Trial + descriptor: + description: Katib is a service for hyperparameter tuning and neural architecture + search. + keywords: + - katib + - katib-controller + - hyperparameter tuning + links: + - description: About + url: https://github.com/kubeflow/katib + maintainers: + - email: gaoce@caicloud.io + name: Ce Gao + - email: johnugeo@cisco.com + name: Johnu George + - email: liuhougang6@126.com + name: Hougang Liu + - email: ricliu@google.com + name: Richard Liu + - email: yuji.oshima0x3fd@gmail.com + name: YujiOshima + - email: andrey.velichkevich@gmail.com + name: Andrey Velichkevich + owners: + - email: gaoce@caicloud.io + name: Ce Gao + - email: johnugeo@cisco.com + name: Johnu George + - email: liuhougang6@126.com + name: Hougang Liu + - email: ricliu@google.com + name: Richard Liu + - email: yuji.oshima0x3fd@gmail.com + name: YujiOshima + - email: andrey.velichkevich@gmail.com + name: Andrey Velichkevich + type: katib + version: v1alpha3 + selector: + matchLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/instance: katib-crds + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: katib-crds + app.kubernetes.io/part-of: kubeflow diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..e6734f99ac --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/overlays/application/kustomization.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/name: katib-crds +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/v3/kustomization.yaml new file mode 100644 index 0000000000..1a50e0def4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/katib/katib-crds/v3/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/name: katib-crds +kind: Kustomization +namespace: kubeflow +resources: +- ../base/experiment-crd.yaml +- ../base/suggestion-crd.yaml +- ../base/trial-crd.yaml +- ../overlays/application/application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/OWNERS new file mode 100644 index 0000000000..42444d8bc9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/OWNERS @@ -0,0 +1,11 @@ +approvers: + - abhi-g + - gabrielwen + - Jeffwan + - jlewi + - kkasravi + - krishnadurai + - kunmingg + - lluunn + - richardsliu + - yanniszark diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/README.md new file mode 100644 index 0000000000..190f80cdb9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/README.md @@ -0,0 +1,3 @@ +This directory contains YAML files defining resources. + +These YAMl files can be used in conjuction with kfctl to deploy Kubeflow. 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/OWNERS new file mode 100644 index 0000000000..d22ebe518f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/OWNERS @@ -0,0 +1,2 @@ +approvers: + - yanniszark diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/README.md new file mode 100644 index 0000000000..c0b129f464 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/README.md @@ -0,0 +1,2 @@ +This directory contains some additional configuration files that are used by some KFDef resources +when deploying with kfctl. \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/authservice.tmpl b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/authservice.tmpl new file mode 100644 index 0000000000..7553813252 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/authservice.tmpl 
@@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authservice
+ namespace: istio-system
+spec:
+ type: ClusterIP
+ selector:
+ app: authservice
+ ports:
+ - port: 8080
+ name: http-authservice
+ targetPort: http-api
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authservice
+ namespace: istio-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authservice
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: authservice
+ spec:
+ volumes:
+ - name: custom-ca
+ secret:
+ secretName: istio-ingressgateway-certs
+ items:
+ - key: tls.crt
+ path: tls.crt
+ containers:
+ - name: authservice
+ image: gcr.io/arrikto/kubeflow/oidc-authservice:v0.3
+ imagePullPolicy: Always
+ ports:
+ - name: http-api
+ containerPort: 8080
+ volumeMounts:
+ - name: custom-ca
+ mountPath: /etc/custom-ca
+ readOnly: true
+ env:
+ - name: USERID_HEADER
+ value: "kubeflow-userid"
+ - name: USERID_PREFIX
+ value: ""
+ - name: OIDC_PROVIDER_CA_FILE
+ value: "/etc/custom-ca/tls.crt"
+ - name: DISABLE_USERINFO
+ value: "true"
+ - name: PORT
+ value: "8080"
+ - name: OIDC_SCOPES
+ value: "profile email groups"
+ - name: OIDC_PROVIDER
+ value: {{.OIDCEndpoint}}
+ - name: SELF_URL
+ value: {{.KubeflowEndpoint}}
+ - name: CLIENT_ID
+ value: kubeflow-authservice-oidc
+ - name: CLIENT_SECRET
+ value: {{.AuthServiceClientSecret}}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/dex.tmpl b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/dex.tmpl
new file mode 100644
index 0000000000..edc288a637
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/dex.tmpl
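Review bot: The `CLIENT_SECRET` entry at the end of the authservice container's `env` list renders `{{.AuthServiceClientSecret}}` directly into the Deployment spec, so the OIDC client secret is readable by anyone who can get Deployments or pods in `istio-system`, and it ends up in any store that keeps the rendered manifest. It should be delivered through a Secret and referenced with `valueFrom.secretKeyRef`, as sketched below (the Secret name and key are placeholders). The templated values (`OIDC_PROVIDER`, `SELF_URL`, `CLIENT_SECRET`) are also unquoted, so an empty value or one that starts with a YAML indicator changes type or breaks parsing; double-quoting them avoids that. Separately, the image is referenced by the tag `v0.3` with `imagePullPolicy: Always`, so the running code can change without a manifest change; pinning a digest would make the deployment reproducible.

```yaml
# … unchanged: Service, Deployment metadata, volumes, other env entries …
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: authservice-client     # placeholder Secret name
              key: CLIENT_SECRET           # placeholder key
---
apiVersion: v1
kind: Secret
metadata:
  name: authservice-client                 # placeholder Secret name
  namespace: istio-system
type: Opaque
stringData:
  CLIENT_SECRET: "{{.AuthServiceClientSecret}}"
```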
@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dex
+ namespace: kubeflow
+spec:
+ selector:
+ app: dex
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 5556
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: dex
+ name: dex
+ namespace: kubeflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: dex
+ template:
+ metadata:
+ labels:
+ app: dex
+ spec:
+ serviceAccountName: dex
+ containers:
+ - image: quay.io/coreos/dex:v2.10.0
+ name: dex
+ command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
+
+ ports:
+ - name: http
+ containerPort: 5556
+
+ volumeMounts:
+ - name: config
+ mountPath: /etc/dex/cfg
+ volumes:
+ - name: config
+ configMap:
+ name: dex
+ items:
+ - key: config.yaml
+ path: config.yaml
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: dex
+ namespace: kubeflow
+data:
+ config.yaml: |
+ issuer: {{.OIDCEndpoint}}
+ storage:
+ type: kubernetes
+ config:
+ inCluster: true
+ web:
+ http: 0.0.0.0:5556
+ oauth2:
+ skipApprovalScreen: true
+ enablePasswordDB: true
+ {{if .KubeflowUser}}
+ staticPasswords:
+ - email: {{.KubeflowUser.UserEmail}}
+ # BCrypt Hash
+ hash: "{{.KubeflowUser.PasswordHash}}"
+ username: {{.KubeflowUser.Username}}
+ userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+ {{end}}
+ staticClients:
+ - id: kubeflow-authservice-oidc
+ redirectURIs:
+ # After authenticating and giving consent, dex will redirect to
+ # this url for the specific client.
+ - {{.KubeflowEndpoint}}/login/oidc
+ name: 'Kubeflow AuthService OIDC'
+ secret: {{.AuthServiceClientSecret}}
+ # Options for controlling the logger.
+ logger:
+ level: "debug"
+ format: "text"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: dex
+ name: dex
+ namespace: kubeflow
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: dex
+rules:
+- apiGroups: ["dex.coreos.com"] # API group created by dex
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: dex
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: dex
+subjects:
+- kind: ServiceAccount
+ name: dex # Service account assigned to the dex pod, created above
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/envoy-filter.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/envoy-filter.yaml
new file mode 100644
index 0000000000..bc5dcb83f7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/envoy-filter.yaml
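Review bot: The rendered `config.yaml` in the `dex` ConfigMap carries the static client's `secret: {{.AuthServiceClientSecret}}` and the static user's bcrypt `hash`, and a ConfigMap is the wrong container for credentials: it is usually readable under broader RBAC than Secrets and is printed in clear by most tooling. The same file can be rendered into a Secret instead, with `kind: Secret` and `stringData:` in place of `kind: ConfigMap` and `data:`, and in the Deployment's `config` volume `secret:` / `secretName: dex` in place of `configMap:` / `name: dex`. The `logger` block also leaves `level: "debug"` on; what Dex v2.10.0 writes at that level during logins should be checked, and `level: "info"` is the safer default for a shared cluster. The `staticPasswords` entry additionally hard-codes `userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"`, so every installation rendered from this template shares the same subject identifier for its static user.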
@@ -0,0 +1,34 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: authn-filter
+ namespace: kubeflow
+spec:
+ workloadLabels:
+ #include namespace in the label to avoid clashes across namespaces
+ istio: ingressgateway
+ filters:
+ - filterConfig:
+ httpService:
+ serverUri:
+ uri: http://authservice.istio-system.svc.cluster.local
+ cluster: outbound|8080||authservice.istio-system.svc.cluster.local
+ failureModeAllow: false
+ timeout: 10s
+ authorizationRequest:
+ allowedHeaders:
+ patterns:
+ - exact: "cookie"
+ authorizationResponse:
+ allowedUpstreamHeaders:
+ patterns:
+ - exact: "kubeflow-userid"
+ statusOnError:
+ code: GatewayTimeout
+ filterName: envoy.ext_authz
+ filterType: HTTP
+ insertPosition:
+ index: FIRST
+ listenerMatch:
+ portNumber: 443
+ listenerType: GATEWAY
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/gateway.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/gateway.yaml
new file mode 100644
index 0000000000..c480ae3824
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/auth_oidc/gateway.yaml
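Review bot: The comment under `workloadLabels` (`#include namespace in the label to avoid clashes across namespaces`) does not describe the selector that follows it, which is the bare `istio: ingressgateway` label with no namespace component; either the label or the comment should be corrected so the filter's scope is not misread. The `listenerMatch` block deserves a comment stating that ext_authz is enforced on gateway listener 443 only, for example `# authn is enforced on 443 only; any other Gateway port bypasses authservice`, because the Gateway added in the same commit also opens 5556. Backends presumably trust the `kubeflow-userid` header that `allowedUpstreamHeaders` lets through, so a second comment noting that the header is authoritative only for traffic that entered through this listener would make that assumption explicit. `failureModeAllow: false` is the right choice here and is worth a short why-comment so that it is not relaxed later.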
@@ -0,0 +1,50 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: kubeflow-gateway
+ namespace: kubeflow
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 5556
+ name: https-dex
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+ privateKey: /etc/istio/ingressgateway-certs/tls.key
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+ privateKey: /etc/istio/ingressgateway-certs/tls.key
+
+---
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: auth-virtual-services
+ namespace: kubeflow
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - kubeflow-gateway
+ http:
+ - match:
+ - port: 5556
+ route:
+ - destination:
+ port:
+ number: 5556
+ host: dex.kubeflow.svc.cluster.local
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/crds.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/crds.yaml
new file mode 100644
index 0000000000..373f062313
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/crds.yaml
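Review bot: Both servers in `kubeflow-gateway` accept `hosts: "*"` and their `tls` blocks set only `mode: SIMPLE`, so the minimum TLS version is left to the proxy default and the 5556 listener answers for any hostname that reaches the ingress. Adding `minProtocolVersion: TLSV1_2` under each `tls:` pins the floor, and where the deployment's hostname is known, narrowing `hosts` on the Gateway and on `auth-virtual-services` limits what the Dex listener serves. The 5556 route goes straight to `dex.kubeflow.svc.cluster.local` and is not covered by the ext_authz filter's `portNumber: 443` match from the same commit; that is expected for the login endpoints, but it means every Dex path on that port is reachable without authentication, and a comment on the `https-dex` server saying so would help the next reader.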
@@ -0,0 +1,1534 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + shortNames: + - vs + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + shortNames: + - dr + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + shortNames: + - se + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + shortNames: + - gw + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: clusterrbacconfigs.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: policies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: 
CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
quotaspecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + labels: + app: mixer + package: bypass + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: circonuses.config.istio.io + labels: + app: mixer + package: circonus + istio: mixer-adapter + chart: istio + heritage: 
Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: circonus + plural: circonuses + singular: circonus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: deniers.config.istio.io + labels: + app: mixer + package: denier + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: denier + plural: deniers + singular: denier + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: fluentds.config.istio.io + labels: + app: mixer + package: fluentd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: fluentd + plural: fluentds + singular: fluentd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kubernetesenvs.config.istio.io + labels: + app: mixer + package: kubernetesenv + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetesenv + plural: kubernetesenvs + singular: kubernetesenv + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listcheckers.config.istio.io + labels: + app: mixer + package: listchecker + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep 
+spec: + group: config.istio.io + names: + kind: listchecker + plural: listcheckers + singular: listchecker + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: memquotas.config.istio.io + labels: + app: mixer + package: memquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: memquota + plural: memquotas + singular: memquota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: noops.config.istio.io + labels: + app: mixer + package: noop + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: noop + plural: noops + singular: noop + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: opas.config.istio.io + labels: + app: mixer + package: opa + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: opa + plural: opas + singular: opa + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: prometheuses.config.istio.io + labels: + app: mixer + package: prometheus + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: prometheus + plural: prometheuses + singular: prometheus + categories: + - 
istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacs.config.istio.io + labels: + app: mixer + package: rbac + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rbac + plural: rbacs + singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + labels: + app: mixer + package: redisquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + labels: + app: mixer + package: signalfx + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: solarwindses.config.istio.io + labels: + app: mixer + package: solarwinds + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: solarwinds + plural: solarwindses + singular: solarwinds + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: 
apiextensions.k8s.io/v1beta1 +metadata: + name: stackdrivers.config.istio.io + labels: + app: mixer + package: stackdriver + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stackdriver + plural: stackdrivers + singular: stackdriver + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: statsds.config.istio.io + labels: + app: mixer + package: statsd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: statsd + plural: statsds + singular: statsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stdios.config.istio.io + labels: + app: mixer + package: stdio + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stdio + plural: stdios + singular: stdio + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apikeys.config.istio.io + labels: + app: mixer + package: apikey + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: apikey + plural: apikeys + singular: apikey + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizations.config.istio.io + labels: + app: mixer + package: 
authorization + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: authorization + plural: authorizations + singular: authorization + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: checknothings.config.istio.io + labels: + app: mixer + package: checknothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: checknothing + plural: checknothings + singular: checknothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kuberneteses.config.istio.io + labels: + app: mixer + package: adapter.template.kubernetes + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetes + plural: kuberneteses + singular: kubernetes + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listentries.config.istio.io + labels: + app: mixer + package: listentry + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: listentry + plural: listentries + singular: listentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: logentries.config.istio.io + labels: + app: mixer + package: logentry + 
istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: logentry + plural: logentries + singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + additionalPrinterColumns: + - JSONPath: .spec.severity + description: The importance of the log entry + name: Severity + type: string + - JSONPath: .spec.timestamp + description: The time value for the log entry + name: Timestamp + type: string + - JSONPath: .spec.monitored_resource_type + description: Optional expression to compute the type of the monitored resource this log entry is being recorded on + name: Res Type + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + labels: + app: mixer + package: edge + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: metrics.config.istio.io + labels: + app: mixer + package: metric + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: metric + plural: metrics + singular: metric + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotas.config.istio.io + labels: + app: mixer + package: quota + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: quota + plural: quotas + singular: quota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: reportnothings.config.istio.io + labels: + app: mixer + package: reportnothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: reportnothing + plural: reportnothings + singular: reportnothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 
+--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: tracespans.config.istio.io + labels: + app: mixer + package: tracespan + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: tracespan + plural: tracespans + singular: tracespan + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 + additionalPrinterColumns: + - JSONPath: 
.spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: 
Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: cloudwatches.config.istio.io + labels: + app: mixer + package: cloudwatch + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: cloudwatch + plural: cloudwatches + singular: cloudwatch + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: dogstatsds.config.istio.io + labels: + app: mixer + package: dogstatsd + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: dogstatsd + plural: dogstatsds + singular: dogstatsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: zipkins.config.istio.io + labels: + app: mixer + package: zipkin + istio: 
mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: zipkin + plural: zipkins + singular: zipkin + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. 
Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Order + plural: orders + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: challenges.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Challenge + plural: challenges + scope: Namespaced \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/istio-noauth.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/istio-noauth.yaml new file mode 100644 index 0000000000..d91fb16f88 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/generic/istio/istio-noauth.yaml 
@@ -0,0 +1,18988 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-injection: disabled +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + shortNames: + - vs + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + shortNames: + - dr + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + shortNames: + - se + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + shortNames: + - gw + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: clusterrbacconfigs.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: policies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: 
CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
quotaspecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + labels: + app: mixer + package: bypass + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: circonuses.config.istio.io + labels: + app: mixer + package: circonus + istio: mixer-adapter + chart: istio + heritage: 
Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: circonus + plural: circonuses + singular: circonus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: deniers.config.istio.io + labels: + app: mixer + package: denier + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: denier + plural: deniers + singular: denier + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: fluentds.config.istio.io + labels: + app: mixer + package: fluentd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: fluentd + plural: fluentds + singular: fluentd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kubernetesenvs.config.istio.io + labels: + app: mixer + package: kubernetesenv + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetesenv + plural: kubernetesenvs + singular: kubernetesenv + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listcheckers.config.istio.io + labels: + app: mixer + package: listchecker + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep 
+spec: + group: config.istio.io + names: + kind: listchecker + plural: listcheckers + singular: listchecker + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: memquotas.config.istio.io + labels: + app: mixer + package: memquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: memquota + plural: memquotas + singular: memquota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: noops.config.istio.io + labels: + app: mixer + package: noop + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: noop + plural: noops + singular: noop + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: opas.config.istio.io + labels: + app: mixer + package: opa + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: opa + plural: opas + singular: opa + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: prometheuses.config.istio.io + labels: + app: mixer + package: prometheus + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: prometheus + plural: prometheuses + singular: prometheus + categories: + - 
istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacs.config.istio.io + labels: + app: mixer + package: rbac + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rbac + plural: rbacs + singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + labels: + app: mixer + package: redisquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + labels: + app: mixer + package: signalfx + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: solarwindses.config.istio.io + labels: + app: mixer + package: solarwinds + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: solarwinds + plural: solarwindses + singular: solarwinds + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: 
apiextensions.k8s.io/v1beta1 +metadata: + name: stackdrivers.config.istio.io + labels: + app: mixer + package: stackdriver + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stackdriver + plural: stackdrivers + singular: stackdriver + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: statsds.config.istio.io + labels: + app: mixer + package: statsd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: statsd + plural: statsds + singular: statsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stdios.config.istio.io + labels: + app: mixer + package: stdio + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stdio + plural: stdios + singular: stdio + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apikeys.config.istio.io + labels: + app: mixer + package: apikey + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: apikey + plural: apikeys + singular: apikey + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizations.config.istio.io + labels: + app: mixer + package: 
authorization + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: authorization + plural: authorizations + singular: authorization + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: checknothings.config.istio.io + labels: + app: mixer + package: checknothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: checknothing + plural: checknothings + singular: checknothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kuberneteses.config.istio.io + labels: + app: mixer + package: adapter.template.kubernetes + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetes + plural: kuberneteses + singular: kubernetes + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listentries.config.istio.io + labels: + app: mixer + package: listentry + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: listentry + plural: listentries + singular: listentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: logentries.config.istio.io + labels: + app: mixer + package: logentry + 
istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: logentry + plural: logentries + singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + additionalPrinterColumns: + - JSONPath: .spec.severity + description: The importance of the log entry + name: Severity + type: string + - JSONPath: .spec.timestamp + description: The time value for the log entry + name: Timestamp + type: string + - JSONPath: .spec.monitored_resource_type + description: Optional expression to compute the type of the monitored resource this log entry is being recorded on + name: Res Type + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + labels: + app: mixer + package: edge + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: metrics.config.istio.io + labels: + app: mixer + package: metric + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: metric + plural: metrics + singular: metric + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotas.config.istio.io + labels: + app: mixer + package: quota + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: quota + plural: quotas + singular: quota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: reportnothings.config.istio.io + labels: + app: mixer + package: reportnothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: reportnothing + plural: reportnothings + singular: reportnothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 
+--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: tracespans.config.istio.io + labels: + app: mixer + package: tracespan + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: tracespan + plural: tracespans + singular: tracespan + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 + additionalPrinterColumns: + - JSONPath: 
.spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: 
Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: cloudwatches.config.istio.io + labels: + app: mixer + package: cloudwatch + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: cloudwatch + plural: cloudwatches + singular: cloudwatch + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: dogstatsds.config.istio.io + labels: + app: mixer + package: dogstatsd + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: dogstatsd + plural: dogstatsds + singular: dogstatsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: zipkins.config.istio.io + labels: + app: mixer + package: zipkin + istio: 
mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: zipkin + plural: zipkins + singular: zipkin + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. 
Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Order + plural: orders + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: challenges.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Challenge + plural: challenges + scope: Namespaced +--- +# Source: istio/charts/kiali/templates/demosecret.yaml + +apiVersion: v1 +kind: Secret +metadata: + name: kiali + namespace: istio-system + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +type: Opaque +data: + username: YWRtaW4= # admin + passphrase: YWRtaW4= # admin + +--- +# Source: istio/charts/galley/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + 
namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + failurePolicy: Fail +--- +# Source: istio/charts/grafana/templates/configmap-custom-resources.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-custom-resources + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + custom-resources.yaml: |- + apiVersion: authentication.istio.io/v1alpha1 + kind: Policy + metadata: + name: grafana-ports-mtls-disabled + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + spec: + targets: + - name: grafana + ports: + - number: 3000 + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" 
-ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/charts/grafana/templates/configmap-dashboards.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-galley-dashboard + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + galley-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 46, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"galley\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Galley Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 40, + "panels": [], + "title": "Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 36, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "A" + }, + { + "expr": "process_resident_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "B" + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "C" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + 
"refId": "F" + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "G" + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "H" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Total (kis)", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 38, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A" + }, + { + 
"expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "galley (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 12, + "y": 6 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Open FDs (galley)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} ", + 
"refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 6 + }, + "id": 44, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "goroutines_total", + "refId": "A" + }, + { + "expr": "galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "clients_total", + "refId": "B" + }, + { + "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "avg_goroutines_per_client", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, 
+ "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 10, + "panels": [], + "title": "Runtime", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 15 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Strategy Change Events", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Processed Events", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Snapshot Published", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Event Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + 
"format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 15 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Max Time Reached", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Quiesce Reached", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Timer Resets", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Timer Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 15 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 3, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P95", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Events Per Snapshot", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + 
"max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ typeURL }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "State Type Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Count", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 34, + "panels": [], + "title": "Validation", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 28 + }, + "id": 28, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": 
false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 28 + }, + "id": 30, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + 
"intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 28 + }, + "id": 32, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 34 + }, + "id": 12, + "panels": [], + "title": "Kubernetes Source", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Success", + "refId": "A" + }, + { + "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Source Event Rate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": 
null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 16, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Successes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Conversions/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 24, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + 
"nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Failures/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 41 + }, + "id": 18, + "panels": [], + "title": "Mesh Configuration Protocol", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_mcp_source_clients_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Clients", + "refId": "A" + } + ], + "thresholds": [], + 
"timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Connected Clients", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 22, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request ACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "ACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + 
"aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 42 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request NACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "NACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "TSEY6jLmk", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-mesh-dashboard + namespace: istio-system + 
labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-mesh-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "content": "
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false 
+ }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + 
"text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 45 + }, + "id": 111, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + 
"show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-performance-dashboard + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-performance-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + 
"max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { 
+ "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / 
count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + 
"refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": 
false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. 
\n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.", + "gridPos": { + "h": 4, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 11, + "links": [], + "mode": "markdown", + "title": "Istio Performance Dashboard Readme", + "type": "text" + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-service-dashboard + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-service-dashboard.json: '{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "iteration": 1536442501501, + "links": [], + "panels": [ + { + "content": "
\nSERVICE: $service\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": 
"connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Received Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": 
"time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + 
"dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + 
"yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Sent Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nCLIENT WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 
1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + 
"rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "
\nSERVICE WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + 
"stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": 
"time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", 
destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", 
destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + 
"aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": 
"0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + 
] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-workload-dashboard + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-workload-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
\nWORKLOAD: $workload.$namespace\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 
80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 0, + 
"y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": 
"", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nINBOUND WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And 
Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
\nOUTBOUND SERVICES\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": 
true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", 
source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + "legend": { + "alignAsTable": false, + "avg": 
false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", 
destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, 
+ "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-mixer-dashboard + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + mixer-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", 
+ "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1543881232533, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 62, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 64, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Mixer Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + 
"format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, 
+ "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": 
{ + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Mixer Overview

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 21 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_server_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 21 + }, + "id": 8, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 21 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, 
+ "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 21 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ 
grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Adapters and Config

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 37 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 37 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 37 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + 
"values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 37 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Individual Adapters

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 44 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 47 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 48 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + 
"w": 12, + "x": 12, + "y": 48 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Mixer Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-pilot-dashboard + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + pilot-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 
211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 58, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Pilot Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + 
"legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total 
(k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

xDS

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 21 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 21 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 
0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + "expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": 
"rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", 
\".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + 
{ + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 53, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + 
"nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": 
"{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Pilot Dashboard", + "version": 4 +} +' +--- + +--- +# Source: istio/charts/grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + +--- +# Source: istio/charts/kiali/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali + namespace: istio-system + labels: + app: kiali + chart: kiali + heritage: Tiller + release: 
istio +data: + config.yaml: | + istio_namespace: istio-system + server: + port: 20001 + external_services: + istio: + url_service_version: http://istio-pilot:8080/version + jaeger: + url: + grafana: + url: + +--- +# Source: istio/charts/prometheus/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus + namespace: istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +data: + prometheus.yml: |- + global: + scrape_interval: 15s + scrape_configs: + + - job_name: 'istio-mesh' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;prometheus + + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. 
+ - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop + + - job_name: 'istio-policy' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-policy;http-monitoring + + - job_name: 'istio-telemetry' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;http-monitoring + + - job_name: 'pilot' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-galley;http-monitoring + + - job_name: 'citadel' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - 
istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-citadel;http-monitoring + + # scrape config for API servers + - job_name: 'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - default + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kubernetes;https + + # scrape config for nodes (kubelet) + - job_name: 'kubernetes-nodes' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Scrape config for Kubelet cAdvisor. + # + # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics + # (those whose names begin with 'container_') have been removed from the + # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to + # retrieve those metrics. + # + # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor + # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" + # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with + # the --cadvisor-port=0 Kubelet flag). + # + # This job is not necessary and should be removed in Kubernetes 1.6 and + # earlier versions, or it will cause the metrics to be scraped twice. 
+ - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor + + # scrape config for service endpoints. + - job_name: 'kubernetes-service-endpoints' + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. 
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http" + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: keep + regex: ((;.*)|(.*;http)) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: drop + regex: (http) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name +--- +# Source: istio/charts/security/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + namespace: istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +data: + custom-resources.yaml: |- + # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. + apiVersion: "authentication.istio.io/v1alpha1" + kind: "MeshPolicy" + metadata: + name: "default" + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + peers: + - mtls: + mode: PERMISSIVE + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" 
-eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/templates/configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + app: istio + chart: istio + heritage: Tiller + release: istio +data: + mesh: |- + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + disablePolicyChecks: false + + # Set enableTracing to false to disable request tracing. + enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "/dev/stdout" + + # If accessLogEncoding is TEXT, value will be used directly as the log format + # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" + # If AccessLogEncoding is JSON, value will be parsed as map[string]string + # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' + # Leave empty to use default log format + accessLogFormat: "" + + # Set accessLogEncoding to JSON or TEXT to configure sidecar access log + accessLogEncoding: 'TEXT' + mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. 
+ policyCheckFailOpen: false + # Let Pilot give ingresses the public IP of the Istio ingressgateway + ingressService: istio-ingressgateway + + # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS + connectTimeout: 10s + + # DNS refresh rate for Envoy clusters of type STRICT_DNS + dnsRefreshRate: 5s + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: + + # This flag is used by secret discovery service(SDS). + # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which + # will be used to generate key/cert eventually. This isn't supported for non-k8s case. + enableSdsTokenMount: false + + # This flag is used by secret discovery service(SDS). + # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + # and pass to sds server, which will be used to request key/cert eventually. + # this flag is ignored if enableSdsTokenMount is set. + # This isn't supported for non-k8s case. + sdsUseK8sSaJwt: false + + # The trust domain corresponds to the trust root of a system. 
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + outboundTrafficPolicy: + mode: ALLOW_ANY + + localityLbSetting: + {} + + + # The namespace to treat as the administrative root namespace for istio + # configuration. + rootNamespace: istio-system + configSources: + - address: istio-galley.istio-system.svc:9901 + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters + # defined in Envoy's configuration file + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. + # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. 
+ # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: NONE + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15010 + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. 
+ meshNetworks: |- + networks: {} + +--- +# Source: istio/templates/sidecar-injector-configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: istio + chart: istio + heritage: Tiller + release: istio + istio: sidecar-injector +data: + config: |- + policy: enabled + template: |- + rewriteAppHTTPProbe: false + initContainers: + [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]] + - name: istio-init + image: "docker.io/istio/proxy_init:1.1.6" + args: + - "-p" + - [[ .MeshConfig.ProxyListenPort ]] + - "-u" + - 1337 + - "-m" + - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]] + - "-i" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]" + - "-x" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]" + - "-b" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]" + - "-d" + - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]" + [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]] + - "-k" + - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]" + [[ end -]] + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: 100m + memory: 50Mi + securityContext: + runAsUser: 0 + runAsNonRoot: false + capabilities: + add: + - NET_ADMIN + restartPolicy: Always + [[ end -]] + containers: + - name: istio-proxy + image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "docker.io/istio/proxyv2:1.1.6" ]] + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - 
$(POD_NAMESPACE).svc.cluster.local + - --configPath + - [[ .ProxyConfig.ConfigPath ]] + - --binaryPath + - [[ .ProxyConfig.BinaryPath ]] + - --serviceCluster + [[ if ne "" (index .ObjectMeta.Labels "app") -]] + - [[ index .ObjectMeta.Labels "app" ]].$(POD_NAMESPACE) + [[ else -]] + - [[ valueOrDefault .DeploymentMeta.Name "istio-proxy" ]].[[ valueOrDefault .DeploymentMeta.Namespace "default" ]] + [[ end -]] + - --drainDuration + - [[ formatDuration .ProxyConfig.DrainDuration ]] + - --parentShutdownDuration + - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]] + - --discoveryAddress + - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]] + - --zipkinAddress + - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]] + - --connectTimeout + - [[ formatDuration .ProxyConfig.ConnectTimeout ]] + - --proxyAdminPort + - [[ .ProxyConfig.ProxyAdminPort ]] + [[ if gt .ProxyConfig.Concurrency 0 -]] + - --concurrency + - [[ .ProxyConfig.Concurrency ]] + [[ end -]] + - --controlPlaneAuthPolicy + - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]] + [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]] + - --statusPort + - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]] + - --applicationPorts + - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]" + [[- end ]] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: [[ or (index .ObjectMeta.Annotations 
"sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] + [[ if .ObjectMeta.Annotations ]] + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + [[ toJSON .ObjectMeta.Annotations ]] + [[ end ]] + [[ if .ObjectMeta.Labels ]] + - name: ISTIO_METAJSON_LABELS + value: | + [[ toJSON .ObjectMeta.Labels ]] + [[ end ]] + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + [[- end ]] + imagePullPolicy: IfNotPresent + [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]] + readinessProbe: + httpGet: + path: /healthz/ready + port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]] + initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]] + periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]] + failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]] + [[ end -]]securityContext: + readOnlyRootFilesystem: true + [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]] + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + [[ else -]] + + runAsUser: 1337 + [[- end ]] + resources: + [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]] + requests: + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]] + cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]" + [[ end ]] + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]] + memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]" + [[ end ]] + [[ else -]] + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + [[ end -]] + volumeMounts: + [[- if (isset .ObjectMeta.Annotations 
`sidecar.istio.io/bootstrapOverride`) ]] + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + [[- end ]] + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]] + [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]] + - name: "[[ $index ]]" + [[ toYaml $value | indent 4 ]] + [[ end ]] + [[- end ]] + volumes: + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - name: custom-bootstrap-volume + configMap: + name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]] + [[- end ]] + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + [[ if eq .Spec.ServiceAccountName "" -]] + secretName: istio.default + [[ else -]] + secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] + [[ end -]] + [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]] + [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]] + - name: "[[ $index ]]" + [[ toYaml $value | indent 2 ]] + [[ end ]] + [[ end ]] + +--- +# Source: istio/charts/galley/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + +--- +# Source: istio/charts/gateways/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-egressgateway-service-account + namespace: istio-system + labels: + app: istio-egressgateway + chart: gateways + heritage: Tiller + release: istio +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-ingressgateway-service-account + namespace: istio-system + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + 
release: istio +--- + + +--- +# Source: istio/charts/grafana/templates/create-custom-resources-job.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-grafana-post-install-account + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-grafana-post-install-istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-grafana-post-install-role-binding-istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-grafana-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-grafana-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-grafana-post-install-1.1.6 + namespace: istio-system + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-grafana-post-install + labels: + app: istio-grafana + chart: grafana + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-grafana-post-install-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/grafana" + name: tmp-configmap-grafana + volumes: + - name: tmp-configmap-grafana + configMap: + name: istio-grafana-custom-resources + restartPolicy: OnFailure + affinity: + nodeAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/kiali/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kiali-service-account + namespace: istio-system + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio + +--- +# Source: istio/charts/mixer/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-mixer-service-account + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + +--- +# Source: istio/charts/pilot/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-pilot-service-account + namespace: istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + +--- +# Source: istio/charts/prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + namespace: istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio + +--- +# Source: istio/charts/security/templates/cleanup-secrets.yaml +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. 
pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-cleanup-secrets-service-account + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-istio-system +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets-1.1.6 + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: security + chart: security + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: security + chart: security + heritage: Tiller + release: istio 
+ spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + imagePullPolicy: IfNotPresent + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do + ns=$(echo $entry | awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/create-custom-resources-job.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + namespace: istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", 
"replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-security-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-security-post-install-1.1.6 + namespace: istio-system + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: security + chart: security + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-security-post-install + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + imagePullPolicy: IfNotPresent + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + 
values: + - s390x + +--- +# Source: istio/charts/security/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-citadel-service-account + namespace: istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-sidecar-injector-service-account + namespace: istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + +--- +# Source: istio/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi + namespace: istio-system + +--- +# Source: istio/charts/galley/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: ["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions","apps"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] +- apiGroups: [""] + resources: ["pods", "nodes", "services", "endpoints"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["deployments/finalizers"] + resourceNames: ["istio-galley"] + verbs: ["update"] + +--- +# Source: 
istio/charts/gateways/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-egressgateway-istio-system + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +rules: +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-ingressgateway-istio-system + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +rules: +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- + +--- +# Source: istio/charts/kiali/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - apikeys + - authorizations + - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - reportnothings + - rules + - solarwindses + - stackdrivers + - statsds + - stdios + verbs: + - create + - delete + - get + - list + - patch + 
- watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali-viewer + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - apikeys + - authorizations + - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - reportnothings + - rules + - servicecontrolreports + - servicecontrols + - solarwindses + - stackdrivers + - statsds + - stdios + verbs: + - get + - list + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - get + - list + - watch 
+- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - get + - list + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - get + - list + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get + +--- +# Source: istio/charts/mixer/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-mixer-istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] # istio CRD watcher + resources: ["*"] + verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/pilot/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["ingresses", "ingresses/status"] + verbs: ["*"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] +- apiGroups: [""] + 
resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus-istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - nodes + - services + - endpoints + - pods + - nodes/proxy + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: + - configmaps + verbs: ["get"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] + +--- +# Source: istio/charts/security/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "update"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", "delete"] +- apiGroups: [""] + resources: ["serviceaccounts", "services"] + verbs: ["get", "watch", "list"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-sidecar-injector-istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + +--- +# Source: istio/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-reader +rules: + - apiGroups: [''] + 
resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"] + verbs: ['get', 'watch', 'list'] + - apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/galley/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/clusterrolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-egressgateway-istio-system + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-egressgateway-istio-system +subjects: +- kind: ServiceAccount + name: istio-egressgateway-service-account + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-ingressgateway-istio-system + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-ingressgateway-istio-system +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account + namespace: istio-system +--- + +--- +# Source: istio/charts/kiali/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-kiali-admin-role-binding-istio-system + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiali +subjects: +- 
kind: ServiceAccount + name: kiali-service-account + namespace: istio-system + +--- +# Source: istio/charts/mixer/templates/clusterrolebinding.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-mixer-admin-role-binding-istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-mixer-istio-system +subjects: + - kind: ServiceAccount + name: istio-mixer-service-account + namespace: istio-system + +--- +# Source: istio/charts/pilot/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-istio-system +subjects: + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: istio-system + +--- +# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: prometheus-istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-istio-system +subjects: +- kind: ServiceAccount + name: prometheus + namespace: istio-system + +--- +# Source: istio/charts/security/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-citadel-istio-system +subjects: + - kind: ServiceAccount + name: istio-citadel-service-account + namespace: istio-system + +--- +# Source: 
istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-sidecar-injector-admin-role-binding-istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-sidecar-injector-istio-system +subjects: + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: istio-system + +--- +# Source: istio/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-multi + labels: + chart: istio-1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader +subjects: +- kind: ServiceAccount + name: istio-multi + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/role.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds + namespace: istio-system +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- + +--- +# Source: istio/charts/gateways/templates/rolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account +--- + +--- +# Source: istio/charts/galley/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: 15014 + name: http-monitoring + - port: 9901 + name: grpc-mcp + selector: + istio: galley + +--- +# Source: 
istio/charts/gateways/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-egressgateway + namespace: istio-system + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + type: ClusterIP + selector: + release: istio + app: istio-egressgateway + istio: egressgateway + ports: + - + name: http2 + port: 80 + - + name: https + port: 443 + - + name: tls + port: 15443 + targetPort: 15443 +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + namespace: istio-system + annotations: + beta.cloud.google.com/backend-config: '{"ports": {"http2":"iap-backendconfig"}}' + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + type: LoadBalancer + selector: + release: istio + app: istio-ingressgateway + istio: ingressgateway + ports: + - + name: https-dex + port: 5556 + targetPort: 5556 + - + name: status-port + port: 15020 + targetPort: 15020 + - + name: http2 + nodePort: 31380 + port: 80 + targetPort: 80 + - + name: https + nodePort: 31390 + port: 443 + - + name: tcp + nodePort: 31400 + port: 31400 + - + name: https-kiali + port: 15029 + targetPort: 15029 + - + name: https-prometheus + port: 15030 + targetPort: 15030 + - + name: https-grafana + port: 15031 + targetPort: 15031 + - + name: https-tracing + port: 15032 + targetPort: 15032 + - + name: tls + port: 15443 + targetPort: 15443 +--- + +--- +# Source: istio/charts/grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + selector: + app: grafana + +--- +# Source: istio/charts/kiali/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: kiali + namespace: istio-system + labels: + app: kiali + 
chart: kiali + heritage: Tiller + release: istio +spec: + ports: + - name: http-kiali + protocol: TCP + port: 20001 + selector: + app: kiali + +--- +# Source: istio/charts/mixer/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + namespace: istio-system + annotations: + networking.istio.io/exportTo: "*" + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + selector: + istio: mixer + istio-mixer-type: policy +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + namespace: istio-system + annotations: + networking.istio.io/exportTo: "*" + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 + selector: + istio: mixer + istio-mixer-type: telemetry +--- + + +--- +# Source: istio/charts/pilot/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + selector: + istio: pilot + +--- +# Source: istio/charts/prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: prometheus + namespace: istio-system + annotations: + prometheus.io/scrape: 'true' + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +spec: + selector: + app: prometheus + ports: + - name: http-prometheus + protocol: TCP + port: 9090 + +--- +# Source: istio/charts/security/templates/service.yaml +apiVersion: 
v1 +kind: Service +metadata: + # we use the normal name here (e.g. 'prometheus') + # as grafana is configured to use this as a data source + name: istio-citadel + namespace: istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +spec: + ports: + - name: grpc-citadel + port: 8060 + targetPort: 8060 + protocol: TCP + - name: http-monitoring + port: 15014 + selector: + istio: citadel + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +spec: + ports: + - port: 443 + selector: + istio: sidecar-injector + +--- +# Source: istio/charts/galley/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-galley-service-account + containers: + - name: galley + image: "docker.io/istio/galley:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + - containerPort: 15014 + - containerPort: 9901 + command: + - /usr/local/bin/galley + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/healthliveness + - --readinessProbePath=/healthready + - --readinessProbeInterval=1s + - --deployment-namespace=istio-system + - --insecure=true + - --validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort=15014 + - 
--log_output_level=default:info + volumeMounts: + - name: certs + mountPath: /etc/certs + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: mesh-config + mountPath: /etc/mesh-config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthliveness + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthready + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + - name: mesh-config + configMap: + name: istio + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/gateways/templates/deployment.yaml + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-egressgateway + namespace: istio-system + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + template: + metadata: + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-egressgateway-service-account + containers: + - name: 
istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 15443 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-egressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: egressgateway-certs + mountPath: "/etc/istio/egressgateway-certs" + readOnly: true + - name: egressgateway-ca-certs + mountPath: "/etc/istio/egressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-egressgateway-service-account + 
optional: true + - name: egressgateway-certs + secret: + secretName: "istio-egressgateway-certs" + optional: true + - name: egressgateway-ca-certs + secret: + secretName: "istio-egressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-ingressgateway + namespace: istio-system + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + template: + metadata: + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-ingressgateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15020 + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15443 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' 
#connectTimeout + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: ingressgateway-certs + mountPath: "/etc/istio/ingressgateway-certs" + readOnly: true + - name: ingressgateway-ca-certs + mountPath: "/etc/istio/ingressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + - name: ingressgateway-certs + secret: + secretName: "istio-ingressgateway-certs" + optional: true + - name: ingressgateway-ca-certs + secret: + secretName: "istio-ingressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + 
preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- + +--- +# Source: istio/charts/grafana/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + replicas: 1 + template: + metadata: + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + spec: + securityContext: + runAsUser: 472 + fsGroup: 472 + containers: + - name: grafana + image: "grafana/grafana:6.0.2" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + readinessProbe: + httpGet: + path: /login + port: 3000 + env: + - name: GRAFANA_PORT + value: "3000" + - name: GF_AUTH_BASIC_ENABLED + value: "false" + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ORG_ROLE + value: Admin + - name: GF_PATHS_DATA + value: /data/grafana + resources: + requests: + cpu: 10m + + volumeMounts: + - name: data + mountPath: /data/grafana + - name: dashboards-istio-galley-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/galley-dashboard.json" + subPath: galley-dashboard.json + readOnly: true + - name: dashboards-istio-istio-mesh-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-mesh-dashboard.json" + subPath: istio-mesh-dashboard.json + readOnly: true + - name: dashboards-istio-istio-performance-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-performance-dashboard.json" + subPath: istio-performance-dashboard.json + readOnly: true + - name: 
dashboards-istio-istio-service-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-service-dashboard.json" + subPath: istio-service-dashboard.json + readOnly: true + - name: dashboards-istio-istio-workload-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-workload-dashboard.json" + subPath: istio-workload-dashboard.json + readOnly: true + - name: dashboards-istio-mixer-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/mixer-dashboard.json" + subPath: mixer-dashboard.json + readOnly: true + - name: dashboards-istio-pilot-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/pilot-dashboard.json" + subPath: pilot-dashboard.json + readOnly: true + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + volumes: + - name: config + configMap: + name: istio-grafana + - name: data + emptyDir: {} + - name: dashboards-istio-galley-dashboard + configMap: + name: istio-grafana-configuration-dashboards-galley-dashboard + - name: dashboards-istio-istio-mesh-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-mesh-dashboard + - name: dashboards-istio-istio-performance-dashboard + configMap: + name: 
istio-grafana-configuration-dashboards-istio-performance-dashboard + - name: dashboards-istio-istio-service-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-service-dashboard + - name: dashboards-istio-istio-workload-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-workload-dashboard + - name: dashboards-istio-mixer-dashboard + configMap: + name: istio-grafana-configuration-dashboards-mixer-dashboard + - name: dashboards-istio-pilot-dashboard + configMap: + name: istio-grafana-configuration-dashboards-pilot-dashboard + +--- +# Source: istio/charts/kiali/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: kiali + namespace: istio-system + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: kiali + template: + metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/scrape: "true" + prometheus.io/port: "9090" + spec: + serviceAccountName: kiali-service-account + containers: + - image: "docker.io/kiali/kiali:v0.16" + name: kiali + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + - "-v" + - "4" + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PROMETHEUS_SERVICE_URL + value: http://prometheus:9090 + - name: SERVER_WEB_ROOT + value: /kiali + volumeMounts: + - name: kiali-configuration + mountPath: "/kiali-configuration" + - name: kiali-secret + mountPath: "/kiali-secret" + resources: + requests: + cpu: 10m + + volumes: + - name: kiali-configuration + configMap: + name: kiali + - name: kiali-secret + secret: + secretName: kiali + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - 
matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/mixer/templates/deployment.yaml + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-policy + namespace: istio-system + labels: + app: istio-mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: policy + template: + metadata: + labels: + app: policy + chart: mixer + heritage: Tiller + release: istio + istio: mixer + istio-mixer-type: policy + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + - name: policy-adapter-secret + secret: + secretName: policy-adapter-secret + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + 
values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15014 + - containerPort: 42422 + args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 + - --configDefaultNamespace=istio-system + - --useAdapterCRDs=true + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + env: + - name: GODEBUG + value: "gctrace=1" + - name: GOMAXPROCS + value: "6" + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 100Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-policy + - --templateFile + - /etc/istio/proxy/envoy_policy.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + - name: policy-adapter-secret + mountPath: /var/run/secrets/istio.io/policy/adapter + readOnly: true + +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-telemetry + 
namespace: istio-system + labels: + app: istio-mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: telemetry + template: + metadata: + labels: + app: telemetry + chart: mixer + heritage: Tiller + release: istio + istio: mixer + istio-mixer-type: telemetry + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + - name: telemetry-adapter-secret + secret: + secretName: telemetry-adapter-secret + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15014 + - containerPort: 42422 + args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 + - --configDefaultNamespace=istio-system + - --useAdapterCRDs=true + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + - --averageLatencyThreshold + - 100ms + - --loadsheddingMode + - enforce + env: + - name: GODEBUG + value: "gctrace=1" + - name: GOMAXPROCS + value: "6" + 
resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 50m + memory: 100Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: telemetry-adapter-secret + mountPath: /var/run/secrets/istio.io/telemetry/adapter + readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-telemetry + - --templateFile + - /etc/istio/proxy/envoy_telemetry.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + +--- + +--- +# Source: istio/charts/pilot/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-pilot + namespace: istio-system + # TODO: default template doesn't have this, which one is right ? 
+ labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot + annotations: + checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-pilot-service-account + containers: + - name: discovery + image: "docker.io/istio/pilot:1.1.6" + imagePullPolicy: IfNotPresent + args: + - "discovery" + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --secureGrpcAddr + - "" + - --keepaliveMaxServerConnectionAge + - "30m" + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: GODEBUG + value: "gctrace=1" + - name: PILOT_PUSH_THROTTLE + value: "100" + - name: PILOT_TRACE_SAMPLING + value: "100" + - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY + value: "1" + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 10m + memory: 100Mi + + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + - 
--controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + volumes: + - name: config-volume + configMap: + name: istio + - name: istio-certs + secret: + secretName: istio.istio-pilot-service-account + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/prometheus/templates/deployment.yaml +# TODO: the original template has service account, roles, etc +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: prometheus + namespace: istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus + template: + metadata: + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: prometheus + containers: + - name: prometheus + image: "docker.io/prom/prometheus:v2.3.1" + imagePullPolicy: IfNotPresent + args: + - '--storage.tsdb.retention=6h' + 
- '--config.file=/etc/prometheus/prometheus.yml' + ports: + - containerPort: 9090 + name: http + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + resources: + requests: + cpu: 10m + + volumeMounts: + - name: config-volume + mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs + volumes: + - name: config-volume + configMap: + name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + secretName: istio.default + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/deployment.yaml +# istio CA watching all namespaces +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-citadel + namespace: istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-citadel-service-account + containers: + - name: citadel + image: "docker.io/istio/citadel:1.1.6" + imagePullPolicy: IfNotPresent + args: + - --append-dns-names=true + - --grpc-port=8060 + - --grpc-hostname=citadel + - --citadel-storage-namespace=istio-system + - 
--custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system + - --monitoring-port=15014 + - --self-signed-ca=true + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-sidecar-injector-service-account + containers: + - name: sidecar-injector-webhook + image: "docker.io/istio/sidecar_injector:1.1.6" + imagePullPolicy: IfNotPresent + args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=2s + - 
--healthCheckFile=/health + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + readOnly: true + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: inject-config + mountPath: /etc/istio/inject + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + + volumes: + - name: config-volume + configMap: + name: istio + - name: certs + secret: + secretName: istio.istio-sidecar-injector-service-account + - name: inject-config + configMap: + name: istio-sidecar-injector + items: + - key: config + path: config + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/tracing/templates/deployment-jaeger.yaml + + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-tracing + namespace: istio-system + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + template: + metadata: + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "16686" + prometheus.io/path: 
"/jaeger/metrics" + spec: + containers: + - name: jaeger + image: "docker.io/jaegertracing/all-in-one:1.9" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9411 + - containerPort: 16686 + - containerPort: 5775 + protocol: UDP + - containerPort: 6831 + protocol: UDP + - containerPort: 6832 + protocol: UDP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: COLLECTOR_ZIPKIN_HTTP_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "50000" + - name: QUERY_BASE_PATH + value: /jaeger + livenessProbe: + httpGet: + path: / + port: 16686 + readinessProbe: + httpGet: + path: / + port: 16686 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + + +--- +# Source: istio/charts/gateways/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-egressgateway + namespace: istio-system + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-egressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-ingressgateway + namespace: istio-system + labels: + app: ingressgateway + chart: 
gateways + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-ingressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/mixer/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-policy + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-policy + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-telemetry + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-telemetry + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/pilot/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/tracing/templates/service-jaeger.yaml + +apiVersion: v1 +kind: Service +metadata: + name: jaeger-query + namespace: istio-system + labels: + app: jaeger + jaeger-infra: jaeger-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: query-http + port: 16686 + protocol: TCP + targetPort: 16686 + 
selector: + app: jaeger + +--- + +apiVersion: v1 +kind: Service +metadata: + name: jaeger-collector + namespace: istio-system + labels: + app: jaeger + jaeger-infra: collector-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: jaeger-collector-tchannel + port: 14267 + protocol: TCP + targetPort: 14267 + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + selector: + app: jaeger + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger-agent + namespace: istio-system + labels: + app: jaeger + jaeger-infra: agent-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: agent-zipkin-thrift + port: 5775 + protocol: UDP + targetPort: 5775 + - name: agent-compact + port: 6831 + protocol: UDP + targetPort: 6831 + - name: agent-binary + port: 6832 + protocol: UDP + targetPort: 6832 + clusterIP: None + selector: + app: jaeger + + + +--- +# Source: istio/charts/tracing/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: zipkin + namespace: istio-system + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + type: ClusterIP + ports: + - port: 9411 + targetPort: 9411 + protocol: TCP + name: http + selector: + app: jaeger +--- +apiVersion: v1 +kind: Service +metadata: + name: tracing + namespace: istio-system + annotations: + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: http-query + port: 80 + protocol: TCP + + targetPort: 16686 + + selector: + app: jaeger + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio +webhooks: + - name: sidecar-injector.istio.io + 
clientConfig: + service: + name: istio-sidecar-injector + namespace: istio-system + path: "/inject" + caBundle: "" + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + namespaceSelector: + matchLabels: + istio-injection: enabled + + +--- +# Source: istio/charts/galley/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + + minAvailable: 1 + selector: + matchLabels: + app: galley + release: istio + istio: galley + +--- +# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-egressgateway + namespace: istio-system + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + + minAvailable: 1 + selector: + matchLabels: + release: istio + app: istio-egressgateway + istio: egressgateway +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-ingressgateway + namespace: istio-system + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + + minAvailable: 1 + selector: + matchLabels: + release: istio + app: istio-ingressgateway + istio: ingressgateway +--- + +--- +# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-policy + namespace: istio-system + labels: + app: policy + chart: mixer + heritage: Tiller + release: istio + version: 1.1.0 + istio: mixer + istio-mixer-type: policy +spec: + + minAvailable: 1 + selector: + matchLabels: + app: policy + release: istio + istio: mixer + istio-mixer-type: policy +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget 
+metadata: + name: istio-telemetry + namespace: istio-system + labels: + app: telemetry + chart: mixer + heritage: Tiller + release: istio + version: 1.1.0 + istio: mixer + istio-mixer-type: telemetry +spec: + + minAvailable: 1 + selector: + matchLabels: + app: telemetry + release: istio + istio: mixer + istio-mixer-type: telemetry +--- + +--- +# Source: istio/charts/pilot/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot +spec: + + minAvailable: 1 + selector: + matchLabels: + app: pilot + release: istio + istio: pilot + +--- + +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.url_path: + valueType: STRING + request.query_params: + valueType: STRING_MAP + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + response.grpc_status: + valueType: STRING + response.grpc_message: + valueType: STRING + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: 
STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + connection.requested_server_name: + valueType: STRING + context.protocol: + valueType: STRING + context.proxy_error_code: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + rbac.permissive.response_code: + valueType: STRING + rbac.permissive.effective_policy_id: + valueType: STRING + check.error_code: + valueType: INT64 + check.error_message: + valueType: STRING + check.cache_hit: + valueType: BOOL + quota.cache_hit: + valueType: BOOL + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + 
source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: stdio + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + compiledAdapter: stdio + params: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: accesslog + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + 
destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseFlags: context.proxy_error_code | "" + responseSize: response.size | 0 + permissiveResponseCode: rbac.permissive.response_code | "none" + permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none" + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + grpcStatus: response.grpc_status | "" + grpcMessage: response.grpc_message | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: tcpaccesslog + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | 
"" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + responseFlags: context.proxy_error_code | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: stdio + instances: + - accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" + actions: + - handler: stdio + instances: + - tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + namespace: 
istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + 
source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: 
destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + 
response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytesent + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: 
Tiller + release: istio +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpconnectionsopened + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: 
destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpconnectionsclosed + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- 
+apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: prometheus + namespace: istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + compiledAdapter: prometheus + params: + metricsExpirationPolicy: + metricsExpiryDuration: "10m" + metrics: + - name: requests_total + instance_name: requestcount.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - 
destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: 
tcp_connections_opened_total
+ instance_name: tcpconnectionsopened.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+ - name: tcp_connections_closed_total
+ instance_name: tcpconnectionsclosed.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promhttp
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false)
+ actions:
+ - handler: prometheus
+ instances:
+ - requestcount.metric
+ - requestduration.metric
+ - requestsize.metric
+ - responsesize.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcp
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpbytesent.metric
+ - tcpbytereceived.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcpconnectionopen
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp" && ((connection.event | "na") == "open")
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpconnectionsopened.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcpconnectionclosed
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp" && ((connection.event | "na") == "close")
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpconnectionsclosed.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: handler
+metadata:
+ name: kubernetesenv
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ compiledAdapter: kubernetesenv
+ params:
+ # when running from mixer root, use the following config after adding a
+ # symbolic link to a kubernetes config file via:
+ #
+ # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
+ #
+ # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: kubeattrgenrulerule
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ actions:
+ - handler: kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: tcpkubeattrgenrulerule
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: kubernetes
+metadata:
+ name: attributes
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ # Pass the required attribute data to the adapter
+ source_uid: source.uid | ""
+ source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
+ destination_uid: destination.uid | ""
+ destination_port: destination.port | 0
+ attribute_bindings:
+ # Fill the new attributes from the adapter produced output.
+ # $out refers to an instance of OutputTemplate message
+ source.ip: $out.source_pod_ip | ip("0.0.0.0")
+ source.uid: $out.source_pod_uid | "unknown"
+ source.labels: $out.source_labels | emptyStringMap()
+ source.name: $out.source_pod_name | "unknown"
+ source.namespace: $out.source_namespace | "default"
+ source.owner: $out.source_owner | "unknown"
+ source.serviceAccount: $out.source_service_account_name | "unknown"
+ source.workload.uid: $out.source_workload_uid | "unknown"
+ source.workload.name: $out.source_workload_name | "unknown"
+ source.workload.namespace: $out.source_workload_namespace | "unknown"
+ destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
+ destination.uid: $out.destination_pod_uid | "unknown"
+ destination.labels: $out.destination_labels | emptyStringMap()
+ destination.name: $out.destination_pod_name | "unknown"
+ destination.container.name: $out.destination_container_name | "unknown"
+ destination.namespace: $out.destination_namespace | "default"
+ destination.owner: $out.destination_owner | "unknown"
+ destination.serviceAccount: $out.destination_service_account_name | "unknown"
+ destination.workload.uid: $out.destination_workload_uid | "unknown"
+ destination.workload.name: $out.destination_workload_name | "unknown"
+ destination.workload.namespace: $out.destination_workload_namespace | "unknown"
+---
+# Configuration needed by Mixer.
+# Mixer cluster is delivered via CDS
+# Specify mixer cluster settings
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ host: istio-policy.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ host: istio-telemetry.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---
+
+apiVersion: rbac.istio.io/v1alpha1
+kind: ClusterRbacConfig
+metadata:
+ name: default
+spec:
+ mode: 'ON'
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.0.yaml
new file mode 100644
index 0000000000..f314faded6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.0.yaml
@@ -0,0 +1,319 @@
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ namespace: kubeflow
+spec:
+ applications:
+ - kustomizeConfig:
+ parameters:
+ - name: clusterRbacConfig
+ value: 'OFF'
+ repoRef:
+ name: manifests
+ path: istio/istio
+ name: istio
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: application/application-crds
+ name: application-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: application/application
+ name: application
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-crds
+ name: cert-manager-crds
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: kube-system
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-kube-system-resources
+ name: cert-manager-kube-system-resources
+ - kustomizeConfig:
+ overlays:
+ - self-signed
+ - application
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager
+ name: cert-manager
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: metacontroller
+ name: metacontroller
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: argo
+ name: argo
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: kubeflow-roles
+ name: kubeflow-roles
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: common/centraldashboard
+ name: centraldashboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/bootstrap
+ name: bootstrap
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/webhook
+ name: webhook
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: jupyter/jupyter-web-app
+ name: jupyter-web-app
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: spark/spark-operator
+ name: spark-operator
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ - db
+ repoRef:
+ name: manifests
+ path: metadata
+ name: metadata
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: jupyter/notebook-controller
+ name: notebook-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-job-crds
+ name: pytorch-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-operator
+ name: pytorch-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-crds
+ name: knative-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-install
+ name: knative-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-crds
+ name: kfserving-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-install
+ name: kfserving-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: usageId
+ value:
+ - name: reportUsage
+ value: 'true'
+ repoRef:
+ name: manifests
+ path: common/spartakus
+ name: spartakus
+ - kustomizeConfig:
+ overlays:
+ - istio
+ repoRef:
+ name: manifests
+ path: tensorboard
+ name: tensorboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-crds
+ name: tf-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-operator
+ name: tf-job-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: katib/katib-crds
+ name: katib-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: katib/katib-controller
+ name: katib-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/api-service
+ name: api-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: minioPvcName
+ value: minio-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/minio
+ name: minio
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: mysqlPvcName
+ value: mysql-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/mysql
+ name: mysql
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/persistent-agent
+ name: persistent-agent
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-runner
+ name: pipelines-runner
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-ui
+ name: pipelines-ui
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-viewer
+ name: pipelines-viewer
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ parameters:
+ - name: admin
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core-operator
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0-branch.tar.gz
+ version: v1.0.0
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.1.yaml
new file mode 100644
index 0000000000..8768304f90
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.1.yaml
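Review bot: `repos[0].uri` in kfctl_anthos.v1.0.0.yaml is `https://github.com/kubeflow/manifests/archive/v1.0-branch.tar.gz` while `version` says `v1.0.0`, so what gets applied is whatever the branch head holds at fetch time rather than the release the file name promises. kfctl_anthos.v1.0.1.yaml repeats the same branch archive and kfctl_anthos.yaml fetches `master.tar.gz`; only kfctl_anthos.v1.0.2.yaml names a tag. These manifests install cluster-wide pieces (CRDs, admission webhooks, cert-manager resources in `kube-system`), so I would point the URI at an immutable ref, e.g. `uri: https://github.com/kubeflow/manifests/archive/<tag-or-commit-sha>.tar.gz`, and record the expected archive digest beside it if the tooling can verify one.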
@@ -0,0 +1,319 @@
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ namespace: kubeflow
+spec:
+ applications:
+ - kustomizeConfig:
+ parameters:
+ - name: clusterRbacConfig
+ value: 'OFF'
+ repoRef:
+ name: manifests
+ path: istio/istio
+ name: istio
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: application/application-crds
+ name: application-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: application/application
+ name: application
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-crds
+ name: cert-manager-crds
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: kube-system
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-kube-system-resources
+ name: cert-manager-kube-system-resources
+ - kustomizeConfig:
+ overlays:
+ - self-signed
+ - application
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager
+ name: cert-manager
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: metacontroller
+ name: metacontroller
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: argo
+ name: argo
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: kubeflow-roles
+ name: kubeflow-roles
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: common/centraldashboard
+ name: centraldashboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/bootstrap
+ name: bootstrap
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/webhook
+ name: webhook
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: jupyter/jupyter-web-app
+ name: jupyter-web-app
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: spark/spark-operator
+ name: spark-operator
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ - db
+ repoRef:
+ name: manifests
+ path: metadata
+ name: metadata
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: jupyter/notebook-controller
+ name: notebook-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-job-crds
+ name: pytorch-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-operator
+ name: pytorch-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-crds
+ name: knative-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-install
+ name: knative-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-crds
+ name: kfserving-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-install
+ name: kfserving-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: usageId
+ value:
+ - name: reportUsage
+ value: 'true'
+ repoRef:
+ name: manifests
+ path: common/spartakus
+ name: spartakus
+ - kustomizeConfig:
+ overlays:
+ - istio
+ repoRef:
+ name: manifests
+ path: tensorboard
+ name: tensorboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-crds
+ name: tf-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-operator
+ name: tf-job-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: katib/katib-crds
+ name: katib-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: katib/katib-controller
+ name: katib-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/api-service
+ name: api-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: minioPvcName
+ value: minio-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/minio
+ name: minio
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: mysqlPvcName
+ value: mysql-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/mysql
+ name: mysql
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/persistent-agent
+ name: persistent-agent
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-runner
+ name: pipelines-runner
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-ui
+ name: pipelines-ui
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-viewer
+ name: pipelines-viewer
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ parameters:
+ - name: admin
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core-operator
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0-branch.tar.gz
+ version: v1.0.1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.2.yaml
new file mode 100644
index 0000000000..542c971db9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.v1.0.2.yaml
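Review bot: The `istio` application at the top of this KfDef passes `clusterRbacConfig` with value `'OFF'`, whereas the Istio manifest in the file just before the kfdef files in this patch ships a `ClusterRbacConfig` named `default` with `mode: 'ON'`. Going by the parameter name, applying this KfDef would presumably switch mesh-wide Istio RBAC enforcement off, leaving authorization to whatever each service checks on its own. The same parameter is set in the other kfctl_anthos files and in kfctl_aws.v1.0.0.yaml. A comment above it such as `# Istio RBAC is off by upstream default; set to 'ON' once ServiceRole/ServiceRoleBinding objects cover every workload` would make the trade-off visible to whoever reuses the file.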
@@ -0,0 +1,319 @@
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ namespace: kubeflow
+spec:
+ applications:
+ - kustomizeConfig:
+ parameters:
+ - name: clusterRbacConfig
+ value: 'OFF'
+ repoRef:
+ name: manifests
+ path: istio/istio
+ name: istio
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: application/application-crds
+ name: application-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: application/application
+ name: application
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-crds
+ name: cert-manager-crds
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: kube-system
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-kube-system-resources
+ name: cert-manager-kube-system-resources
+ - kustomizeConfig:
+ overlays:
+ - self-signed
+ - application
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager
+ name: cert-manager
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: metacontroller
+ name: metacontroller
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: argo
+ name: argo
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: kubeflow-roles
+ name: kubeflow-roles
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: common/centraldashboard
+ name: centraldashboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/bootstrap
+ name: bootstrap
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/webhook
+ name: webhook
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: jupyter/jupyter-web-app
+ name: jupyter-web-app
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: spark/spark-operator
+ name: spark-operator
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ - db
+ repoRef:
+ name: manifests
+ path: metadata
+ name: metadata
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: jupyter/notebook-controller
+ name: notebook-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-job-crds
+ name: pytorch-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-operator
+ name: pytorch-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-crds
+ name: knative-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-install
+ name: knative-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-crds
+ name: kfserving-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-install
+ name: kfserving-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: usageId
+ value:
+ - name: reportUsage
+ value: 'true'
+ repoRef:
+ name: manifests
+ path: common/spartakus
+ name: spartakus
+ - kustomizeConfig:
+ overlays:
+ - istio
+ repoRef:
+ name: manifests
+ path: tensorboard
+ name: tensorboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-crds
+ name: tf-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-operator
+ name: tf-job-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: katib/katib-crds
+ name: katib-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: katib/katib-controller
+ name: katib-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/api-service
+ name: api-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: minioPvcName
+ value: minio-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/minio
+ name: minio
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: mysqlPvcName
+ value: mysql-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/mysql
+ name: mysql
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/persistent-agent
+ name: persistent-agent
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-runner
+ name: pipelines-runner
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-ui
+ name: pipelines-ui
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-viewer
+ name: pipelines-viewer
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ parameters:
+ - name: admin
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core-operator
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz
+ version: v1.0.2
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.yaml
new file mode 100644
index 0000000000..01a93f9aa8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_anthos.yaml
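Review bot: `centraldashboard`, `jupyter-web-app` and `profiles` are told to read the caller's identity from the `X-Goog-Authenticated-User-Email` header (`userid-header`, with `userid-prefix: 'accounts.google.com:'`), and that value can only be trusted when every request reaches them through IAP. The commit description says this cluster will admit Dialogflow webhook calls under a different JWT policy from IAP traffic, so it is worth confirming that the second path cannot route to these services, or that the ingress drops any client-supplied copy of the header on it. A comment beside the first `userid-header` parameter such as `# identity header is set by IAP; ingress must strip it on any non-IAP route` would record the assumption. The same parameters appear in the other kfctl_anthos files in this patch.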
@@ -0,0 +1,319 @@
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ namespace: kubeflow
+spec:
+ applications:
+ - kustomizeConfig:
+ parameters:
+ - name: clusterRbacConfig
+ value: 'OFF'
+ repoRef:
+ name: manifests
+ path: istio/istio
+ name: istio
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: application/application-crds
+ name: application-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: application/application
+ name: application
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-crds
+ name: cert-manager-crds
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: kube-system
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-kube-system-resources
+ name: cert-manager-kube-system-resources
+ - kustomizeConfig:
+ overlays:
+ - self-signed
+ - application
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager
+ name: cert-manager
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: metacontroller
+ name: metacontroller
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: argo
+ name: argo
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: kubeflow-roles
+ name: kubeflow-roles
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: common/centraldashboard
+ name: centraldashboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/bootstrap
+ name: bootstrap
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/webhook
+ name: webhook
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: jupyter/jupyter-web-app
+ name: jupyter-web-app
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: spark/spark-operator
+ name: spark-operator
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ - db
+ repoRef:
+ name: manifests
+ path: metadata
+ name: metadata
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: jupyter/notebook-controller
+ name: notebook-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-job-crds
+ name: pytorch-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-operator
+ name: pytorch-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-crds
+ name: knative-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-install
+ name: knative-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-crds
+ name: kfserving-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-install
+ name: kfserving-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: usageId
+ value:
+ - name: reportUsage
+ value: 'true'
+ repoRef:
+ name: manifests
+ path: common/spartakus
+ name: spartakus
+ - kustomizeConfig:
+ overlays:
+ - istio
+ repoRef:
+ name: manifests
+ path: tensorboard
+ name: tensorboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-crds
+ name: tf-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-operator
+ name: tf-job-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: katib/katib-crds
+ name: katib-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: katib/katib-controller
+ name: katib-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/api-service
+ name: api-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: minioPvcName
+ value: minio-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/minio
+ name: minio
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: mysqlPvcName
+ value: mysql-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/mysql
+ name: mysql
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/persistent-agent
+ name: persistent-agent
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-runner
+ name: pipelines-runner
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-ui
+ name: pipelines-ui
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-viewer
+ name: pipelines-viewer
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ parameters:
+ - name: admin
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core-operator
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/master.tar.gz
+ version: master
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.0.yaml
new file mode 100644
index 0000000000..91166b7c72
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.0.yaml
@@ -0,0 +1,351 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: 
manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: 
tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator + name: mpi-operator 
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: clusterName
+ value: kubeflow-aws
+ repoRef:
+ name: manifests
+ path: aws/aws-alb-ingress-controller
+ name: aws-alb-ingress-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: aws/nvidia-device-plugin
+ name: nvidia-device-plugin
+ plugins:
+ - kind: KfAwsPlugin
+ metadata:
+ name: aws
+ spec:
+ auth:
+ basicAuth:
+ password:
+ name: password
+ username: admin
+ region: us-west-2
+ roles:
+ - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxxxx
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz
+ version: v1.0.0
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.1.yaml
new file mode 100644
index 0000000000..ab5abd5c71
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.1.yaml
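Review bot: In `kfctl_aws.v1.0.0.yaml` the `istio` application sets `clusterRbacConfig` to `'OFF'` and is followed by `istio/add-anonymous-user-filter`, and the `KfAwsPlugin` block at the end uses `basicAuth` with `username: admin`, so anything deployed from this file would run with Istio authorization disabled and what looks like a single shared login. The path under `upstream/manifests/` suggests a vendored copy that this GCP cluster never applies, but nothing in the file says so; I would add a header comment such as `# Vendored upstream AWS example: Istio RBAC is OFF and auth is shared basic auth. Do not apply to this cluster.`, or leave the AWS KfDefs out of the import. The same settings are repeated in the `kfctl_aws.v1.0.1.yaml`, `kfctl_aws.v1.0.2.yaml` and `kfctl_aws.yaml` hunks that follow.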
@@ -0,0 +1,351 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: 
manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: 
tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator + name: mpi-operator 
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: clusterName
+ value: kubeflow-aws
+ repoRef:
+ name: manifests
+ path: aws/aws-alb-ingress-controller
+ name: aws-alb-ingress-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: aws/nvidia-device-plugin
+ name: nvidia-device-plugin
+ plugins:
+ - kind: KfAwsPlugin
+ metadata:
+ name: aws
+ spec:
+ auth:
+ basicAuth:
+ password:
+ name: password
+ username: admin
+ region: us-west-2
+ roles:
+ - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxxxx
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz
+ version: v1.0.1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.2.yaml
new file mode 100644
index 0000000000..c94a9fb7da
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.v1.0.2.yaml
@@ -0,0 +1,393 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: 
manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - 
application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: 
pipelines-ui
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-viewer
+ name: pipelines-viewer
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipeline-visualization-service
+ name: pipeline-visualization-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: mpi-job/mpi-operator
+ name: mpi-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: clusterName
+ value: kubeflow-aws
+ repoRef:
+ name: manifests
+ path: aws/aws-alb-ingress-controller
+ name: aws-alb-ingress-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: aws/nvidia-device-plugin
+ name: nvidia-device-plugin
+ plugins:
+ - kind: KfAwsPlugin
+ metadata:
+ name: aws
+ spec:
+ auth:
+ basicAuth:
+ password:
+ name: password
+ username: admin
+ region: us-west-2
+ roles:
+ - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxxxx
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz
+ version: v1.0.2
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.yaml
new file mode 100644
index 0000000000..6b0d15c437
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws.yaml
@@ -0,0 +1,386 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: 
manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + - aws + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: 
+ - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - 
kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipeline-visualization-service
+ name: pipeline-visualization-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: mpi-job/mpi-operator
+ name: mpi-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: clusterName
+ value: kubeflow-aws
+ repoRef:
+ name: manifests
+ path: aws/aws-alb-ingress-controller
+ name: aws-alb-ingress-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: aws/nvidia-device-plugin
+ name: nvidia-device-plugin
+ plugins:
+ - kind: KfAwsPlugin
+ metadata:
+ name: aws
+ spec:
+ auth:
+ basicAuth:
+ password:
+ name: password
+ username: admin
+ region: us-west-2
+ roles:
+ - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxxxx
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/master.tar.gz
+ version: master
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.0.yaml
new file mode 100644
index 0000000000..b1bb0778aa
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.0.yaml
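Review bot: The `repos` entry at the end of `kfctl_aws.yaml` fetches `https://github.com/kubeflow/manifests/archive/master.tar.gz` with `version: master`, so every build from this file pulls whatever the upstream branch holds at that moment and the deployed manifests are neither reproducible nor reviewable against a known revision. The versioned siblings in this commit pin a release tarball (`v1.0.0`, `v1.0.1`, `v1.0.2`); here I would pin an immutable commit instead, e.g. `uri: https://github.com/kubeflow/manifests/archive/<commit-sha>.tar.gz` with `version: <commit-sha>` (placeholder; assuming the `version` field accepts an arbitrary ref). The file whose hunk ends just before `kfctl_aws.v1.0.0.yaml` carries the same `master` reference, though its start is outside this view.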
@@ -0,0 +1,378 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + 
repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + 
name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator 
+ name: mpi-operator + - kustomizeConfig: + overlays: + - cognito + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: aws/istio-ingress + name: istio-ingress + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: origin-header + value: x-amzn-oidc-data + - name: custom-header + value: kubeflow-userid + repoRef: + name: manifests + path: aws/aws-istio-authz-adaptor + name: aws-istio-authz-adaptor + - kustomizeConfig: + overlays: + - application + parameters: + - name: clusterName + value: kubeflow-aws + repoRef: + name: manifests + path: aws/aws-alb-ingress-controller + name: aws-alb-ingress-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: aws/nvidia-device-plugin + name: nvidia-device-plugin + plugins: + - kind: KfAwsPlugin + metadata: + name: aws + spec: + auth: + cognito: + certArn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxxxxxxxx-xxxx + cognitoAppClientId: xxxxxbxxxxxx + cognitoUserPoolArn: arn:aws:cognito-idp:us-west-2:xxxxx:userpool/us-west-2_xxxxxx + cognitoUserPoolDomain: your-user-pool + region: us-west-2 + roles: + - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxx + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.1.yaml new file mode 100644 index 0000000000..7573879127 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.1.yaml 
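Review bot: Nothing in this KfDef states that an inbound `kubeflow-userid` header is discarded before a request reaches centraldashboard, jupyter-web-app and profiles, which are all configured with `userid-header: kubeflow-userid`. The `aws-istio-authz-adaptor` entry sets `origin-header: x-amzn-oidc-data` and `custom-header: kubeflow-userid`, so the design presumably relies on the adaptor overwriting that header and on the ALB being the only route to the ingress gateway; neither is visible here. I would record the assumption above the adaptor entry, e.g. `# kubeflow-userid is trusted downstream; the ingress path must overwrite any client-supplied value`, and confirm it against the adaptor's own manifests. The same parameters appear in the v1.0.1, v1.0.2 and unversioned kfctl_aws_cognito files.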
@@ -0,0 +1,378 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + 
repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + 
name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator 
+ name: mpi-operator + - kustomizeConfig: + overlays: + - cognito + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: aws/istio-ingress + name: istio-ingress + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: origin-header + value: x-amzn-oidc-data + - name: custom-header + value: kubeflow-userid + repoRef: + name: manifests + path: aws/aws-istio-authz-adaptor + name: aws-istio-authz-adaptor + - kustomizeConfig: + overlays: + - application + parameters: + - name: clusterName + value: kubeflow-aws + repoRef: + name: manifests + path: aws/aws-alb-ingress-controller + name: aws-alb-ingress-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: aws/nvidia-device-plugin + name: nvidia-device-plugin + plugins: + - kind: KfAwsPlugin + metadata: + name: aws + spec: + auth: + cognito: + certArn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxxxxxxxx-xxxx + cognitoAppClientId: xxxxxbxxxxxx + cognitoUserPoolArn: arn:aws:cognito-idp:us-west-2:xxxxx:userpool/us-west-2_xxxxxx + cognitoUserPoolDomain: your-user-pool + region: us-west-2 + roles: + - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxx + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.2.yaml new file mode 100644 index 0000000000..4a7531f360 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.v1.0.2.yaml 
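Review bot: The spartakus entry sets `reportUsage` to `'true'` and leaves `usageId` with a bare `value:`, so usage reporting is presumably on by default and the id parses as null rather than as a string. If this cluster is not meant to send usage data out, set `value: 'false'` on `reportUsage` or drop the spartakus application; if it is, give `usageId` an explicit quoted value. The identical entry is in the v1.0.0, v1.0.2 and unversioned kfctl_aws_cognito files.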
@@ -0,0 +1,420 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + 
repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - 
kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: 
+ overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator + name: mpi-operator + - kustomizeConfig: + overlays: + - cognito + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: aws/istio-ingress + name: istio-ingress + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: origin-header + value: x-amzn-oidc-data + - name: custom-header + value: kubeflow-userid + repoRef: + name: manifests + path: aws/aws-istio-authz-adaptor + name: aws-istio-authz-adaptor + - kustomizeConfig: + overlays: + - application + parameters: + - name: clusterName + value: kubeflow-aws + repoRef: + name: manifests + path: aws/aws-alb-ingress-controller + name: aws-alb-ingress-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: aws/nvidia-device-plugin + name: nvidia-device-plugin + plugins: + - kind: KfAwsPlugin + metadata: + name: aws + spec: + auth: + cognito: + certArn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxxxxxxxx-xxxx + cognitoAppClientId: xxxxxbxxxxxx + cognitoUserPoolArn: arn:aws:cognito-idp:us-west-2:xxxxx:userpool/us-west-2_xxxxxx + cognitoUserPoolDomain: 
your-user-pool + region: us-west-2 + roles: + - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxx + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.yaml new file mode 100644 index 0000000000..65427c2a0c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_aws_cognito.yaml 
@@ -0,0 +1,413 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + 
repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + - aws + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - 
kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application 
+ repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator + name: mpi-operator + - kustomizeConfig: + overlays: + - cognito + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: aws/istio-ingress + name: istio-ingress + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: origin-header + value: x-amzn-oidc-data + - name: custom-header + value: kubeflow-userid + repoRef: + name: manifests + path: aws/aws-istio-authz-adaptor + name: aws-istio-authz-adaptor + - kustomizeConfig: + overlays: + - application + parameters: + - name: clusterName + value: kubeflow-aws + repoRef: + name: manifests + path: aws/aws-alb-ingress-controller + name: aws-alb-ingress-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: aws/nvidia-device-plugin + name: nvidia-device-plugin + plugins: + - kind: KfAwsPlugin + metadata: + name: aws + spec: + auth: + cognito: + certArn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxxxxxxxx-xxxx + cognitoAppClientId: xxxxxbxxxxxx + cognitoUserPoolArn: arn:aws:cognito-idp:us-west-2:xxxxx:userpool/us-west-2_xxxxxx + cognitoUserPoolDomain: your-user-pool + region: us-west-2 + roles: + - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxx + repos: + - name: manifests + uri: 
https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_asm_exp.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_asm_exp.yaml new file mode 100644 index 0000000000..59369bf801 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_asm_exp.yaml 
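Review bot: `repos` points at `archive/master.tar.gz` with `version: master`, a moving branch, so two runs of the same config can install different manifests and nothing here verifies what was fetched. The versioned siblings in this commit pin a release tag; this file should pin too, e.g. `uri: https://github.com/kubeflow/manifests/archive/<COMMIT_SHA>.tar.gz` with a matching `version:`. The chosen revision has to contain the overlays referenced above, since the `aws` overlay on jupyter-web-app is not used in the v1.0.x files. The kfdef that ends just before kfctl_aws_cognito.v1.0.0.yaml carries the same `master` reference.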
@@ -0,0 +1,408 @@
+# This is the experimental config to install Kubeflow on an ASM GKE cluster.
+
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ namespace: kubeflow
+spec:
+ applications:
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: istio-system
+ repoRef:
+ name: manifests
+ path: istio/iap-gateway
+ name: iap-gateway
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: istio-system
+ repoRef:
+ name: manifests
+ path: istio/cluster-local-gateway
+ name: cluster-local-gateway
+ - kustomizeConfig:
+ parameters:
+ - name: clusterRbacConfig
+ value: 'ON'
+ repoRef:
+ name: manifests
+ path: istio/istio
+ name: istio
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: application/application-crds
+ name: application-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: application/application
+ name: application
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-crds
+ name: cert-manager-crds
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: kube-system
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-kube-system-resources
+ name: cert-manager-kube-system-resources
+ - kustomizeConfig:
+ overlays:
+ - self-signed
+ - application
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager
+ name: cert-manager
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: kubeflow-roles
+ name: kubeflow-roles
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: metacontroller
+ name: metacontroller
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: argo
+ name: argo
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: common/centraldashboard
+ name: centraldashboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/webhook
+ name: webhook
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: webhookNamePrefix
+ value: admission-webhook-
+ repoRef:
+ name: manifests
+ path: admission-webhook/bootstrap
+ name: bootstrap
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: jupyter/jupyter-web-app
+ name: jupyter-web-app
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: spark/spark-operator
+ name: spark-operator
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ - db
+ repoRef:
+ name: manifests
+ path: metadata
+ name: metadata
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: injectGcpCredentials
+ value: 'true'
+ repoRef:
+ name: manifests
+ path: jupyter/notebook-controller
+ name: notebook-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-job-crds
+ name: pytorch-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-operator
+ name: pytorch-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-crds
+ name: knative-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-install
+ name: knative-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-crds
+ name: kfserving-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-install
+ name: kfserving-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: usageId
+ value: '7439583937720421527'
+ - name: reportUsage
+ value: 'true'
+ repoRef:
+ name: manifests
+ path: common/spartakus
+ name: spartakus
+ - kustomizeConfig:
+ overlays:
+ - istio
+ repoRef:
+ name: manifests
+ path: tensorboard
+ name: tensorboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-crds
+ name: tf-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-operator
+ name: tf-job-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: katib/katib-crds
+ name: katib-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: katib/katib-controller
+ name: katib-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/api-service
+ name: api-service
+ - kustomizeConfig:
+ overlays:
+ - minioPd
+ - application
+ parameters:
+ - name: minioPd
+ value: test1-storage-artifact-store
+ - name: minioPvName
+ value: minio-pv
+ - name: minioPvcName
+ value: minio-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/minio
+ name: minio
+ - kustomizeConfig:
+ overlays:
+ - mysqlPd
+ - application
+ parameters:
+ - name: mysqlPd
+ value: test1-storage-metadata-store
+ - name: mysqlPvName
+ value: mysql-pv
+ - name: mysqlPvcName
+ value: mysql-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/mysql
+ name: mysql
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/persistent-agent
+ name: persistent-agent
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-runner
+ name: pipelines-runner
+ - kustomizeConfig:
+ overlays:
+ - gcp
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-ui
+ name: pipelines-ui
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-viewer
+ name: pipelines-viewer
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipeline-visualization-service
+ name: pipeline-visualization-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: gcp/cloud-endpoints
+ name: cloud-endpoints
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ parameters:
+ - name: admin
+ - name: userid-header
+ value: X-Goog-Authenticated-User-Email
+ - name: userid-prefix
+ value: 'accounts.google.com:'
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: gcp/gpu-driver
+ name: gpu-driver
+ - kustomizeConfig:
+ overlays:
+ - managed-cert
+ - application
+ parameters:
+ - name: namespace
+ value: istio-system
+ - name: ipName
+ value: test1-ip
+ - name: hostname
+ repoRef:
+ name: manifests
+ path: gcp/iap-ingress
+ name: iap-ingress
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core-operator
+ - kustomizeConfig:
+ parameters:
+ - name: user
+ - name: profile-name
+ value: anonymous
+ repoRef:
+ name: manifests
+ path: default-install
+ name: default-install
+ plugins:
+ - kind: KfGcpPlugin
+ metadata:
+ creationTimestamp: null
+ name: gcp
+ spec:
+ createPipelinePersistentStorage: true
+ enableWorkloadIdentity: true
+ skipInitProject: true
+ useBasicAuth: false
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/master.tar.gz
+ version: master
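Review bot: The `userid-header: X-Goog-Authenticated-User-Email` parameters set here for centraldashboard, jupyter-web-app and profiles appear to make those apps read the caller's identity from a request header, which is only safe while every route that can reach them has passed IAP's JWT check. The commit description plans a different JWT validation for Dialogflow webhook calls, so that route should be scoped to the webhook alone and the header should be stripped or rejected on it; nothing in this hunk shows that, so it needs confirming in the ingress policy. I would note the dependency next to the parameters, e.g. `# trusted only behind IAP; routes that skip IAP must not reach this app`. Separately, `repos` fetches `archive/master.tar.gz` with `version: master`, a moving ref, so the rendered ingress and auth manifests can change between builds; a commit archive such as `uri: https://github.com/kubeflow/manifests/archive/<COMMIT_SHA>.tar.gz` (placeholder) would pin it. If this file is a verbatim upstream copy, both changes belong in the cluster's own overlay rather than here.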
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.0.yaml
new file mode 100644
index 0000000000..c601304014
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.0.yaml
@@ -0,0 +1,431 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: 
kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: 
+ name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: '2700513155662330975' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + 
name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: ipName + value: ipName + - name: hostname + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: ambassadorServiceType + value: NodePort + - name: namespace + value: istio-system + repoRef: + name: manifests + path: common/ambassador + name: ambassador + - kustomizeConfig: + repoRef: + name: manifests + path: common/basic-auth + name: basic-auth + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + - name: hostname + - name: project + - name: ingressName + value: envoy-ingress + - name: issuer + value: letsencrypt-prod + repoRef: + name: manifests + path: gcp/basic-auth-ingress + name: basic-auth-ingress + - kustomizeConfig: + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + 
deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: true + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.1.yaml new file mode 100644 index 0000000000..28368d2542 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.1.yaml 
@@ -0,0 +1,431 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: 
kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: 
+ name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: '2700513155662330975' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + 
name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: ipName + value: ipName + - name: hostname + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: ambassadorServiceType + value: NodePort + - name: namespace + value: istio-system + repoRef: + name: manifests + path: common/ambassador + name: ambassador + - kustomizeConfig: + repoRef: + name: manifests + path: common/basic-auth + name: basic-auth + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + - name: hostname + - name: project + - name: ingressName + value: envoy-ingress + - name: issuer + value: letsencrypt-prod + repoRef: + name: manifests + path: gcp/basic-auth-ingress + name: basic-auth-ingress + - kustomizeConfig: + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + 
deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: true + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.2.yaml new file mode 100644 index 0000000000..40740add86 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.v1.0.2.yaml 
@@ -0,0 +1,431 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: 
kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: 
+ name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: '2700513155662330975' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + 
name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: ipName + value: ipName + - name: hostname + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: ambassadorServiceType + value: NodePort + - name: namespace + value: istio-system + repoRef: + name: manifests + path: common/ambassador + name: ambassador + - kustomizeConfig: + repoRef: + name: manifests + path: common/basic-auth + name: basic-auth + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + - name: hostname + - name: project + - name: ingressName + value: envoy-ingress + - name: issuer + value: letsencrypt-prod + repoRef: + name: manifests + path: gcp/basic-auth-ingress + name: basic-auth-ingress + - kustomizeConfig: + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + 
deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: true + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.yaml new file mode 100644 index 0000000000..5043bc6642 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_basic_auth.yaml 
@@ -0,0 +1,423 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + 
name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId 
+ value: '2700513155662330975' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: 
pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: ipName + value: ipName + - name: hostname + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: ambassadorServiceType + value: NodePort + - name: namespace + value: istio-system + repoRef: + name: manifests + path: common/ambassador + name: ambassador + - kustomizeConfig: + repoRef: + name: manifests + path: common/basic-auth + name: basic-auth + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + - name: hostname + - name: project + - name: ingressName + value: envoy-ingress + - name: issuer + value: letsencrypt-prod + repoRef: + name: manifests + path: gcp/basic-auth-ingress + name: basic-auth-ingress + - kustomizeConfig: + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + 
useBasicAuth: true + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.0.yaml new file mode 100644 index 0000000000..fcf794c523 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.0.yaml 
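Review bot: The `repos` entry that closes kfctl_gcp_basic_auth.yaml fetches `https://github.com/kubeflow/manifests/archive/master.tar.gz` with `version: master`, so the manifests applied to the cluster depend on whatever the upstream branch holds when the tarball is downloaded. The versioned KfDef files added in this same commit pin a release tag. I would pin here as well, to a tag or an immutable commit archive, e.g. `uri: https://github.com/kubeflow/manifests/archive/<pinned-commit-sha>.tar.gz` with a matching `version: <pinned-commit-sha>` (placeholder, to be filled in by the author). This file also sets `clusterRbacConfig` to `'OFF'` alongside `useBasicAuth: true`, whereas the IAP variants use `'ON'`; a short comment confirming that disabling Istio RBAC is intended for this profile would help. If this directory is a verbatim copy of the upstream package, the pin presumably belongs in whichever KfDef the cluster actually consumes.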
@@ -0,0 +1,426 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + 
name: manifests + path: argo + name: argo + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + 
name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: '7439583937720421527' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + 
path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + value: test1-ip + - name: hostname + repoRef: + name: manifests + path: gcp/iap-ingress + name: iap-ingress + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: user + - name: profile-name + value: anonymous + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + 
deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: false + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.1.yaml new file mode 100644 index 0000000000..ec1d7cb973 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.1.yaml 
@@ -0,0 +1,426 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + 
name: manifests + path: argo + name: argo + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + 
name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: '7439583937720421527' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + 
path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + value: test1-ip + - name: hostname + repoRef: + name: manifests + path: gcp/iap-ingress + name: iap-ingress + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: user + - name: profile-name + value: anonymous + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + 
deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: false + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.2.yaml new file mode 100644 index 0000000000..43b26d2d6c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.v1.0.2.yaml 
@@ -0,0 +1,429 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + 
name: manifests + path: argo + name: argo + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + 
name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: '7439583937720421527' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + 
name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + value: test1-ip + - name: hostname + repoRef: + name: manifests + path: gcp/iap-ingress + name: iap-ingress + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: user + - name: profile-name + value: anonymous + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp 
+ spec: + createPipelinePersistentStorage: true + deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: false + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.yaml new file mode 100644 index 0000000000..083fa87989 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_gcp_iap.yaml 
@@ -0,0 +1,426 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: namespaces + name: namespaces + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + overlays: + - 
istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: 'true' + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install 
+ - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: '7439583937720421527' + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - 
kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + value: test1-ip + - name: hostname + repoRef: + name: manifests + path: gcp/iap-ingress + name: iap-ingress + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: user + - name: profile-name + value: anonymous + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + deploymentManagerConfig: + 
repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: false + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.0.yaml new file mode 100644 index 0000000000..63cbff168e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.0.yaml 
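Review bot: The `repos` entry that closes the new kfctl_gcp_iap.yaml fetches `https://github.com/kubeflow/manifests/archive/master.tar.gz` with `version: master`, so what gets deployed depends on whatever the branch holds at fetch time and cannot be reproduced or audited afterwards. The versioned KfDef just before it in this diff pins `v1.0.2`; this one should be pinned the same way, e.g. `uri: https://github.com/kubeflow/manifests/archive/<PINNED_TAG_OR_COMMIT>.tar.gz` with a matching `version:`. A commit archive is the stronger choice because a tag can be moved. If the file is an unmodified upstream copy that is never applied to the cluster, a short comment saying so would be enough, and the pin then belongs in the KfDef or kustomization that is applied. Separately, `reportUsage` is `'true'` with a fixed `usageId`, and the `hostname` and `admin` parameters carry no value; it is worth confirming both are intended here.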
@@ -0,0 +1,361 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: 
metacontroller + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: containerRuntimeExecutor + value: pns + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - ibm-storage-config + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: 
knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + - ibm-storage-config + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests 
+ path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: example@kubeflow.org + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.1.yaml new file mode 100644 index 0000000000..272b880df4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.1.yaml 
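Review bot: kfctl_ibm.v1.0.0.yaml sets `clusterRbacConfig` to `'OFF'` and installs `istio/add-anonymous-user-filter`, and its application list contains no authenticating component, so as far as the hunk shows requests reaching the gateway are not tied to a verified identity (the filter's exact behaviour is not visible here and should be confirmed). If this profile is ever applied rather than only vendored, it needs an authenticating ingress or a network boundary in front of it, and `admin: example@kubeflow.org` should be replaced with a real owner. `usageId` has an empty `value:` (parsed as null) while `reportUsage` is `'true'`; either supply an id or set `reportUsage` to `'false'`. The same settings repeat in the kfctl_ibm.v1.0.1.yaml and kfctl_ibm.v1.0.2.yaml hunks, and the first of them in the visible part of kfctl_ibm.yaml.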
@@ -0,0 +1,361 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: 
metacontroller + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: containerRuntimeExecutor + value: pns + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - ibm-storage-config + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: 
knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + - ibm-storage-config + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests 
+ path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: example@kubeflow.org + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.2.yaml new file mode 100644 index 0000000000..ec6c765004 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.v1.0.2.yaml 
@@ -0,0 +1,361 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: 
metacontroller + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: containerRuntimeExecutor + value: pns + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - ibm-storage-config + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: 
knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + - ibm-storage-config + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests 
+ path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: example@kubeflow.org + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.yaml new file mode 100644 index 0000000000..f45ce7dba2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_ibm.yaml 
@@ -0,0 +1,353 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: containerRuntimeExecutor + value: pns + repoRef: + name: manifests + 
path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - ibm-storage-config + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + 
overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + - ibm-storage-config + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: 
pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: example@kubeflow.org + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.0.yaml new file mode 100644 index 0000000000..eaf65cb945 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.0.yaml 
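Review bot: The `repos` entry that closes kfctl_ibm.yaml fetches `https://github.com/kubeflow/manifests/archive/master.tar.gz` with `version: master`, a moving branch, so the same KfDef can resolve to different manifests on each build and nothing visible here pins or verifies what is fetched. The other KfDefs added in this commit pin a release tag; I would do the same here, for example `uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz` with `version: v1.0.2`, or an archive URL for a specific commit. Separately, the `istio` application sets `clusterRbacConfig` to `'OFF'` while the kfctl_istio_dex variants use `'ON'`; if that is deliberate, it needs a comment saying what enforces authorization on this platform instead. The file sits under `upstream/` and looks like a vendored copy, so the fix probably belongs in a local override or upstream rather than an in-place edit.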
@@ -0,0 +1,374 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-crds-1-3-1 + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-install-1-3-1 + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/cluster-local-gateway-1-3-1 + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: userid-header + value: kubeflow-userid + - name: oidc_provider + value: http://dex.auth.svc.cluster.local:5556/dex + - name: oidc_redirect_uri + value: /login/oidc + - name: oidc_auth_url + value: /dex/auth + - name: skip_auth_uri + value: /dex + - name: client_id + value: 
kubeflow-oidc-authservice + repoRef: + name: manifests + path: istio/oidc-authservice + name: oidc-authservice + - kustomizeConfig: + overlays: + - istio + parameters: + - name: namespace + value: auth + - name: issuer + value: http://dex.auth.svc.cluster.local:5556/dex + - name: client_id + value: kubeflow-oidc-authservice + - name: oidc_redirect_uris + value: '["/login/oidc"]' + - name: static_email + value: admin@kubeflow.org + - name: static_password_hash + value: $2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO + repoRef: + name: manifests + path: dex-auth/dex-crds + name: dex + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - cert-manager + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests 
+ path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + 
repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.1.yaml new file mode 100644 index 0000000000..62e4561d6d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.1.yaml 
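Review bot: The `dex` application in kfctl_istio_dex.v1.0.0.yaml commits a fixed login: `static_email` is `admin@kubeflow.org` and `static_password_hash` is a literal bcrypt value, and the identical hash recurs in kfctl_istio_dex.v1.0.1.yaml, kfctl_istio_dex.v1.0.2.yaml and kfctl_istio_dex.yaml in this commit. Because the value is the same in every variant and appears to be the stock one shipped upstream, a cluster built from any of these KfDefs unchanged would accept a credential that is not secret. Both parameters should be supplied per deployment from a secret store, with the committed line reduced to a placeholder such as `value: '<bcrypt-hash-set-at-deploy-time>'`, and a check in the deploy pipeline that refuses to apply the placeholder or the upstream hash. The `oidc_provider` and `issuer` URLs also use plain `http://` to `dex.auth.svc.cluster.local:5556`; a comment confirming that mesh mTLS covers that hop would help, since nothing in this file shows it.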
@@ -0,0 +1,374 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-crds-1-3-1 + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-install-1-3-1 + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/cluster-local-gateway-1-3-1 + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: userid-header + value: kubeflow-userid + - name: oidc_provider + value: http://dex.auth.svc.cluster.local:5556/dex + - name: oidc_redirect_uri + value: /login/oidc + - name: oidc_auth_url + value: /dex/auth + - name: skip_auth_uri + value: /dex + - name: client_id + value: 
kubeflow-oidc-authservice + repoRef: + name: manifests + path: istio/oidc-authservice + name: oidc-authservice + - kustomizeConfig: + overlays: + - istio + parameters: + - name: namespace + value: auth + - name: issuer + value: http://dex.auth.svc.cluster.local:5556/dex + - name: client_id + value: kubeflow-oidc-authservice + - name: oidc_redirect_uris + value: '["/login/oidc"]' + - name: static_email + value: admin@kubeflow.org + - name: static_password_hash + value: $2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO + repoRef: + name: manifests + path: dex-auth/dex-crds + name: dex + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - cert-manager + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests 
+ path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + 
repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.2.yaml new file mode 100644 index 0000000000..6a44f5e39e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.v1.0.2.yaml 
@@ -0,0 +1,374 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-crds-1-3-1 + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-install-1-3-1 + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/cluster-local-gateway-1-3-1 + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: userid-header + value: kubeflow-userid + - name: oidc_provider + value: http://dex.auth.svc.cluster.local:5556/dex + - name: oidc_redirect_uri + value: /login/oidc + - name: oidc_auth_url + value: /dex/auth + - name: skip_auth_uri + value: /dex + - name: client_id + value: 
kubeflow-oidc-authservice + repoRef: + name: manifests + path: istio/oidc-authservice + name: oidc-authservice + - kustomizeConfig: + overlays: + - istio + parameters: + - name: namespace + value: auth + - name: issuer + value: http://dex.auth.svc.cluster.local:5556/dex + - name: client_id + value: kubeflow-oidc-authservice + - name: oidc_redirect_uris + value: '["/login/oidc"]' + - name: static_email + value: admin@kubeflow.org + - name: static_password_hash + value: $2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO + repoRef: + name: manifests + path: dex-auth/dex-crds + name: dex + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - cert-manager + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests 
+ path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + 
repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.yaml new file mode 100644 index 0000000000..3904fa8737 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_istio_dex.yaml 
@@ -0,0 +1,373 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-crds-1-3-1 + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-install-1-3-1 + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/cluster-local-gateway-1-3-1 + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'ON' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: userid-header + value: kubeflow-userid + - name: oidc_provider + value: http://dex.auth.svc.cluster.local:5556/dex + - name: oidc_redirect_uri + value: /login/oidc + - name: oidc_auth_url + value: /dex/auth + - name: skip_auth_uri + value: /dex + - name: client_id + value: 
kubeflow-oidc-authservice + repoRef: + name: manifests + path: istio/oidc-authservice + name: oidc-authservice + - kustomizeConfig: + overlays: + - istio + parameters: + - name: namespace + value: auth + - name: issuer + value: http://dex.auth.svc.cluster.local:5556/dex + - name: client_id + value: kubeflow-oidc-authservice + - name: oidc_redirect_uris + value: '["/login/oidc"]' + - name: static_email + value: admin@kubeflow.org + - name: static_password_hash + value: $2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO + repoRef: + name: manifests + path: dex-auth/dex-crds + name: dex + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - cert-manager + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests 
+ path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + 
repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.0.yaml new file mode 100644 index 0000000000..492c8c5502 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.0.yaml 
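Review bot: The `dex` application in `kfctl_istio_dex.yaml` commits a fixed login, `static_email` `admin@kubeflow.org` with a bcrypt `static_password_hash`, so a cluster built from this file unchanged accepts a credential known to anyone who can read the repository. If this is an unmodified copy of the upstream sample, the matching password should be treated as public. I would add a comment above those two parameters such as `# Sample credential only: replace static_email/static_password_hash (or switch to a real Dex connector) before deploying`, and supply the real hash from a secret store rather than from git. The same file sets `issuer` and `oidc_provider` to plain `http://dex.auth.svc.cluster.local:5556/dex`, so OIDC traffic inside the cluster appears to depend on mesh mTLS for confidentiality; that assumption is worth writing down next to the parameter. Its `repos` entry also fetches `archive/master.tar.gz` with no `version`, unlike the sibling file that pins `v1.0.2`; pinning it to a tag or commit, e.g. `uri: https://github.com/kubeflow/manifests/archive/<TAG>.tar.gz`, would keep the deployed manifests reproducible and reviewable.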
@@ -0,0 +1,356 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: 
metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: 
manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + 
repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: johnDoe@acme.com + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.1.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.1.yaml new file mode 100644 index 0000000000..2d19f1223e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.1.yaml 
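Review bot: `kfctl_k8s_istio.v1.0.0.yaml` sets `clusterRbacConfig` to `'OFF'` and installs `istio/add-anonymous-user-filter`, which together suggest this profile runs with no per-user authentication and no Istio RBAC, though the filter's manifest is not visible in this hunk. If so, the ingress gateway of a cluster built from it should not be reachable from untrusted networks, and a header comment would make that explicit, e.g. `# No authentication or mesh RBAC in this profile: keep the ingress gateway private`. The `profiles` application also keeps the placeholder `admin` value `johnDoe@acme.com`, and `spartakus` has `reportUsage: 'true'` with an empty `usageId`; both should be set deliberately rather than inherited. The same settings recur in the `v1.0.1` and `v1.0.2` hunks, and the first two also appear in the unversioned `kfctl_k8s_istio.yaml`, whose hunk continues past the visible text.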
@@ -0,0 +1,356 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: 
metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: 
manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + 
repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: johnDoe@acme.com + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.2.yaml new file mode 100644 index 0000000000..49c24a0fe5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.v1.0.2.yaml 
@@ -0,0 +1,356 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/kfserving-gateway + name: kfserving-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: 
metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: 
manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + 
repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: johnDoe@acme.com + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.yaml new file mode 100644 index 0000000000..6c8494fc72 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_k8s_istio.yaml 
@@ -0,0 +1,348 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: 'OFF' + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: 
manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: 
kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: 'true' + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: 
manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: johnDoe@acme.com + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.0.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.0.yaml new file mode 100644 index 0000000000..0ea13240ba --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.0.yaml @@ -0,0 +1,14 @@ +apiVersion: kfupgrade.apps.kubeflow.org/v1alpha1 +kind: KfUpgrade +metadata: + name: kf-upgrade-v1.0.0 +spec: + currentKfDef: + # Replace with the name of your Kubeflow app + name: kubeflow-app + version: v0.7.1 + newKfDef: + # Replace with the name of your kubeflow app + name: kubeflow-app + version: v0.1.0 + baseConfigPath: https://raw.githubusercontent.com/kubeflow/manifests/v1.0-branch/kfdef/kfctl_gcp_iap.v1.0.0.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.2.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.2.yaml new file mode 100644 index 0000000000..be462a5934 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/kfctl_upgrade_gcp_iap_1.0.2.yaml 
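Review bot: The `repos` entry at the end of kfctl_k8s_istio.yaml fetches `https://github.com/kubeflow/manifests/archive/master.tar.gz` with `version: master`, so each build resolves to whatever upstream `master` holds at that moment and nothing ties the deployed manifests to reviewed content. The preceding spec in this patch pins `archive/v1.0.2.tar.gz`; this file should likewise name a release tag or commit archive, e.g. `uri: https://github.com/kubeflow/manifests/archive/<TAG_OR_COMMIT>.tar.gz` with a matching `version:`. The same unpinned reference appears in kfctl_anthos.yaml, kfctl_aws.yaml and kfctl_aws_cognito.yaml under source/master. The two KfUpgrade specs take `baseConfigPath` from the `v1.0-branch` branch, which is mutable in the same way.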
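Review bot: In kfctl_upgrade_gcp_iap_1.0.0.yaml, `newKfDef.version` is `v0.1.0`, which matches neither the resource name `kf-upgrade-v1.0.0` nor the `kfctl_gcp_iap.v1.0.0.yaml` base config, and is lower than the `currentKfDef` version `v0.7.1`. This looks like a transposition of `v1.0.0`; the sibling kfctl_upgrade_gcp_iap_1.0.2.yaml goes from `v1.0.0` to `v1.0.2` consistently. Suggested line: `version: v1.0.0`. If the value is intentional, a comment saying what the field is compared against would help.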
@@ -0,0 +1,14 @@
+apiVersion: kfupgrade.apps.kubeflow.org/v1alpha1
+kind: KfUpgrade
+metadata:
+ name: kf-upgrade-v1.0.2
+spec:
+ currentKfDef:
+ # Replace with the name of your Kubeflow app
+ name: kubeflow-app
+ version: v1.0.0
+ newKfDef:
+ # Replace with the name of your kubeflow app
+ name: kubeflow-app
+ version: v1.0.2
+ baseConfigPath: https://raw.githubusercontent.com/kubeflow/manifests/v1.0-branch/kfdef/kfctl_gcp_iap.v1.0.2.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/README.md
new file mode 100644
index 0000000000..bcaade963b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/README.md
@@ -0,0 +1,16 @@
+This directory contains kustomization packages that are used to generate the YAML specs for the KFDef.
+
+The script `hack/build_kfdef_specs.py` is used to run kustomize and output the YAML files.
+
+## Subdirectories
+
+Each sub-directory corresponds to a kustomize package corresponding to a different release
+of Kubeflow.
+
+* **master**: This is the base kustomization package
+ * In general when adding new applications or making other KFDef specs that should be carried throughout
+ future versions you would make here
+
+* **vX.Y.Z**: This is the kustomization package for Kubeflow release x.y.x. It will
+ typically reference another version as its base and define patches to apply the appropriate
+ modifications.
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_anthos.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_anthos.yaml
new file mode 100644
index 0000000000..783d0f076f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_anthos.yaml
@@ -0,0 +1,325 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. + +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-anthos +spec: + applications: + # This component is the istio resources for Kubeflow (e.g. gateway), not about installing istio. + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: "OFF" + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: 
admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: "true" + repoRef: + name: manifests + path: common/spartakus + 
name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: 
userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + # An example uri that uses a PR version of the manifest repo. + # uri: https://github.com/kubeflow/manifests/archive/pull/PR_NUMBER/head.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws.yaml new file mode 100644 index 0000000000..772a26250b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws.yaml 
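Review bot: In the `profiles` application of kfctl_anthos.yaml the `admin` parameter is listed as `- name: admin` with no `value`, while the k8s_istio spec sets one explicitly, so it is unclear who ends up as profile admin when this config is applied as written. The same file has centraldashboard, jupyter-web-app and profiles read identity from `X-Goog-Authenticated-User-Email`. That header is only meaningful when every request reaches these services through the authenticating proxy that sets it, which is worth stating next to the parameter. I would add `# Required: set value to the admin's email before applying` above `- name: admin`, and `# Only trustworthy when the ingress in front of these services sets this header` on the first `userid-header` entry.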
@@ -0,0 +1,386 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-aws +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: "OFF" + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: 
manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + - aws + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: 
+ - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: "true" + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - 
kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator + name: mpi-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: clusterName + value: kubeflow-aws + repoRef: + name: manifests + path: aws/aws-alb-ingress-controller + name: aws-alb-ingress-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: aws/nvidia-device-plugin + name: nvidia-device-plugin + plugins: + - kind: KfAwsPlugin + metadata: + name: aws + spec: + auth: + basicAuth: + password: + name: password + username: admin + region: us-west-2 + roles: + - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxxxx + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws_cognito.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws_cognito.yaml new file mode 100644 index 0000000000..343269e8fc --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_aws_cognito.yaml 
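Review bot: kfctl_aws.yaml sets `clusterRbacConfig` to `"OFF"` for `istio/istio` while its `KfAwsPlugin` block configures `basicAuth` with the fixed `username: admin`; the Cognito variant added in the same patch sets the parameter to `"ON"`. Going by the parameter name, Istio authorization is disabled in the variant with the weaker login, so one shared credential would be the only gate in front of every service; the hunk alone does not confirm those semantics. Either set `value: "ON"` here as well or add a comment explaining why it is off, e.g. `# Istio RBAC disabled: basic-auth deployments have a single user`. A comment that `username` should be changed from the default before deployment would also help.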
@@ -0,0 +1,413 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-aws-cognito +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: "ON" + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid 
+ repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + - aws + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - 
kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: "true" + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application 
+ repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: mpi-job/mpi-operator + name: mpi-operator + - kustomizeConfig: + overlays: + - cognito + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: aws/istio-ingress + name: istio-ingress + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: origin-header + value: x-amzn-oidc-data + - name: custom-header + value: kubeflow-userid + repoRef: + name: manifests + path: aws/aws-istio-authz-adaptor + name: aws-istio-authz-adaptor + - kustomizeConfig: + overlays: + - application + parameters: + - name: clusterName + value: kubeflow-aws + repoRef: + name: manifests + path: aws/aws-alb-ingress-controller + name: aws-alb-ingress-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: aws/nvidia-device-plugin + name: nvidia-device-plugin + plugins: + - kind: KfAwsPlugin + metadata: + name: aws + spec: + auth: + cognito: + certArn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxxxxxxxx-xxxx + cognitoAppClientId: xxxxxbxxxxxx + cognitoUserPoolArn: arn:aws:cognito-idp:us-west-2:xxxxx:userpool/us-west-2_xxxxxx + cognitoUserPoolDomain: your-user-pool + region: us-west-2 + roles: + - eksctl-kubeflow-aws-nodegroup-ng-a2-NodeInstanceRole-xxxxx + repos: + - name: manifests + uri: 
https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_basic_auth.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_basic_auth.yaml new file mode 100644 index 0000000000..a1218cfcda --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_basic_auth.yaml 
@@ -0,0 +1,445 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-gcp-basic-auth +spec: + applications: + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: "OFF" + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: 
manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: "true" + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - 
application + parameters: + - name: usageId + value: "2700513155662330975" + - name: reportUsage + value: "true" + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + 
repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: ipName + value: ipName + - name: hostname + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + # email will be auto-filled. + # value: SET_EMAIL + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: ambassadorServiceType + value: NodePort + - name: namespace + value: istio-system + repoRef: + name: manifests + path: common/ambassador + name: ambassador + - kustomizeConfig: + repoRef: + name: manifests + path: common/basic-auth + name: basic-auth + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + - name: ipName + # ipName will be auto-filled based on app name if not set. + # value: test1-ip + - name: hostname + # hostname will be auto-filled if not set. + # value: .endpoints..cloud.goog + - name: project + # Project will be auto-filled. 
+ # value: SET_PROJECT + - name: ingressName + value: envoy-ingress + - name: issuer + value: letsencrypt-prod + repoRef: + name: manifests + path: gcp/basic-auth-ingress + name: basic-auth-ingress + - kustomizeConfig: + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: true + # email should be set the google account of the person setting up Kubeflow. + # If its not set kfctl generate will try to set it automatically based on the default + # gcloud config + # email: + # + # Project should be set to the GCP project you want to use. + # If you run kfctl init --config=/kfctl_gcp_iap.yaml + # kfctl will try to automatically set it. + # project: + # + # User can specify which zone to deploy to. If not set, will try to auto-fill + # this field based on default config in gcloud. + # zone: us-east1-d + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_iap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_iap.yaml new file mode 100644 index 0000000000..eb49b15c00 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_gcp_iap.yaml 
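Review bot: The `repos` entry that closes kfctl_gcp_basic_auth.yaml fetches `https://github.com/kubeflow/manifests/archive/master.tar.gz` with `version: master`, a mutable branch tarball with no digest. What gets deployed therefore changes whenever upstream master moves, and it cannot be reproduced or audited from this commit. The same entry closes the kfctl_gcp_iap.yaml, kfctl_ibm.yaml and kfctl_istio_dex.yaml hunks (the last one has no `version` key at all). Pinning to an immutable ref, e.g. `uri: https://github.com/kubeflow/manifests/archive/<COMMIT_SHA_PLACEHOLDER>.tar.gz`, would fix the input. If these files are a vendored upstream copy, as the `upstream/` path suggests, the pin belongs in the step that syncs them.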
@@ -0,0 +1,452 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + # kustomize requires a name. + name: kfctl-gcp-iap +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: namespaces + name: namespaces + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: "ON" + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests 
+ path: argo + name: argo + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - application + parameters: + - name: webhookNamePrefix + value: admission-webhook- + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: injectGcpCredentials + value: "true" + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests 
+ path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: "7439583937720421527" + - name: reportUsage + value: "true" + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - minioPd + - application + parameters: + - name: minioPd + value: test1-storage-artifact-store + - name: minioPvName + value: minio-pv + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - mysqlPd + - application + parameters: + - name: mysqlPd + value: test1-storage-metadata-store + - name: mysqlPvName + value: mysql-pv + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + 
path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - gcp + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + - use-kf-user + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/cloud-endpoints + name: cloud-endpoints + - kustomizeConfig: + overlays: + - application + - istio + parameters: + # kfctl will set admin to current user account that deploying kubeflow + - name: admin + # value: SET_EMAIL + - name: userid-header + value: X-Goog-Authenticated-User-Email + - name: userid-prefix + value: 'accounts.google.com:' + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: gcp/gpu-driver + name: gpu-driver + - kustomizeConfig: + overlays: + - managed-cert + - application + parameters: + - name: namespace + value: istio-system + # email will be auto-filled. + - name: ipName + value: test1-ip + - name: hostname + # The value of hostname should be the DNS address for ingress. + # This will be set automatically during kfctl generate. 
+ # value: test1.endpoints.SET_PROJECT.cloud.goog + repoRef: + name: manifests + path: gcp/iap-ingress + name: iap-ingress + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + - kustomizeConfig: + parameters: + - name: user + # kfctl will set user to current user account that deploying kubeflow + # value: SET_EMAIL + - name: profile-name + # kfctl might overwrite profile name + value: anonymous + repoRef: + name: manifests + path: default-install + name: default-install + plugins: + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: false + # email should be set the google account of the person setting up Kubeflow. + # If its not set kfctl generate will try to set it automatically based on the default + # gcloud config + # email: + # + # Project should be set to the GCP project you want to use. + # If you run kfctl init --config=/kfctl_gcp_iap.yaml + # kfctl will try to automatically set it. + # project: + # + # User can specify which zone to deploy to. If not set, will try to auto-fill + # this field based on default config in gcloud. + # zone: us-east1-d + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_ibm.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_ibm.yaml new file mode 100644 index 0000000000..0387f8b9fe --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_ibm.yaml 
@@ -0,0 +1,357 @@ +# This is the config to install Kubeflow on an existing IBM Cloud Kubernetes cluster. +# If the cluster already has istio, comment out the istio install part below. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-ibm +spec: + applications: + # Istio install. If not needed, comment out istio-crds and istio-install. + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-crds + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/istio-install + name: istio-install + # This component is the istio resources for Kubeflow (e.g. gateway), not about installing istio. + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/cluster-local-gateway + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: "OFF" + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio/add-anonymous-user-filter + name: add-anonymous-user-filter + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: 
cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller + name: metacontroller + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: containerRuntimeExecutor + value: pns + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/bootstrap + name: bootstrap + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - ibm-storage-config + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - 
kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: "true" + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + - ibm-storage-config + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - 
application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: admin + value: example@kubeflow.org + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_istio_dex.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_istio_dex.yaml new file mode 100644 index 0000000000..588701651f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_istio_dex.yaml 
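Review bot: kfctl_ibm.yaml sets `clusterRbacConfig` to `"OFF"` and installs `istio/add-anonymous-user-filter`, and no authentication component (IAP, Dex, basic-auth) appears in its application list. By the look of it, every request reaches Kubeflow under one shared identity, though the filter's behaviour is inferred from its name and should be confirmed. The file's header comment does not mention this; a line such as `# No authentication is configured: keep the ingress gateway off untrusted networks.` would make it explicit. The kfctl_k8s_istio.yaml hunk that follows uses the same pair of settings, but it continues past the visible lines. Separately, the spartakus `usageId` here has a bare `value:`, which parses as null while `reportUsage` is `"true"`.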
@@ -0,0 +1,377 @@ +# This is the config to install Kubeflow on an existing K8s cluster, with support +# for multi-user and LDAP auth using Dex. + +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-istio-dex +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: application/application-crds + name: application-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: application/application + name: application + # Istio install. If not needed, comment out istio-crds and istio-install. + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-crds-1-3-1 + name: istio-crds + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/istio-install-1-3-1 + name: istio-install + - kustomizeConfig: + parameters: + - name: namespace + value: istio-system + repoRef: + name: manifests + path: istio-1-3-1/cluster-local-gateway-1-3-1 + name: cluster-local-gateway + - kustomizeConfig: + parameters: + - name: clusterRbacConfig + value: "ON" + repoRef: + name: manifests + path: istio/istio + name: istio + - kustomizeConfig: + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager-crds + name: cert-manager-crds + - kustomizeConfig: + parameters: + - name: namespace + value: kube-system + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources + name: cert-manager-kube-system-resources + - kustomizeConfig: + overlays: + - self-signed + - application + parameters: + - name: namespace + value: cert-manager + repoRef: + name: manifests + path: cert-manager/cert-manager + name: cert-manager + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: istio-system + - name: userid-header + value: kubeflow-userid + - name: oidc_provider + value: 
http://dex.auth.svc.cluster.local:5556/dex + - name: oidc_redirect_uri + value: /login/oidc + - name: oidc_auth_url + value: /dex/auth + - name: skip_auth_uri + value: /dex + - name: client_id + value: kubeflow-oidc-authservice + repoRef: + name: manifests + path: istio/oidc-authservice + name: oidc-authservice + - kustomizeConfig: + overlays: + - istio + parameters: + - name: namespace + value: auth + - name: issuer + value: http://dex.auth.svc.cluster.local:5556/dex + - name: client_id + value: kubeflow-oidc-authservice + - name: oidc_redirect_uris + value: '["/login/oidc"]' + - name: static_email + value: admin@kubeflow.org + - name: static_password_hash + value: $2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO + repoRef: + name: manifests + path: dex-auth/dex-crds + name: dex + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: argo + name: argo + - kustomizeConfig: + repoRef: + name: manifests + path: kubeflow-roles + name: kubeflow-roles + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: common/centraldashboard + name: centraldashboard + - kustomizeConfig: + overlays: + - cert-manager + - application + repoRef: + name: manifests + path: admission-webhook/webhook + name: webhook + - kustomizeConfig: + overlays: + - istio + - application + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: jupyter/jupyter-web-app + name: jupyter-web-app + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: spark/spark-operator + name: spark-operator + - kustomizeConfig: + overlays: + - istio + - application + - db + repoRef: + name: manifests + path: metadata + name: metadata + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: jupyter/notebook-controller + name: notebook-controller + - 
kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-job-crds + name: pytorch-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pytorch-job/pytorch-operator + name: pytorch-operator + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-crds + name: knative-crds + - kustomizeConfig: + overlays: + - application + parameters: + - name: namespace + value: knative-serving + repoRef: + name: manifests + path: knative/knative-serving-install + name: knative-install + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-crds + name: kfserving-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: kfserving/kfserving-install + name: kfserving-install + - kustomizeConfig: + overlays: + - application + parameters: + - name: usageId + value: + - name: reportUsage + value: "true" + repoRef: + name: manifests + path: common/spartakus + name: spartakus + - kustomizeConfig: + overlays: + - istio + repoRef: + name: manifests + path: tensorboard + name: tensorboard + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-crds + name: tf-job-crds + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: tf-training/tf-job-operator + name: tf-job-operator + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: katib/katib-crds + name: katib-crds + - kustomizeConfig: + overlays: + - application + - istio + repoRef: + name: manifests + path: katib/katib-controller + name: katib-controller + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/api-service + name: api-service + - kustomizeConfig: + overlays: + - application + parameters: + - name: 
minioPvcName + value: minio-pv-claim + repoRef: + name: manifests + path: pipeline/minio + name: minio + - kustomizeConfig: + overlays: + - application + parameters: + - name: mysqlPvcName + value: mysql-pv-claim + repoRef: + name: manifests + path: pipeline/mysql + name: mysql + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/persistent-agent + name: persistent-agent + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-runner + name: pipelines-runner + - kustomizeConfig: + overlays: + - istio + - application + repoRef: + name: manifests + path: pipeline/pipelines-ui + name: pipelines-ui + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipelines-viewer + name: pipelines-viewer + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/scheduledworkflow + name: scheduledworkflow + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: pipeline/pipeline-visualization-service + name: pipeline-visualization-service + - kustomizeConfig: + overlays: + - application + - istio + parameters: + - name: userid-header + value: kubeflow-userid + repoRef: + name: manifests + path: profiles + name: profiles + - kustomizeConfig: + overlays: + - application + repoRef: + name: manifests + path: seldon/seldon-core-operator + name: seldon-core-operator + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/master.tar.gz diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_k8s_istio.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_k8s_istio.yaml new file mode 100644 index 0000000000..6f1762a779 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kfctl_k8s_istio.yaml 
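Review bot: The `dex` application in kfctl_istio_dex.yaml commits a login as plain parameters: `static_email` is `admin@kubeflow.org` and `static_password_hash` is a literal bcrypt hash. Every cluster built from this file starts with the same account, and a hash published in the repository can be guessed against offline. The hash should be generated per deployment and supplied from a secret rather than the KfDef, leaving only a placeholder here such as `value: <BCRYPT_HASH_SET_AT_DEPLOY_TIME>`. Separately, `oidc_provider` and `issuer` both point at `http://dex.auth.svc.cluster.local:5556/dex`, so the OIDC exchange presumably relies on the mesh for transport protection. It is worth confirming that mTLS covers the `auth` namespace.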
@@ -0,0 +1,353 @@
+# This is the config to install Kubeflow on an existing k8s cluster.
+# If the cluster already has istio, comment out the istio install part below.
+
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ name: kfctl-k8s-istio
+spec:
+ applications:
+ # Istio install. If not needed, comment out istio-crds and istio-install.
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: istio-system
+ repoRef:
+ name: manifests
+ path: istio/istio-crds
+ name: istio-crds
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: istio-system
+ repoRef:
+ name: manifests
+ path: istio/istio-install
+ name: istio-install
+ # This component is the istio resources for Kubeflow (e.g. gateway), not about installing istio.
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: istio-system
+ repoRef:
+ name: manifests
+ path: istio/cluster-local-gateway
+ name: cluster-local-gateway
+ - kustomizeConfig:
+ parameters:
+ - name: clusterRbacConfig
+ value: "OFF"
+ repoRef:
+ name: manifests
+ path: istio/istio
+ name: istio
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: istio-system
+ repoRef:
+ name: manifests
+ path: istio/add-anonymous-user-filter
+ name: add-anonymous-user-filter
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: application/application-crds
+ name: application-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: application/application
+ name: application
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-crds
+ name: cert-manager-crds
+ - kustomizeConfig:
+ parameters:
+ - name: namespace
+ value: kube-system
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager-kube-system-resources
+ name: cert-manager-kube-system-resources
+ - kustomizeConfig:
+ overlays:
+ - self-signed
+ - application
+ parameters:
+ - name: namespace
+ value: cert-manager
+ repoRef:
+ name: manifests
+ path: cert-manager/cert-manager
+ name: cert-manager
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: metacontroller
+ name: metacontroller
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: argo
+ name: argo
+ - kustomizeConfig:
+ repoRef:
+ name: manifests
+ path: kubeflow-roles
+ name: kubeflow-roles
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: common/centraldashboard
+ name: centraldashboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/bootstrap
+ name: bootstrap
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: admission-webhook/webhook
+ name: webhook
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ parameters:
+ - name: userid-header
+ value: kubeflow-userid
+ repoRef:
+ name: manifests
+ path: jupyter/jupyter-web-app
+ name: jupyter-web-app
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: spark/spark-operator
+ name: spark-operator
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ - db
+ repoRef:
+ name: manifests
+ path: metadata
+ name: metadata
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: jupyter/notebook-controller
+ name: notebook-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-job-crds
+ name: pytorch-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pytorch-job/pytorch-operator
+ name: pytorch-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-crds
+ name: knative-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: namespace
+ value: knative-serving
+ repoRef:
+ name: manifests
+ path: knative/knative-serving-install
+ name: knative-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-crds
+ name: kfserving-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: kfserving/kfserving-install
+ name: kfserving-install
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: usageId
+ value:
+ - name: reportUsage
+ value: "true"
+ repoRef:
+ name: manifests
+ path: common/spartakus
+ name: spartakus
+ - kustomizeConfig:
+ overlays:
+ - istio
+ repoRef:
+ name: manifests
+ path: tensorboard
+ name: tensorboard
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-crds
+ name: tf-job-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: tf-training/tf-job-operator
+ name: tf-job-operator
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: katib/katib-crds
+ name: katib-crds
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ repoRef:
+ name: manifests
+ path: katib/katib-controller
+ name: katib-controller
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/api-service
+ name: api-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: minioPvcName
+ value: minio-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/minio
+ name: minio
+ - kustomizeConfig:
+ overlays:
+ - application
+ parameters:
+ - name: mysqlPvcName
+ value: mysql-pv-claim
+ repoRef:
+ name: manifests
+ path: pipeline/mysql
+ name: mysql
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/persistent-agent
+ name: persistent-agent
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-runner
+ name: pipelines-runner
+ - kustomizeConfig:
+ overlays:
+ - istio
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-ui
+ name: pipelines-ui
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipelines-viewer
+ name: pipelines-viewer
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/scheduledworkflow
+ name: scheduledworkflow
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: pipeline/pipeline-visualization-service
+ name: pipeline-visualization-service
+ - kustomizeConfig:
+ overlays:
+ - application
+ - istio
+ parameters:
+ - name: admin
+ value: johnDoe@acme.com
+ repoRef:
+ name: manifests
+ path: profiles
+ name: profiles
+ - kustomizeConfig:
+ overlays:
+ - application
+ repoRef:
+ name: manifests
+ path: seldon/seldon-core-operator
+ name: seldon-core-operator
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/master.tar.gz
+ version: master
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kustomization.yaml
new file mode 100644
index 0000000000..9c233c9d7e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/master/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- kfctl_anthos.yaml
+- kfctl_aws.yaml
+- kfctl_aws_cognito.yaml
+- kfctl_gcp_iap.yaml
+- kfctl_gcp_basic_auth.yaml
+- kfctl_ibm.yaml
+- kfctl_istio_dex.yaml
+- kfctl_k8s_istio.yaml
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_anthos.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_anthos.yaml
new file mode 100644
index 0000000000..24c6a15f28
--- /dev/null
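Review bot: The `repos` entry that closes the `master/kfctl_k8s_istio.yaml` KfDef pulls `https://github.com/kubeflow/manifests/archive/master.tar.gz` with `version: master`, a moving branch archive with no digest, so two builds of the same commit can deploy different manifests; pin it to a tag or commit archive, e.g. `uri: https://github.com/kubeflow/manifests/archive/<commit-sha>.tar.gz`. Earlier in the same hunk the `istio` application sets `clusterRbacConfig` to `"OFF"` and `add-anonymous-user-filter` is installed; judging by the names alone (the referenced manifests are not in this hunk), that leaves mesh authorization disabled and requests attributed to one anonymous user, which should be stated in a comment next to those entries or changed before the config is used for a shared cluster. The `profiles` entry also keeps the sample `admin` value `johnDoe@acme.com`, which should be replaced with a real owner rather than applied as is.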
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_anthos.yaml
@@ -0,0 +1,13 @@
+# This is the config to install Kubeflow on an Anthos.
+# The cluster comes with customized Istio installation.
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ name: kfctl-anthos
+spec:
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0-branch.tar.gz
+ # To get manifest at a PR:
+ #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz
+ version: v1.0.0
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws.yaml
new file mode 100644
index 0000000000..f2b116b1fb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws.yaml
@@ -0,0 +1,13 @@
+# This is the config to install Kubeflow on an Anthos.
+# The cluster comes with customized Istio installation.
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+ name: kfctl-aws
+spec:
+ repos:
+ - name: manifests
+ uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz
+ # To get manifest at a PR:
+ #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz
+ version: v1.0.0
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws_cognito.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws_cognito.yaml
new file mode 100644
index 0000000000..68558e2b9c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_aws_cognito.yaml
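Review bot: `v1.0.0/kfctl_anthos.yaml` declares `version: v1.0.0` but its `uri` points at `archive/v1.0-branch.tar.gz`, a branch archive, whereas the sibling v1.0.0 files fetch the tag archive `v1.0.0.tar.gz`. A branch keeps moving, so the manifests that get fetched can drift away from the version the file claims to install. I would change the line to `uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz`. The `v1.0.1/kfctl_anthos.yaml` patch has the same mismatch (`v1.0-branch.tar.gz` with `version: v1.0.1`), while the `v1.0.2` one already uses the tag archive.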
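Review bot: The two-line header comment in `v1.0.0/kfctl_aws.yaml` reads `# This is the config to install Kubeflow on an Anthos.` and `# The cluster comes with customized Istio installation.`, which describes the Anthos file rather than this one. I would replace the first line with `# This is the config to install Kubeflow on AWS.` and drop the Istio line unless it actually holds for this target. The same copied header appears in the `kfctl_aws_cognito.yaml`, `kfctl_ibm.yaml` and `kfctl_k8s_istio.yaml` patches under `v1.0.0`, `v1.0.1` and `v1.0.2`, so someone choosing a platform config from the header would be misled in each of them.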
@@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-aws-cognito +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_basic_auth.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_basic_auth.yaml new file mode 100644 index 0000000000..b70b0055eb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_basic_auth.yaml @@ -0,0 +1,13 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-gcp-basic-auth +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.0 + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_iap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_iap.yaml new file mode 100644 index 0000000000..28e14f1f38 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_gcp_iap.yaml @@ -0,0 +1,12 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-gcp-iap +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.0 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_ibm.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_ibm.yaml new file mode 100644 index 0000000000..8a92de93db --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_ibm.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-ibm +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_istio_dex.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_istio_dex.yaml new file mode 100644 index 0000000000..42163f492d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_istio_dex.yaml @@ -0,0 +1,14 @@ +# This is the config to install Kubeflow on an existing K8s cluster, with support +# for multi-user and LDAP auth using Dex. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-istio-dex + namespace: kubeflow +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_k8s_istio.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_k8s_istio.yaml new file mode 100644 index 0000000000..f3c2039c49 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kfctl_k8s_istio.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-k8s-istio +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.0.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kustomization.yaml new file mode 100644 index 0000000000..b65186a4a2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.0/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +bases: + - ../master +patchesStrategicMerge: +- kfctl_anthos.yaml +- kfctl_aws.yaml +- kfctl_aws_cognito.yaml +- kfctl_gcp_iap.yaml +- kfctl_gcp_basic_auth.yaml +- kfctl_ibm.yaml +- kfctl_istio_dex.yaml +- kfctl_k8s_istio.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_anthos.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_anthos.yaml new file mode 100644 index 0000000000..e8f949f46f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_anthos.yaml 
@@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-anthos +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0-branch.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws.yaml new file mode 100644 index 0000000000..8aaf2db89c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-aws +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws_cognito.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws_cognito.yaml new file mode 100644 index 0000000000..0fdd958fbe --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_aws_cognito.yaml 
@@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-aws-cognito +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_basic_auth.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_basic_auth.yaml new file mode 100644 index 0000000000..c85331da79 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_basic_auth.yaml @@ -0,0 +1,13 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-gcp-basic-auth +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_iap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_iap.yaml new file mode 100644 index 0000000000..2438f5c777 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_gcp_iap.yaml @@ -0,0 +1,12 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-gcp-iap +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_ibm.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_ibm.yaml new file mode 100644 index 0000000000..07a5505a39 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_ibm.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-ibm +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_istio_dex.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_istio_dex.yaml new file mode 100644 index 0000000000..762d7682dd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_istio_dex.yaml @@ -0,0 +1,14 @@ +# This is the config to install Kubeflow on an existing K8s cluster, with support +# for multi-user and LDAP auth using Dex. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-istio-dex + namespace: kubeflow +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_k8s_istio.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_k8s_istio.yaml new file mode 100644 index 0000000000..d3fe13b576 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kfctl_k8s_istio.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-k8s-istio +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.1.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kustomization.yaml new file mode 100644 index 0000000000..b65186a4a2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.1/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +bases: + - ../master +patchesStrategicMerge: +- kfctl_anthos.yaml +- kfctl_aws.yaml +- kfctl_aws_cognito.yaml +- kfctl_gcp_iap.yaml +- kfctl_gcp_basic_auth.yaml +- kfctl_ibm.yaml +- kfctl_istio_dex.yaml +- kfctl_k8s_istio.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_anthos.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_anthos.yaml new file mode 100644 index 0000000000..b630ad8de0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_anthos.yaml 
@@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-anthos +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws.yaml new file mode 100644 index 0000000000..a149464e6d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-aws +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws_cognito.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws_cognito.yaml new file mode 100644 index 0000000000..f86d014a9c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_aws_cognito.yaml 
@@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-aws-cognito +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_basic_auth.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_basic_auth.yaml new file mode 100644 index 0000000000..3dc96cffd2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_basic_auth.yaml @@ -0,0 +1,13 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-gcp-basic-auth +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_iap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_iap.yaml new file mode 100644 index 0000000000..a83f23150a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_gcp_iap.yaml @@ -0,0 +1,12 @@ +# Please set project and email! +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-gcp-iap +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_ibm.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_ibm.yaml new file mode 100644 index 0000000000..80b7122a68 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_ibm.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-ibm +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_istio_dex.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_istio_dex.yaml new file mode 100644 index 0000000000..13e753fa73 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_istio_dex.yaml @@ -0,0 +1,14 @@ +# This is the config to install Kubeflow on an existing K8s cluster, with support +# for multi-user and LDAP auth using Dex. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-istio-dex + namespace: kubeflow +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_k8s_istio.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_k8s_istio.yaml new file mode 100644 index 0000000000..81b5ec7fd7 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kfctl_k8s_istio.yaml @@ -0,0 +1,13 @@ +# This is the config to install Kubeflow on an Anthos. +# The cluster comes with customized Istio installation. +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: kfctl-k8s-istio +spec: + repos: + - name: manifests + uri: https://github.com/kubeflow/manifests/archive/v1.0.2.tar.gz + # To get manifest at a PR: + #uri: https://github.com/kubeflow/manifests/archive/pull/235/head.tar.gz + version: v1.0.2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kustomization.yaml new file mode 100644 index 0000000000..b65186a4a2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfdef/source/v1.0.2/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +bases: + - ../master +patchesStrategicMerge: +- kfctl_anthos.yaml +- kfctl_aws.yaml +- kfctl_aws_cognito.yaml +- kfctl_gcp_iap.yaml +- kfctl_gcp_basic_auth.yaml +- kfctl_ibm.yaml +- kfctl_istio_dex.yaml +- kfctl_k8s_istio.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/crd.yaml new file mode 100644 index 0000000000..e5563d8881 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/crd.yaml 
@@ -0,0 +1,607 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: inferenceservices.serving.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.url + name: URL + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.traffic + name: Default Traffic + type: integer + - JSONPath: .status.canaryTraffic + name: Canary Traffic + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: serving.kubeflow.org + names: + kind: InferenceService + plural: inferenceservices + shortNames: + - inferenceservice + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + canary: + description: Canary defines an alternate endpoints to route a percentage + of traffic. + properties: + explainer: + description: Explainer defines the model explanation service spec, + explainer service calls to predictor or transformer if it is specified. 
+ properties: + alibi: + description: Spec for alibi explainer + properties: + config: + description: Inline custom parameter settings for explainer + type: object + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Defaults to latest Alibi Version + type: string + storageUri: + description: The location of a trained explanation model + type: string + type: + description: The type of Alibi explainer + type: string + required: + - type + type: object + custom: + description: Spec for a custom explainer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + predictor: + description: Predictor defines the model serving spec +required + properties: + custom: + description: Spec for a custom predictor + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + 
onnx: + description: Spec for ONNX runtime (https://github.com/microsoft/onnxruntime) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + pytorch: + description: Spec for PyTorch predictor + properties: + modelClassName: + description: Defaults PyTorch model class name to 'PyTorchModel' + type: string + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + sklearn: + description: Spec for SKLearn predictor + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorflow: + description: Spec for Tensorflow Serving (https://github.com/tensorflow/serving) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map. 
+ type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorrt: + description: Spec for TensorRT Inference Server (https://github.com/NVIDIA/tensorrt-inference-server) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + xgboost: + description: Spec for XGBoost predictor + properties: + nthread: + description: Number of thread to be used by XGBoost + format: int64 + type: integer + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + type: object + transformer: + description: Transformer defines the pre/post processing before + and after the predictor call, transformer service calls to predictor + service. 
+ properties: + custom: + description: Spec for a custom transformer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + required: + - predictor + type: object + canaryTrafficPercent: + description: CanaryTrafficPercent defines the percentage of traffic + going to canary InferenceService endpoints + format: int64 + type: integer + default: + description: Default defines default InferenceService endpoints +required + properties: + explainer: + description: Explainer defines the model explanation service spec, + explainer service calls to predictor or transformer if it is specified. + properties: + alibi: + description: Spec for alibi explainer + properties: + config: + description: Inline custom parameter settings for explainer + type: object + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. 
+ type: object + runtimeVersion: + description: Defaults to latest Alibi Version + type: string + storageUri: + description: The location of a trained explanation model + type: string + type: + description: The type of Alibi explainer + type: string + required: + - type + type: object + custom: + description: Spec for a custom explainer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + predictor: + description: Predictor defines the model serving spec +required + properties: + custom: + description: Spec for a custom predictor + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + onnx: + description: Spec for ONNX runtime (https://github.com/microsoft/onnxruntime) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. 
+ type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + pytorch: + description: Spec for PyTorch predictor + properties: + modelClassName: + description: Defaults PyTorch model class name to 'PyTorchModel' + type: string + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + sklearn: + description: Spec for SKLearn predictor + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorflow: + description: Spec for Tensorflow Serving (https://github.com/tensorflow/serving) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map. + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorrt: + description: Spec for TensorRT Inference Server (https://github.com/NVIDIA/tensorrt-inference-server) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. 
+ type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + xgboost: + description: Spec for XGBoost predictor + properties: + nthread: + description: Number of thread to be used by XGBoost + format: int64 + type: integer + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + type: object + transformer: + description: Transformer defines the pre/post processing before + and after the predictor call, transformer service calls to predictor + service. + properties: + custom: + description: Spec for a custom transformer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + required: + - predictor + type: object + required: + - default + type: object + status: + properties: + canary: + description: Statuses for the canary endpoints of the InferenceService + type: object + canaryTraffic: + description: Traffic percentage that goes to canary services + 
format: int64 + type: integer + conditions: + description: Conditions the latest available observations of a resource's + current state. +patchMergeKey=type +patchStrategy=merge + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. We use VolatileTime + in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type + of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + +required + type: string + type: + description: Type of condition. +required + type: string + required: + - type + - status + type: object + type: array + default: + description: Statuses for the default endpoints of the InferenceService + type: object + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + format: int64 + type: integer + traffic: + description: Traffic percentage that goes to default services + format: int64 + type: integer + url: + description: URL of the InferenceService + type: string + type: object + version: v1alpha2 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/kustomization.yaml new file mode 100644 index 0000000000..6e120e7b63 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/base/kustomization.yaml 
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- crd.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/application.yaml
new file mode 100644
index 0000000000..2841aa9d7a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: kfserving-crds
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kfserving-crds
+ app.kubernetes.io/instance: kfserving-crds-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: kfserving-crds
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ type: kfserving-crds
+ version: v1beta1
+ description: ""
+ maintainers: []
+ owners: []
+ keywords:
+ - kfserving-crds
+ - kubeflow
+ links:
+ - description: About
+ url: ""
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..f7beb0dfb8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-crds/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: kfserving-crds
+ app.kubernetes.io/name: kfserving-crds
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..abb8b2caad
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role-binding.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kfserving-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kfserving-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ creationTimestamp: null
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: default
+---
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role.yaml
new file mode 100644
index 0000000000..2b851c6b96
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/cluster-role.yaml
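Review bot: Both bindings in cluster-role-binding.yaml name the `default` ServiceAccount as their subject, so `kfserving-proxy-role` and `manager-role` are granted to every pod in that namespace that does not set its own service account, not only to the KFServing controller. `manager-role`, defined in cluster-role.yaml in this same commit, includes create/update/patch/delete on Secrets and on mutating and validating webhook configurations, and as a ClusterRoleBinding the grant is cluster-wide. The subjects carry no `namespace`; that is presumably filled in by the kustomization's `namespace: kubeflow`, and the StatefulSet in statefulset.yaml sets no `serviceAccountName`, which is why `default` ends up being the controller's identity. Since these files are vendored from upstream, an overlay that creates a dedicated account, changes both subjects to `name: <dedicated-controller-sa>` (placeholder) and adds `serviceAccountName: <dedicated-controller-sa>` to the StatefulSet pod spec would confine the grant to the controller.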
@@ -0,0 +1,209 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kfserving-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: manager-role
+rules:
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - services/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - virtualservices
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - virtualservices/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - serving.kubeflow.org
+ resources:
+ - inferenceservices
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - serving.kubeflow.org
+ resources:
+ - inferenceservices/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-kfserving-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-kfserving-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: "true"
+rules:
+- apiGroups:
+ - serving.kubeflow.org
+ resources:
+ - inferenceservices
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-kfserving-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - serving.kubeflow.org
+ resources:
+ - inferenceservices
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/config-map.yaml
new file mode 100644
index 0000000000..8ccd809ce6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/config-map.yaml
@@ -0,0 +1,102 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: inferenceservice-config
+data:
+ predictors: |-
+ {
+ "tensorflow": {
+ "image": "tensorflow/serving",
+ "defaultImageVersion": "1.14.0",
+ "defaultGpuImageVersion": "1.14.0-gpu",
+ "allowedImageVersions": [
+ "1.11.0",
+ "1.11.0-gpu",
+ "1.12.0",
+ "1.12.0-gpu",
+ "1.13.0",
+ "1.13.0-gpu",
+ "1.14.0",
+ "1.14.0-gpu"
+ ]
+ },
+ "onnx": {
+ "image": "mcr.microsoft.com/onnxruntime/server",
+ "defaultImageVersion": "v0.5.1",
+ "allowedImageVersions": [
+ "v0.5.1"
+ ]
+ },
+ "sklearn": {
+ "image": "gcr.io/kfserving/sklearnserver",
+ "defaultImageVersion": "0.2.2",
+ "allowedImageVersions": [
+ "0.2.2"
+ ]
+ },
+ "xgboost": {
+ "image": "gcr.io/kfserving/xgbserver",
+ "defaultImageVersion": "0.2.2",
+ "allowedImageVersions": [
+ "0.2.2"
+ ]
+ },
+ "pytorch": {
+ "image": "gcr.io/kfserving/pytorchserver",
+ "defaultImageVersion": "0.2.2",
+ "allowedImageVersions": [
+ "0.2.2"
+ ]
+ },
+ "tensorrt": {
+ "image": "nvcr.io/nvidia/tensorrtserver",
+ "defaultImageVersion": "19.05-py3",
+ "allowedImageVersions": [
+ "19.05-py3"
+ ]
+ }
+ }
+ transformers: |-
+ {
+ }
+ explainers: |-
+ {
+ "alibi": {
+ "image" : "gcr.io/kfserving/alibi-explainer",
+ "defaultImageVersion": "0.2.2",
+ "allowedImageVersions": [
+ "0.2.2"
+ ]
+ }
+ }
+ storageInitializer: |-
+ {
+ "image" : "gcr.io/kfserving/storage-initializer:0.2.2",
+ "memoryRequest": "100Mi",
+ "memoryLimit": "1Gi",
+ "cpuRequest": "100m",
+ "cpuLimit": "1"
+ }
+ credentials: |-
+ {
+ "gcs": {
+ "gcsCredentialFileName": "gcloud-application-credentials.json"
+ },
+ "s3": {
+ "s3AccessKeyIDName": "awsAccessKeyID",
+ "s3SecretAccessKeyName": "awsSecretAccessKey"
+ }
+ }
+ ingress: |-
+ {
+ "ingressGateway" : "kubeflow-gateway.kubeflow",
+ "ingressService" : "istio-ingressgateway.istio-system.svc.cluster.local"
+ }
+ logger: |-
+ {
+ "image" : "gcr.io/kfserving/logger:0.2.2",
+ "memoryRequest": "100Mi",
+ "memoryLimit": "1Gi",
+ "cpuRequest": "100m",
+ "cpuLimit": "1"
+ }
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/kustomization.yaml
new file mode 100644
index 0000000000..f452fba7ad
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/kustomization.yaml
@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- config-map.yaml
+- secret.yaml
+- statefulset.yaml
+- service.yaml
+commonLabels:
+ kustomize.component: kfserving
+configMapGenerator:
+- name: kfserving-parameters
+ env: params.env
+vars:
+- name: registry
+ objref:
+ kind: ConfigMap
+ name: kfserving-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.registry
+configurations:
+- params.yaml
+images:
+- name: gcr.io/kubebuilder/kube-rbac-proxy
+ newName: gcr.io/kubebuilder/kube-rbac-proxy
+ newTag: v0.4.0
+- name: $(registry)/kfserving-controller
+ newName: $(registry)/kfserving-controller
+ newTag: 0.2.2
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.env
new file mode 100644
index 0000000000..ca48d4610f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.env
@@ -0,0 +1 @@
+registry=gcr.io/kfserving
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.yaml
new file mode 100644
index 0000000000..a7b94f6e46
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/template/spec/containers/image
+ kind: StatefulSet
+- path: data/frameworks
+ kind: ConfigMap
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/secret.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/secret.yaml
new file mode 100644
index 0000000000..621365867e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/secret.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kfserving-webhook-server-secret
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/service.yaml
new file mode 100644
index 0000000000..29398ef8f3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/service.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "8443"
+ prometheus.io/scheme: https
+ prometheus.io/scrape: "true"
+ labels:
+ control-plane: controller-manager
+ controller-tools.k8s.io: "1.0"
+ name: kfserving-controller-manager-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+ controller-tools.k8s.io: "1.0"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: kfserving-controller-manager
+ controller-tools.k8s.io: "1.0"
+ name: kfserving-controller-manager-service
+spec:
+ ports:
+ - port: 443
+ selector:
+ control-plane: kfserving-controller-manager
+ controller-tools.k8s.io: "1.0"
+---
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/statefulset.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/statefulset.yaml
new file mode 100644
index 0000000000..1a1beec502
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/base/statefulset.yaml
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ control-plane: kfserving-controller-manager
+ controller-tools.k8s.io: "1.0"
+ name: kfserving-controller-manager
+spec:
+ selector:
+ matchLabels:
+ control-plane: kfserving-controller-manager
+ controller-tools.k8s.io: "1.0"
+ serviceName: controller-manager-service
+ template:
+ metadata:
+ labels:
+ control-plane: kfserving-controller-manager
+ controller-tools.k8s.io: "1.0"
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ - args:
+ - --metrics-addr=127.0.0.1:8080
+ command:
+ - /manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: SECRET_NAME
+ value: kfserving-webhook-server-secret
+ - name: ENABLE_WEBHOOK_NAMESPACE_SELECTOR
+ value: enabled
+ image: $(registry)/kfserving-controller:0.2.2
+ imagePullPolicy: Always
+ name: manager
+ ports:
+ - containerPort: 9876
+ name: webhook-server
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 100m
+ memory: 300Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ volumeMounts:
+ - mountPath: /tmp/cert
+ name: cert
+ readOnly: true
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: kfserving-webhook-server-secret
+ volumeClaimTemplates: []
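Review bot: The kube-rbac-proxy container in statefulset.yaml runs with `- --v=10`, a very high log verbosity at which the Kubernetes client libraries can log full API request and response bodies. For this proxy that likely covers its TokenReview calls, which carry the bearer tokens presented by metrics clients, so credentials may end up in pod logs and whatever log pipeline collects them; this should be confirmed against the proxy version in use. Unless the setting is deliberate debugging, an overlay should lower it, e.g. `- --v=2`. In the same pod spec neither container declares a `securityContext`, so adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` is worth considering if the images support it.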
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/application.yaml
new file mode 100644
index 0000000000..c96444ce75
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/application.yaml
@@ -0,0 +1,40 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: "kfserving"
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kfserving-install
+ app.kubernetes.io/instance: kfserving-install-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: kfserving-install
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ type: "kfserving"
+ componentKinds:
+ - group: apps/v1
+ kind: StatefulSet
+ - group: v1
+ kind: Service
+ - group: apps/v1
+ kind: Deployment
+ - group: v1
+ kind: Secret
+ - group: v1
+ kind: ConfigMap
+ version: "v1alpha2"
+ description: "KFServing provides a Kubernetes Custom Resource Definition for serving ML Models on arbitrary frameworks"
+ icons:
+ maintainers:
+ - name: Johnu George
+ email: johnugeo@cisco.com
+ owners:
+ - name: Johnu George
+ email: johnugeo@cisco.com
+ keywords:
+ - "kfserving"
+ - "inference"
+ links:
+ - description: About
+ url: "https://github.com/kubeflow/kfserving"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..e6cfca40e4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kfserving/kfserving-install/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: kfserving-install
+ app.kubernetes.io/name: kfserving-install
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/crd.yaml
new file mode 100644
index 0000000000..1ce7c5904c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/crd.yaml
@@ -0,0 +1,397 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: certificates.networking.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].reason + name: Reason + type: string + group: networking.internal.knative.dev + names: + categories: + - knative-internal + - networking + kind: Certificate + plural: certificates + shortNames: + - kcert + singular: certificate + scope: Namespaced + subresources: + status: {} + version: v1alpha1 + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + duck.knative.dev/podspecable: "true" + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: configurations.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.latestCreatedRevisionName + name: LatestCreated + type: string + - JSONPath: .status.latestReadyRevisionName + name: LatestReady + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Configuration + plural: configurations + shortNames: + - config + - cfg + singular: configuration + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + name: images.caching.internal.knative.dev +spec: + group: caching.internal.knative.dev + names: + 
categories: + - knative-internal + - caching + kind: Image + plural: images + shortNames: + - img + singular: image + scope: Namespaced + subresources: + status: {} + version: v1alpha1 + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: ingresses.networking.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: networking.internal.knative.dev + names: + categories: + - knative-internal + - networking + kind: Ingress + plural: ingresses + shortNames: + - ing + singular: ingress + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: metrics.autoscaling.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: autoscaling.internal.knative.dev + names: + categories: + - knative-internal + - autoscaling + kind: Metric + plural: metrics + singular: metric + scope: Namespaced + subresources: + status: {} + version: v1alpha1 + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: podautoscalers.autoscaling.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.desiredScale + name: DesiredScale + type: integer + - JSONPath: .status.actualScale + name: ActualScale + type: integer + - 
JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: autoscaling.internal.knative.dev + names: + categories: + - knative-internal + - autoscaling + kind: PodAutoscaler + plural: podautoscalers + shortNames: + - kpa + - pa + singular: podautoscaler + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: revisions.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .metadata.labels['serving\.knative\.dev/configuration'] + name: Config Name + type: string + - JSONPath: .status.serviceName + name: K8s Service Name + type: string + - JSONPath: .metadata.labels['serving\.knative\.dev/configurationGeneration'] + name: Generation + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Revision + plural: revisions + shortNames: + - rev + singular: revision + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + duck.knative.dev/addressable: "true" + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: routes.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.url + name: URL + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + 
type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Route + plural: routes + shortNames: + - rt + singular: route + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + duck.knative.dev/addressable: "true" + duck.knative.dev/podspecable: "true" + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: services.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.url + name: URL + type: string + - JSONPath: .status.latestCreatedRevisionName + name: LatestCreated + type: string + - JSONPath: .status.latestReadyRevisionName + name: LatestReady + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Service + plural: services + shortNames: + - kservice + - ksvc + singular: service + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.11.1" + name: serverlessservices.networking.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .spec.mode + name: Mode + type: string + - JSONPath: .status.serviceName + name: ServiceName + type: string + - JSONPath: 
.status.privateServiceName + name: PrivateServiceName + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: networking.internal.knative.dev + names: + categories: + - knative-internal + - networking + kind: ServerlessService + plural: serverlessservices + shortNames: + - sks + singular: serverlessservice + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/kustomization.yaml new file mode 100644 index 0000000000..ed2cb28bfd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- namespace.yaml +- crd.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/namespace.yaml new file mode 100644 index 0000000000..04bb5b5225 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/base/namespace.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio-injection: enabled + serving.knative.dev/release: "v0.11.1" + name: knative-serving + + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/application.yaml new file mode 100644 index 0000000000..855a6ff837 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: knative-serving-crds +spec: + selector: + matchLabels: + app.kubernetes.io/name: knative-serving-crds + app.kubernetes.io/instance: knative-serving-crds-v0.11.1 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: knative-serving-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.11.1 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: knative-serving-crds + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - knative-serving-crds + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..ea9c6c7cc2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-crds/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: knative-serving-crds + app.kubernetes.io/name: knative-serving-crds +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/apiservice.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/apiservice.yaml new file mode 100644 index 0000000000..18500e6f94 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/apiservice.yaml 
@@ -0,0 +1,18 @@
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ labels:
+ autoscaling.knative.dev/metric-provider: custom-metrics
+ serving.knative.dev/release: "v0.11.1"
+ name: v1beta1.custom.metrics.k8s.io
+spec:
+ group: custom.metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: true
+ service:
+ name: autoscaler
+ namespace: knative-serving
+ version: v1beta1
+ versionPriority: 100
+
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..e69e4dbeeb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role-binding.yaml
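Review bot: `insecureSkipTLSVerify: true` in the APIService spec means the API server's aggregation layer does not verify the serving certificate of the `autoscaler` service in `knative-serving` when it proxies `custom.metrics.k8s.io` requests, so whatever answers at that service address is accepted as the metrics backend and its responses feed autoscaling decisions. Prefer setting `caBundle:` to the CA that signs the autoscaler's serving certificate and changing the flag to `insecureSkipTLSVerify: false`. If the upstream release cannot present a verifiable certificate, a comment above the field, such as `# TLS verification skipped: autoscaler serves a self-signed cert; tracked in <issue>`, would make the exception explicit and reviewable.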
@@ -0,0 +1,50 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ autoscaling.knative.dev/metric-provider: custom-metrics
+ serving.knative.dev/release: "v0.11.1"
+ name: custom-metrics:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: controller
+ namespace: knative-serving
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ autoscaling.knative.dev/metric-provider: custom-metrics
+ serving.knative.dev/release: "v0.11.1"
+ name: hpa-controller-custom-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom-metrics-server-resources
+subjects:
+ - kind: ServiceAccount
+ name: horizontal-pod-autoscaler
+ namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: knative-serving-controller-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: knative-serving-admin
+subjects:
+ - kind: ServiceAccount
+ name: controller
+ namespace: knative-serving
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role.yaml
new file mode 100644
index 0000000000..81279631ee
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/cluster-role.yaml
@@ -0,0 +1,265 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + duck.knative.dev/addressable: "true" + serving.knative.dev/release: "v0.11.1" + name: knative-serving-addressable-resolver +rules: + - apiGroups: + - serving.knative.dev + resources: + - routes + - routes/status + - services + - services/status + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + autoscaling.knative.dev/metric-provider: custom-metrics + serving.knative.dev/release: "v0.11.1" + name: custom-metrics-server-resources +rules: + - apiGroups: + - custom.metrics.k8s.io + resources: + - '*' + verbs: + - '*' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + serving.knative.dev/release: "v0.11.1" + name: knative-serving-namespaced-admin +rules: + - apiGroups: + - serving.knative.dev + - networking.internal.knative.dev + - autoscaling.internal.knative.dev + - caching.internal.knative.dev + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + serving.knative.dev/release: "v0.11.1" + name: knative-serving-namespaced-edit +rules: + - apiGroups: + - serving.knative.dev + - networking.internal.knative.dev + - autoscaling.internal.knative.dev + - caching.internal.knative.dev + resources: + - '*' + verbs: + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + serving.knative.dev/release: "v0.11.1" + name: knative-serving-namespaced-view +rules: + - apiGroups: + - serving.knative.dev + - networking.internal.knative.dev + - autoscaling.internal.knative.dev + - caching.internal.knative.dev + resources: + - '*' + verbs: + - get + - list + - 
watch + +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + serving.knative.dev/controller: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: knative-serving-admin +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + serving.knative.dev/controller: "true" + serving.knative.dev/release: "v0.11.1" + name: knative-serving-core +rules: + - apiGroups: + - "" + resources: + - pods + - namespaces + - secrets + - configmaps + - endpoints + - services + - events + - serviceaccounts + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + - apiGroups: + - "" + resources: + - endpoints/restricted + verbs: + - create + - apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + - apiGroups: + - serving.knative.dev + - autoscaling.internal.knative.dev + - networking.internal.knative.dev + resources: + - '*' + - '*/status' + - '*/finalizers' + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - patch + - watch + - apiGroups: + - caching.internal.knative.dev + resources: + - images + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + 
duck.knative.dev/podspecable: "true" + serving.knative.dev/release: "v0.11.1" + name: knative-serving-podspecable-binding +rules: + - apiGroups: + - serving.knative.dev + resources: + - configurations + - services + verbs: + - list + - watch + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + networking.knative.dev/ingress-provider: istio + serving.knative.dev/controller: "true" + serving.knative.dev/release: "v0.11.1" + name: knative-serving-istio +rules: + - apiGroups: + - networking.istio.io + resources: + - virtualservices + - gateways + verbs: + - get + - list + - create + - update + - delete + - patch + - watch diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/config-map.yaml new file mode 100644 index 0000000000..a493e66bdf --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/config-map.yaml 
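Review bot: `knative-serving-core` grants get/list/create/update/delete/patch/watch on `secrets`, `serviceaccounts` and `pods` in the core API group, plus the same verbs on `mutatingwebhookconfigurations`, `validatingwebhookconfigurations` and `customresourcedefinitions`, and it carries the `serving.knative.dev/controller: "true"` label that the aggregation rule on `knative-serving-admin` selects. The `knative-serving-controller-admin` ClusterRoleBinding in cluster-role-binding.yaml binds that aggregate to the `controller` service account cluster-wide, so a compromise of that one workload amounts to read/write on every Secret and on admission webhook configuration. If the rules have to stay as upstream ships them, record the reach next to the role, e.g. `# cluster-wide secrets and webhook-config write; reaches the controller SA through knative-serving-admin aggregation`, and alert in audit logs on that service account touching Secrets outside the namespaces Knative manages. `custom-metrics-server-resources` likewise uses `'*'` for both resources and verbs, where read-only verbs are probably all the HPA controller needs.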
@@ -0,0 +1,694 @@ +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # The Revision ContainerConcurrency field specifies the maximum number + # of requests the Container can handle at once. Container concurrency + # target percentage is how much of that maximum to use in a stable + # state. E.g. if a Revision specifies ContainerConcurrency of 10, then + # the Autoscaler will try to maintain 7 concurrent connections per pod + # on average. + # Note: this limit will be applied to container concurrency set at every + # level (ConfigMap, Revision Spec or Annotation). + # For legacy and backwards compatibility reasons, this value also accepts + # fractional values in (0, 1] interval (i.e. 0.7 ⇒ 70%). + # Thus minimal percentage value must be greater than 1.0, or it will be + # treated as a fraction. + container-concurrency-target-percentage: "70" + + # The container concurrency target default is what the Autoscaler will + # try to maintain when concurrency is used as the scaling metric for a + # Revision and the Revision specifies unlimited concurrency. + # Even when specifying unlimited concurrency, the autoscaler will + # horizontally scale the application based on this target concurrency. + # NOTE: Only one metric can be used for autoscaling a Revision. 
+ container-concurrency-target-default: "100" + + # The requests per second (RPS) target default is what the Autoscaler will + # try to maintain when RPS is used as the scaling metric for a Revision and + # the Revision specifies unlimited RPS. Even when specifying unlimited RPS, + # the autoscaler will horizontally scale the application based on this + # target RPS. + # Must be greater than 1.0. + # NOTE: Only one metric can be used for autoscaling a Revision. + requests-per-second-target-default: "200" + + # The target burst capacity specifies the size of burst in concurrent + # requests that the system operator expects the system will receive. + # Autoscaler will try to protect the system from queueing by introducing + # Activator in the request path if the current spare capacity of the + # service is less than this setting. + # If this setting is 0, then Activator will be in the request path only + # when the revision is scaled to 0. + # If this setting is > 0 and container-concurrency-target-percentage is + # 100% or 1.0, then activator will always be in the request path. + # -1 denotes unlimited target-burst-capacity and activator will always + # be in the request path. + # Other negative values are invalid. + target-burst-capacity: "200" + + # When operating in a stable mode, the autoscaler operates on the + # average concurrency over the stable window. + # Stable window must be in whole seconds. + stable-window: "60s" + + # When observed average concurrency during the panic window reaches + # panic-threshold-percentage the target concurrency, the autoscaler + # enters panic mode. When operating in panic mode, the autoscaler + # scales on the average concurrency over the panic window which is + # panic-window-percentage of the stable-window. + # When computing the panic window it will be rounded to the closest + # whole second. 
+ panic-window-percentage: "10.0" + + # The percentage of the container concurrency target at which to + # enter panic mode when reached within the panic window. + panic-threshold-percentage: "200.0" + + # Max scale up rate limits the rate at which the autoscaler will + # increase pod count. It is the maximum ratio of desired pods versus + # observed pods. + # Cannot less or equal to 1. + # I.e with value of 2.0 the number of pods can at most go N to 2N + # over single Autoscaler period (see tick-interval), but at least N to + # N+1, if Autoscaler needs to scale up. + max-scale-up-rate: "1000.0" + + # Max scale down rate limits the rate at which the autoscaler will + # decrease pod count. It is the maximum ratio of observed pods versus + # desired pods. + # Cannot less or equal to 1. + # I.e. with value of 2.0 the number of pods can at most go N to N/2 + # over single Autoscaler evaluation period (see tick-interval), but at + # least N to N-1, if Autoscaler needs to scale down. + # Not yet used // TODO(vagababov) remove once other parts are ready. + max-scale-down-rate: "2.0" + + # Scale to zero feature flag + enable-scale-to-zero: "true" + + # Tick interval is the time between autoscaling calculations. + tick-interval: "2s" + + # Dynamic parameters (take effect when config map is updated): + + # Scale to zero grace period is the time an inactive revision is left + # running before it is scaled to zero (min: 30s). + scale-to-zero-grace-period: "30s" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-autoscaler + namespace: knative-serving + +--- + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. 
+ # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # revision-timeout-seconds contains the default number of + # seconds to use for the revision's per-request timeout, if + # none is specified. + revision-timeout-seconds: "300" # 5 minutes + + # max-revision-timeout-seconds contains the maximum number of + # seconds that can be used for revision-timeout-seconds. + # This value must be greater than or equal to revision-timeout-seconds. + # If omitted, the system default is used (600 seconds). + max-revision-timeout-seconds: "600" # 10 minutes + + # revision-cpu-request contains the cpu allocation to assign + # to revisions by default. If omitted, no value is specified + # and the system default is used. + revision-cpu-request: "400m" # 0.4 of a CPU (aka 400 milli-CPU) + + # revision-memory-request contains the memory allocation to assign + # to revisions by default. If omitted, no value is specified + # and the system default is used. + revision-memory-request: "100M" # 100 megabytes of memory + + # revision-cpu-limit contains the cpu allocation to limit + # revisions to by default. If omitted, no value is specified + # and the system default is used. + revision-cpu-limit: "1000m" # 1 CPU (aka 1000 milli-CPU) + + # revision-memory-limit contains the memory allocation to limit + # revisions to by default. If omitted, no value is specified + # and the system default is used. + revision-memory-limit: "200M" # 200 megabytes of memory + + # container-name-template contains a template for the default + # container name, if none is specified. This field supports + # Go templating and is supplied with the ObjectMeta of the + # enclosing Service or Configuration, so values such as + # {{.Name}} are also valid. 
+ container-name-template: "user-container" + + # container-concurrency specifies the maximum number + # of requests the Container can handle at once, and requests + # above this threshold are queued. Setting a value of zero + # disables this throttling and lets through as many requests as + # the pod receives. + container-concurrency: "0" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-defaults + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # List of repositories for which tag to digest resolving should be skipped + registriesSkippingTagResolving: "ko.local,dev.local" + queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:792f6945c7bc73a49a470a5b955c39c8bd174705743abf5fb71aa0f4c04128eb +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-deployment + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. 
+ + # Default value for domain. + # Although it will match all routes, it is the least-specific rule so it + # will only be used if no other domain matches. + example.com: | + + # These are example settings of domain. + # example.org will be used for routes having app=nonprofit. + example.org: | + selector: + app: nonprofit + + # Routes having domain suffix of 'svc.cluster.local' will not be exposed + # through Ingress. You can define your own label selector to assign that + # domain suffix to your Route here, or you can set the label + # "serving.knative.dev/visibility=cluster-local" + # to achieve the same effect. This shows how to make routes having + # the label app=secret only exposed to the local cluster. + svc.cluster.local: | + selector: + app: secret +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-domain + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. 
+ + # Delay after revision creation before considering it for GC + stale-revision-create-delay: "24h" + + # Duration since a route has been pointed at a revision before it should be GC'd + # This minus lastpinned-debounce be longer than the controller resync period (10 hours) + stale-revision-timeout: "15h" + + # Minimum number of generations of revisions to keep before considering for GC + stale-revision-minimum-generations: "1" + + # To avoid constant updates, we allow an existing annotation to be stale by this + # amount before we update the timestamp + stale-revision-lastpinned-debounce: "5h" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-gc + namespace: knative-serving + +--- + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Common configuration for all Knative codebase + zap-logger-config: | + { + "level": "info", + "development": false, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "ts", + "levelKey": "level", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "msg", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + + # Log level overrides + # For all components except the autoscaler and queue proxy, + # changes are be picked up immediately. + # For autoscaler and queue proxy, changes require recreation of the pods. 
+ loglevel.controller: "info" + loglevel.autoscaler: "info" + loglevel.queueproxy: "info" + loglevel.webhook: "info" + loglevel.activator: "info" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-logging + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # istio.sidecar.includeOutboundIPRanges specifies the IP ranges that Istio sidecar + # will intercept. + # + # Replace this with the IP ranges of your cluster (see below for some examples). + # Separate multiple entries with a comma. + # Example: "10.4.0.0/14,10.7.240.0/20" + # + # If set to "*" Istio will intercept all traffic within + # the cluster as well as traffic that is going outside the cluster. + # Traffic going outside the cluster will be blocked unless + # necessary egress rules are created. + # + # If omitted or set to "", value of global.proxy.includeIPRanges + # provided at Istio deployment time is used. In default Knative serving + # deployment, global.proxy.includeIPRanges value is set to "*". + # + # If an invalid value is passed, "" is used instead. + # + # If valid set of IP address ranges are put into this value, + # Istio will no longer intercept traffic going to IP addresses + # outside the provided ranges and there is no need to specify + # egress rules. 
+ # + # To determine the IP ranges of your cluster: + # IBM Cloud Private: cat cluster/config.yaml | grep service_cluster_ip_range + # IBM Cloud Kubernetes Service: "172.30.0.0/16,172.20.0.0/16,10.10.10.0/24" + # Google Container Engine (GKE): gcloud container clusters describe $CLUSTER_NAME --zone=$CLUSTER_ZONE | grep -e clusterIpv4Cidr -e servicesIpv4Cidr + # Azure Kubernetes Service (AKS): "10.0.0.0/16" + # Azure Container Service (ACS; deprecated): "10.244.0.0/16,10.240.0.0/16" + # Azure Container Service Engine (ACS-Engine; OSS): Configurable, but defaults to "10.0.0.0/16" + # Minikube: "10.0.0.1/24" + # + # For more information, visit + # https://istio.io/docs/tasks/traffic-management/egress/ + # + istio.sidecar.includeOutboundIPRanges: "*" + + # clusteringress.class has been deprecated. Please use ingress.class instead. + clusteringress.class: "istio.ingress.networking.knative.dev" + + # ingress.class specifies the default ingress class + # to use when not dictated by Route annotation. + # + # If not specified, will use the Istio ingress. + # + # Note that changing the Ingress class of an existing Route + # will result in undefined behavior. Therefore it is best to only + # update this value during the setup of Knative, to avoid getting + # undefined behavior. + ingress.class: "istio.ingress.networking.knative.dev" + + # certificate.class specifies the default Certificate class + # to use when not dictated by Route annotation. + # + # If not specified, will use the Cert-Manager Certificate. + # + # Note that changing the Certificate class of an existing Route + # will result in undefined behavior. Therefore it is best to only + # update this value during the setup of Knative, to avoid getting + # undefined behavior. + certificate.class: "cert-manager.certificate.networking.internal.knative.dev" + + # domainTemplate specifies the golang text template string to use + # when constructing the Knative service's DNS name. 
The default + # value is "{{.Name}}.{{.Namespace}}.{{.Domain}}". And those three + # values (Name, Namespace, Domain) are the only variables defined. + # + # Changing this value might be necessary when the extra levels in + # the domain name generated is problematic for wildcard certificates + # that only support a single level of domain name added to the + # certificate's domain. In those cases you might consider using a value + # of "{{.Name}}-{{.Namespace}}.{{.Domain}}", or removing the Namespace + # entirely from the template. When choosing a new value be thoughtful + # of the potential for conflicts - for example, when users choose to use + # characters such as `-` in their service, or namespace, names. + # {{.Annotations}} can be used for any customization in the go template if needed. + # We strongly recommend keeping namespace part of the template to avoid domain name clashes + # Example '{{.Name}}-{{.Namespace}}.{{ index .Annotations "sub"}}.{{.Domain}}' + # and you have an annotation {"sub":"foo"}, then the generated template would be {Name}-{Namespace}.foo.{Domain} + domainTemplate: "{{.Name}}.{{.Namespace}}.{{.Domain}}" + + # tagTemplate specifies the golang text template string to use + # when constructing the DNS name for "tags" within the traffic blocks + # of Routes and Configuration. This is used in conjunction with the + # domainTemplate above to determine the full URL for the tag. + tagTemplate: "{{.Tag}}-{{.Name}}" + + # Controls whether TLS certificates are automatically provisioned and + # installed in the Knative ingress to terminate external TLS connection. + # 1. Enabled: enabling auto-TLS feature. + # 2. Disabled: disabling auto-TLS feature. + autoTLS: "Disabled" + + # Controls the behavior of the HTTP endpoint for the Knative ingress. + # It requires autoTLS to be enabled or reconcileExternalGateway in config-istio to be true. + # 1. Enabled: The Knative ingress will be able to serve HTTP connection. + # 2. 
Disabled: The Knative ingress will reject HTTP traffic. + # 3. Redirected: The Knative ingress will send a 302 redirect for all + # http connections, asking the clients to use HTTPS + httpProtocol: "Enabled" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-network + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # logging.enable-var-log-collection defaults to false. + # The fluentd daemon set will be set up to collect /var/log if + # this flag is true. + logging.enable-var-log-collection: "false" + + # logging.revision-url-template provides a template to use for producing the + # logging URL that is injected into the status of each Revision. + # This value is what you might use the the Knative monitoring bundle, and provides + # access to Kibana after setting up kubectl proxy. + logging.revision-url-template: | + http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.serving-knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase)))) + + # If non-empty, this enables queue proxy writing user request logs to stdout, excluding probe + # requests. + # The value determines the shape of the request logs and it must be a valid go text/template. + # It is important to keep this as a single line. 
Multiple lines are parsed as separate entities + # by most collection agents and will split the request logs into multiple records. + # + # The following fields and functions are available to the template: + # + # Request: An http.Request (see https://golang.org/pkg/net/http/#Request) + # representing an HTTP request received by the server. + # + # Response: + # struct { + # Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) + # Size int // An int representing the size of the response. + # Latency float64 // A float64 representing the latency of the response in seconds. + # } + # + # Revision: + # struct { + # Name string // Knative revision name + # Namespace string // Knative revision namespace + # Service string // Knative service name + # Configuration string // Knative configuration name + # PodName string // Name of the pod hosting the revision + # PodIP string // IP of the pod hosting the revision + # } + # + logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}' + + # If true, this enables queue proxy writing request logs for probe requests to stdout. + # It uses the same template for user requests, i.e. logging.request-log-template. + logging.enable-probe-request-log: "false" + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. 
+ # Note: Using stackdriver will incur additional charges + metrics.backend-destination: prometheus + + # metrics.request-metrics-backend-destination specifies the request metrics + # destination. It enables queue proxy to send request metrics. + # Currently supported values: prometheus (the default), stackdriver. + metrics.request-metrics-backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used if this field is not provided. + metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to + # Stackdriver using "global" resource type and custom metric type if the + # metrics are not supported by "knative_revision" resource type. Setting this + # flag to "true" could cause extra Stackdriver charge. + # If metrics.backend-destination is not Stackdriver, this is ignored. + metrics.allow-stackdriver-custom-metrics: "false" + + # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from + # the pods via an HTTP server in the format expected by the pprof visualization tool. When + # enabled, the Knative Serving pods expose the profiling data on an alternate HTTP port 8008. + # The HTTP context root for profiling is then /debug/pprof/. + profiling.enable: "false" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-observability + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. 
+ # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # This may be "zipkin" or "stackdriver", the default is "none" + backend: "none" + + # URL to zipkin collector where traces are sent. + # This must be specified when backend is "zipkin" + zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans" + + # The GCP project into which stackdriver metrics will be written + # when backend is "stackdriver". If unspecified, the project-id + # is read from GCP metadata when running on GCP. + stackdriver-project-id: "my-project" + + # Enable zipkin debug mode. This allows all spans to be sent to the server + # bypassing sampling. + debug: "false" + + # Percentage (0-1) of requests to trace + sample-rate: "0.1" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.11.1" + name: config-tracing + namespace: knative-serving + +--- + +apiVersion: v1 +data: + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default Knative Gateway after v0.3. It points to the Istio + # standard istio-ingressgateway, instead of a custom one that we + # used pre-0.3. The configuration format should be `gateway. + # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. + # {{ingress_namespace}}.svc.cluster.local"`. 
The {{gateway_namespace}} + # is optional; when it is omitted, the system will search for + # the gateway in the serving system namespace `knative-serving` + gateway.kubeflow.kubeflow-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" + + # A cluster local gateway to allow pods outside of the mesh to access + # Services and Routes not exposing through an ingress. If the users + # do have a service mesh setup, this isn't required and can be removed. + # + # An example use case is when users want to use Istio without any + # sidecar injection (like Knative's istio-lean.yaml). Since every pod + # is outside of the service mesh in that case, a cluster-local service + # will need to be exposed to a cluster-local gateway to be accessible. + # The configuration format should be `local-gateway.{{local_gateway_namespace}}. + # {{local_gateway_name}}: "{{cluster_local_gateway_name}}. + # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The + # {{local_gateway_namespace}} is optional; when it is omitted, the system + # will search for the local gateway in the serving system namespace + # `knative-serving` + local-gateway.knative-serving.cluster-local-gateway: "cluster-local-gateway.istio-system.svc.cluster.local" + + # To use only Istio service mesh and no cluster-local-gateway, replace + # all local-gateway.* entries by the following entry. + local-gateway.mesh: "mesh" + + # Feature flag to enable reconciling external Istio Gateways. + # When auto TLS feature is turned on, reconcileExternalGateway will be automatically enforced. + # 1. true: enabling reconciling external gateways. + # 2. false: disabling reconciling external gateways. + reconcileExternalGateway: "false" +kind: ConfigMap +metadata: + labels: + networking.knative.dev/ingress-provider: istio + serving.knative.dev/release: "v0.11.1" + name: config-istio + namespace: knative-serving 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/deployment.yaml
new file mode 100644
index 0000000000..f06eaf8c55
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/deployment.yaml
@@ -0,0 +1,359 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: activator
+ namespace: knative-serving
+spec:
+ selector:
+ matchLabels:
+ app: activator
+ role: activator
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ sidecar.istio.io/inject: "true"
+ labels:
+ app: activator
+ role: activator
+ serving.knative.dev/release: "v0.11.1"
+ spec:
+ containers:
+ - env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: knative.dev/internal/serving
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:8e606671215cc029683e8cd633ec5de9eabeaa6e9a4392ff289883304be1f418
+ livenessProbe:
+ httpGet:
+ httpHeaders:
+ - name: k-kubelet-probe
+ value: activator
+ path: /healthz
+ port: 8012
+ name: activator
+ ports:
+ - containerPort: 8012
+ name: http1
+ - containerPort: 8013
+ name: h2c
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8008
+ name: profiling
+ readinessProbe:
+ httpGet:
+ httpHeaders:
+ - name: k-kubelet-probe
+ value: activator
+ path: /healthz
+ port: 8012
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 600Mi
+ requests:
+ cpu: 300m
+ memory: 60Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ serviceAccountName: controller
+ terminationGracePeriodSeconds: 300
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ autoscaling.knative.dev/autoscaler-provider: hpa
+ serving.knative.dev/release: "v0.11.1"
+ name: autoscaler-hpa
+ namespace: knative-serving
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: autoscaler-hpa
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: autoscaler-hpa
+ serving.knative.dev/release: "v0.11.1"
+ spec:
+ containers:
+ - env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: knative.dev/serving
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa@sha256:5e0fadf574e66fb1c893806b5c5e5f19139cc476ebf1dff9860789fe4ac5f545
+ name: autoscaler-hpa
+ ports:
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8008
+ name: profiling
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 1000Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ serviceAccountName: controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: autoscaler
+ namespace: knative-serving
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: autoscaler
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ sidecar.istio.io/inject: "true"
+ traffic.sidecar.istio.io/includeInboundPorts: 8080,9090
+ labels:
+ app: autoscaler
+ serving.knative.dev/release: "v0.11.1"
+ spec:
+ containers:
+ - args:
+ - --secure-port=8443
+ - --cert-dir=/tmp
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: knative.dev/serving
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:ef1f01b5fb3886d4c488a219687aac72d28e72f808691132f658259e4e02bb27
+ livenessProbe:
+ httpGet:
+ httpHeaders:
+ - name: k-kubelet-probe
+ value: autoscaler
+ path: /healthz
+ port: 8080
+ name: autoscaler
+ ports:
+ - containerPort: 8080
+ name: websocket
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8443
+ name: custom-metrics
+ - containerPort: 8008
+ name: profiling
+ readinessProbe:
+ httpGet:
+ httpHeaders:
+ - name: k-kubelet-probe
+ value: autoscaler
+ path: /healthz
+ port: 8080
+ resources:
+ limits:
+ cpu: 300m
+ memory: 400Mi
+ requests:
+ cpu: 30m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ serviceAccountName: controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ networking.knative.dev/ingress-provider: istio
+ serving.knative.dev/release: "v0.11.1"
+ name: networking-istio
+ namespace: knative-serving
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: networking-istio
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: networking-istio
+ serving.knative.dev/release: "v0.11.2"
+ spec:
+ containers:
+ - env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: knative.dev/serving
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/networking/istio@sha256:61461fa789e19895d7d1e5ab96d8bb52a63788e0607e1bd2948b9570efeb6a8f
+ name: networking-istio
+ ports:
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8008
+ name: profiling
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 1000Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ serviceAccountName: controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: webhook
+ namespace: knative-serving
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: webhook
+ role: webhook
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: webhook
+ role: webhook
+ serving.knative.dev/release: "v0.11.1"
+ spec:
+ containers:
+ - env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: knative.dev/serving
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:1ef3328282f31704b5802c1136bd117e8598fd9f437df8209ca87366c5ce9fcb
+ name: webhook
+ ports:
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8008
+ name: profiling
+ resources:
+ limits:
+ cpu: 200m
+ memory: 200Mi
+ requests:
+ cpu: 20m
+ memory: 20Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ serviceAccountName: controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: controller
+ namespace: knative-serving
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: controller
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: controller
+ serving.knative.dev/release: "v0.11.1"
+ spec:
+ containers:
+ - env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: knative.dev/internal/serving
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:5ca13e5b3ce5e2819c4567b75c0984650a57272ece44bc1dabf930f9fe1e19a1
+ name: controller
+ ports:
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8008
+ name: profiling
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 1000Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ serviceAccountName: controller
+---
+
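Review bot: The `networking-istio` Deployment pins its image to `…/networking/istio@sha256:61461fa7…`, but the `images:` entry for the same image name in base/kustomization.yaml sets `digest: sha256:727a623c…`, so the digest reviewed in this file is presumably not the one that ends up running once the kustomize image transformer is applied. The same pod template is labelled `serving.knative.dev/release: "v0.11.2"` while the Deployment's own metadata and every other object in the file say `"v0.11.1"`, which suggests one of the two digests belongs to a different release. Decide which release is intended, check that digest against the upstream Knative release manifest, and make the Deployment, the label and the `images:` entry agree; since this directory is a vendored upstream copy, the correction probably belongs upstream or in an overlay rather than here.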
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/gateway.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/gateway.yaml
new file mode 100644
index 0000000000..378bec3fe6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/gateway.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ labels:
+ networking.knative.dev/ingress-provider: istio
+ serving.knative.dev/release: "v0.11.1"
+ name: cluster-local-gateway
+ namespace: knative-serving
+spec:
+ selector:
+ istio: cluster-local-gateway
+ servers:
+ - hosts:
+ - '*'
+ port:
+ name: http
+ number: 80
+ protocol: HTTP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/hpa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/hpa.yaml
new file mode 100644
index 0000000000..4cbde7fa0a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/hpa.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: activator
+ namespace: knative-serving
+spec:
+ maxReplicas: 20
+ metrics:
+ - resource:
+ name: cpu
+ targetAverageUtilization: 100
+ type: Resource
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: activator
+---
+
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/image.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/image.yaml
new file mode 100644
index 0000000000..21e40846e8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/image.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: caching.internal.knative.dev/v1alpha1
+kind: Image
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: queue-proxy
+ namespace: knative-serving
+spec:
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:792f6945c7bc73a49a470a5b955c39c8bd174705743abf5fb71aa0f4c04128eb
+
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/kustomization.yaml
new file mode 100644
index 0000000000..9134cafbdf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/kustomization.yaml
@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: knative-serving
+resources:
+- gateway.yaml
+- cluster-role.yaml
+- cluster-role-binding.yaml
+- service-role.yaml
+- service-role-binding.yaml
+- role-binding.yaml
+- config-map.yaml
+- deployment.yaml
+- service-account.yaml
+- service.yaml
+- apiservice.yaml
+- image.yaml
+- hpa.yaml
+- webhook-configuration.yaml
+commonLabels:
+ kustomize.component: knative
+images:
+- name: gcr.io/knative-releases/knative.dev/serving/cmd/activator
+ newName: gcr.io/knative-releases/knative.dev/serving/cmd/activator
+ digest: sha256:8e606671215cc029683e8cd633ec5de9eabeaa6e9a4392ff289883304be1f418
+- name: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa
+ newName: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa
+ digest: sha256:5e0fadf574e66fb1c893806b5c5e5f19139cc476ebf1dff9860789fe4ac5f545
+- name: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler
+ newName: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler
+ digest: sha256:ef1f01b5fb3886d4c488a219687aac72d28e72f808691132f658259e4e02bb27
+- name: gcr.io/knative-releases/knative.dev/serving/cmd/networking/istio
+ newName: gcr.io/knative-releases/knative.dev/serving/cmd/networking/istio
+ digest: sha256:727a623ccb17676fae8058cb1691207a9658a8d71bc7603d701e23b1a6037e6c
+- name: gcr.io/knative-releases/knative.dev/serving/cmd/webhook
+ newName: gcr.io/knative-releases/knative.dev/serving/cmd/webhook
+ digest: sha256:1ef3328282f31704b5802c1136bd117e8598fd9f437df8209ca87366c5ce9fcb
+- name: gcr.io/knative-releases/knative.dev/serving/cmd/controller
+ newName: gcr.io/knative-releases/knative.dev/serving/cmd/controller
+ digest: sha256:5ca13e5b3ce5e2819c4567b75c0984650a57272ece44bc1dabf930f9fe1e19a1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/role-binding.yaml
new file mode 100644
index 0000000000..ce3a111147
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/role-binding.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ autoscaling.knative.dev/metric-provider: custom-metrics
+ serving.knative.dev/release: "v0.11.1"
+ name: custom-metrics-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: controller
+ namespace: knative-serving
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-account.yaml
new file mode 100644
index 0000000000..9517a13f45
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-account.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: controller
+ namespace: knative-serving
+
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role-binding.yaml
new file mode 100644
index 0000000000..3b131d164c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role-binding.yaml
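Review bot: The subject of `custom-metrics-auth-reader` in base/role-binding.yaml is the `controller` ServiceAccount, which base/deployment.yaml assigns to all six Deployments (`serviceAccountName: controller`), so the `extension-apiserver-authentication-reader` role in `kube-system` is held by the activator, webhook and networking-istio pods as well as by the autoscaler that the `custom-metrics` label points at. Only the autoscaler is started with `--secure-port=8443`, so presumably it is the only workload that needs this role; a dedicated ServiceAccount for it would keep the grant to one workload. At minimum, add a comment above `subjects:` such as `# the controller SA is shared by every knative-serving Deployment, so this grant applies to all of them`.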
@@ -0,0 +1,11 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRoleBinding
+metadata:
+ name: istio-service-role-binding
+ namespace: knative-serving
+spec:
+ roleRef:
+ kind: ServiceRole
+ name: istio-service-role
+ subjects:
+ - user: '*'
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role.yaml
new file mode 100644
index 0000000000..9a1591b05c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.istio.io/v1alpha1
+kind: ServiceRole
+metadata:
+ name: istio-service-role
+ namespace: knative-serving
+spec:
+ rules:
+ - methods:
+ - '*'
+ services:
+ - '*'
+
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service.yaml
new file mode 100644
index 0000000000..f96f1db808
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/service.yaml
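Review bot: `subjects: - user: '*'` in base/service-role-binding.yaml binds every caller, authenticated or not, to `istio-service-role`, and base/service-role.yaml defines that role as `methods: ['*']` on `services: ['*']`, so the pair is an allow-all policy for the `knative-serving` namespace. If Istio RBAC is enforced for this namespace the objects switch authorization off in effect; if it is not enforced they are inert, and in neither case do they restrict who can reach the activator, autoscaler or webhook services. The commit message says this cluster runs Istio 1.4, where the `rbac.istio.io/v1alpha1` policy objects are, as far as I know, deprecated in favour of `AuthorizationPolicy`, so it is worth confirming that these two resources are still wanted. If they stay, add a comment such as `# intentional allow-all: knative-serving traffic is not restricted by Istio RBAC`, or narrow `services` and `subjects` to what actually needs access.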
@@ -0,0 +1,86 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: activator
+ serving.knative.dev/release: "v0.11.1"
+ name: activator-service
+ namespace: knative-serving
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8012
+ - name: http2
+ port: 81
+ protocol: TCP
+ targetPort: 8013
+ - name: http-metrics
+ port: 9090
+ protocol: TCP
+ targetPort: 9090
+ selector:
+ app: activator
+ type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: controller
+ serving.knative.dev/release: "v0.11.1"
+ name: controller
+ namespace: knative-serving
+spec:
+ ports:
+ - name: http-metrics
+ port: 9090
+ protocol: TCP
+ targetPort: 9090
+ selector:
+ app: controller
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ role: webhook
+ serving.knative.dev/release: "v0.11.1"
+ name: webhook
+ namespace: knative-serving
+spec:
+ ports:
+ - name: https-webhook
+ port: 443
+ targetPort: 8443
+ selector:
+ role: webhook
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: autoscaler
+ serving.knative.dev/release: "v0.11.1"
+ name: autoscaler
+ namespace: knative-serving
+spec:
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ - name: http-metrics
+ port: 9090
+ protocol: TCP
+ targetPort: 9090
+ - name: https-custom-metrics
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: autoscaler
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/webhook-configuration.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/webhook-configuration.yaml
new file mode 100644
index 0000000000..fb77b16079
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/base/webhook-configuration.yaml
@@ -0,0 +1,61 @@
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: webhook.serving.knative.dev
+webhooks:
+ - admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: webhook
+ namespace: knative-serving
+ failurePolicy: Fail
+ name: webhook.serving.knative.dev
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: validation.webhook.serving.knative.dev
+webhooks:
+ - admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: webhook
+ namespace: knative-serving
+ failurePolicy: Fail
+ name: validation.webhook.serving.knative.dev
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: config.webhook.serving.knative.dev
+webhooks:
+ - admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: webhook
+ namespace: knative-serving
+ failurePolicy: Fail
+ name: config.webhook.serving.knative.dev
+ namespaceSelector:
+ matchExpressions:
+ - key: serving.knative.dev/release
+ operator: Exists
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ serving.knative.dev/release: "v0.11.1"
+ name: webhook-certs
+ namespace: knative-serving
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/application.yaml
new file mode 100644
index 0000000000..1c7ff245cf
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/application.yaml
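Review bot: All three webhook configurations are committed with `failurePolicy: Fail` but without `rules` or a `clientConfig.caBundle`, and the `webhook-certs` Secret carries no data, so the checked-in objects are incomplete until something fills them in at runtime (presumably the Knative webhook pod itself). The commit description says ACM manages this deployment; if ACM reconciles these objects back to the committed form, the runtime-injected CA bundle and rules could be reverted, and with `Fail` an unreachable or untrusted webhook rejects the API requests it matches. A comment at the top of the file, for example `# rules, caBundle and the webhook-certs data are populated by the knative webhook at runtime; must be excluded from drift correction`, would make the dependency explicit. It is also worth confirming how ACM treats fields it does not own.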
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: knative-serving-install
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: knative-serving-install
+ app.kubernetes.io/instance: knative-serving-install-v0.11.1
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: knative-serving-install
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.11.1
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ type: knative-serving-install
+ version: v1beta1
+ description: ""
+ maintainers: []
+ owners: []
+ keywords:
+ - knative-serving-install
+ - kubeflow
+ links:
+ - description: About
+ url: ""
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..78f2d6f127
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/knative/knative-serving-install/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: knative-serving-install
+ app.kubernetes.io/name: knative-serving-install
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..6dcd671884
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kubebench-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubebench-operator
+subjects:
+- kind: ServiceAccount
+ name: kubebench-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role.yaml
new file mode 100644
index 0000000000..beef9f69e2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/cluster-role.yaml
@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kubebench-operator
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - kubebenchjobs
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - pods/exec
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - secrets
+ verbs:
+ - '*'
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs
+ - pytorchjobs
+ - mpijobs
+ verbs:
+ - '*'
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/config-map.yaml
new file mode 100644
index 0000000000..217fa615f3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/config-map.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kubebench-config
+data:
+ kubebenchconfig.yaml: |
+ defaultWorkflowAgent:
+ container:
+ name: kubebench-workflow-agent
+ image: gcr.io/kubeflow-images-public/kubebench/workflow-agent:bc682c1
+ defaultManagedVolumes:
+ experimentVolume:
+ name: kubebench-experiment-volume
+ emptyDir: {}
+ workflowVolume:
+ name: kubebench-workflow-volume
+ emptyDir: {}
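Review bot: The second rule of the `kubebench-operator` ClusterRole in cluster-role.yaml grants `'*'` on `secrets` and `pods/exec` along with the other core resources, and cluster-role-binding.yaml binds it cluster-wide, so the operator's service account can read every Secret and exec into any pod in every namespace. If the operator only acts in the namespaces where KubebenchJobs run, a namespaced `RoleBinding` to this role would contain it. Either way the wildcard should be replaced by the verbs the operator actually uses, for example `verbs: [get, list, watch]` on `secrets` (exact set to be confirmed against the operator), with `pods/exec` kept only if it is needed. The binding's subject also has no `namespace:`, which appears to rely on the `namespace: kubeflow` setting in the base kustomization to become valid.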
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/crd.yaml
new file mode 100644
index 0000000000..fe03e64f64
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/crd.yaml
@@ -0,0 +1,11 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: kubebenchjobs.kubeflow.org
+spec:
+ group: kubeflow.org
+ names:
+ kind: KubebenchJob
+ plural: kubebenchjobs
+ scope: Namespaced
+ version: v1alpha2
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/deployment.yaml
new file mode 100644
index 0000000000..441e0c314b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubebench-operator
+spec:
+ selector:
+ matchLabels:
+ app: kubebench-operator
+ template:
+ metadata:
+ labels:
+ app: kubebench-operator
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ volumes:
+ - name: kubebench-config
+ configMap:
+ name: kubebench-config
+ containers:
+ - image: gcr.io/kubeflow-images-public/kubebench/kubebench-operator-v1alpha2
+ name: kubebench-operator
+ command:
+ - /app/kubebench-operator-v1alpha2
+ args:
+ - --config=/config/kubebenchconfig.yaml
+ volumeMounts:
+ - mountPath: /config
+ name: kubebench-config
+ serviceAccountName: kubebench-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/kustomization.yaml
new file mode 100644
index 0000000000..ec2da4db83
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/kustomization.yaml
@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- service-account.yaml
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- crd.yaml
+- config-map.yaml
+- deployment.yaml
+namespace: kubeflow
+commonLabels:
+ kustomize.component: kubebench
+configMapGenerator:
+- name: parameters
+ env: params.env
+images:
+ # NOTE: the image for workflow agent should be configured in config-map.yaml
+ - name: gcr.io/kubeflow-images-public/kubebench/kubebench-operator-v1alpha2
+ newName: gcr.io/kubeflow-images-public/kubebench/kubebench-operator-v1alpha2
+ newTag: bc682c1
+vars:
+- name: clusterDomain
+ objref:
+ kind: ConfigMap
+ name: parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.clusterDomain
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.env
new file mode 100644
index 0000000000..5023b1c25f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.env
@@ -0,0 +1,2 @@
+namespace=
+clusterDomain=cluster.local
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.yaml
new file mode 100644
index 0000000000..c8de9ba235
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/annotations/getambassador.io\/config
+ kind: Service
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/service-account.yaml
new file mode 100644
index 0000000000..6a7f723433
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/base/service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: kubebench-operator
+ name: kubebench-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/application.yaml
new file mode 100644
index 0000000000..6607a3b773
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: kubebench
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kubebench
+ app.kubernetes.io/instance: kubebench-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: kubebench
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ type: kubebench
+ version: v1beta1
+ description: "Makes it easy to run benchmark jobs on Kubeflow with various system and model settings"
+ maintainers: []
+ owners: []
+ keywords:
+ - kubebench
+ - kubeflow
+ links:
+ - description: About
+ url: https://github.com/kubeflow/kubebench
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..fa8b381443
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: kubebench
+ app.kubernetes.io/name: kubebench
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/kustomization.yaml
new file mode 100644
index 0000000000..fcd00db904
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- virtual-service.yaml
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/params.yaml
new file mode 100644
index 0000000000..eea869e0d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+ kind: VirtualService
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/virtual-service.yaml
new file mode 100644
index 0000000000..06f5e11fcb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubebench/overlays/istio/virtual-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: kubebench-dashboard
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /dashboard/
+ rewrite:
+ uri: /dashboard/
+ route:
+ - destination:
+ host: kubebench-dashboard.$(namespace).svc.$(clusterDomain)
+ port:
+ number: 80
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/OWNERS
new file mode 100644
index 0000000000..08bb0d4f9d
--- /dev/null
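Review bot: The destination host in virtual-service.yaml, `kubebench-dashboard.$(namespace).svc.$(clusterDomain)`, uses a `namespace` var that neither this overlay's kustomization nor the kubebench base defines, since the base's `vars:` declares only `clusterDomain`. Unless another layer supplies it, `$(namespace)` is left unexpanded in the rendered object and the route points at a host that cannot resolve. Declare the var beside `clusterDomain`, or write the namespace literally as `host: kubebench-dashboard.kubeflow.svc.$(clusterDomain)`. The package as shown also creates no Service named `kubebench-dashboard`, and the `rewrite` maps `/dashboard/` onto itself, so it is worth confirming the route has a backend before publishing it on `kubeflow-gateway` with `hosts: ['*']`.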
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+ - jlewi
+ - krishnadurai
+ - kunmingg
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/README.md
new file mode 100644
index 0000000000..85c74e2595
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/README.md
@@ -0,0 +1,70 @@
+# Default Kubeflow ClusterRoles
+
+This manifest package contains the default ClusterRoles Kubeflow uses for defining roles for Kubeflow user Profiles.
+These roles are currently assigned to users by Profiles (profile-controller and kfam) Service with the help of Manage Users page in Central Dashboard.
+
+*Note*: `kfctl` assigns the default Kubernetes role `cluster-admin` to the user who deploys Kubeflow for the [GCP IAP configuration](https://github.com/kubeflow/manifests/blob/master/kfdef/kfctl_gcp_iap.yaml).
+
+## How to define role privileges for your Kubeflow application?
+Each application defines its own ClusterRole for each role here in kubeflow-roles. We use [ClusterRole Aggregation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) for these application ClusterRoles to be aggregated to their corresponding Kubeflow roles. An example implementation showing the same can be found here:
+
+The example is taken from [istio manifests](../istio/istio/base/cluster-roles.yaml).
+```
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
+rules:
+- apiGroups: ["istio.io"]
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-istio-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups: ["istio.io"]
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+```
+
+Note the usage of labels in each ClusterRole to indicate ClusterRole Aggregation with Kubeflow ClusterRoles for this application.
+
+## Reference Links
+
+- [Define Kubeflow cluster role and combine roles](https://github.com/kubeflow/kubeflow/issues/3938)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/cluster-roles.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/cluster-roles.yaml
new file mode 100644
index 0000000000..0d90b460f8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/cluster-roles.yaml
@@ -0,0 +1,335 @@ +--- + +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-admin +rules: [] + +--- + +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +rules: [] + +--- + +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-kubernetes-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +rules: +- apiGroups: + - authorization.k8s.io + resources: + - localsubjectaccessreviews + verbs: + - create +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-kubernetes-edit +rules: +- apiGroups: + - "" + resources: + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + - secrets + - services/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate +- apiGroups: + - "" + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection 
+ - patch + - update +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - extensions + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-kubernetes-view +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - services/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - bindings + - events + - limitranges + 
- namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - get + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - ingresses + - ingresses/status + - networkpolicies + - replicasets + - replicasets/scale + - replicasets/status + - replicationcontrollers/scale + verbs: + - get + - list + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + - networkpolicies + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/kustomization.yaml new file mode 100644 index 0000000000..f71ad0a879 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/kubeflow-roles/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-roles.yaml 
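Review bot: In cluster-roles.yaml, `kubeflow-kubernetes-edit` grants `impersonate` on `serviceaccounts` together with read access to `secrets` and `pods/exec`, and the aggregation labels roll these rules up into `kubeflow-edit` and, through it, `kubeflow-admin`. A user bound to the edit role in a namespace can therefore act as any service account there, so their effective privilege is the union of everything those service accounts are allowed to do, including any cluster-scoped bindings they hold. This mirrors the built-in Kubernetes `edit` role, but it deserves a comment above the rule, for example `# impersonate: edit users can act as any ServiceAccount in the namespace; keep privileged SAs out of profile namespaces`. It also needs confirming that these ClusterRoles are only ever attached with namespaced RoleBindings.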
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..dc9c732419
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: meta-controller-cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: meta-controller-service
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/crd.yaml
new file mode 100644
index 0000000000..0ae8700d78
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/crd.yaml
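Review bot: The ClusterRoleBinding in cluster-role-binding.yaml attaches the built-in `cluster-admin` role to the `meta-controller-service` service account, so the metacontroller pod holds unrestricted rights over the whole cluster. Metacontroller acts on the responses of the webhooks that CompositeController and DecoratorController objects point it at, which means a faulty or compromised hook inherits that reach as well. A dedicated ClusterRole listing only the parent and child resources of the controllers installed in this cluster would bound the damage. If that is not feasible for this PR, a comment on `roleRef` such as `# TODO: replace cluster-admin with a role scoped to the installed controllers` would at least track it.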
@@ -0,0 +1,45 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: compositecontrollers.metacontroller.k8s.io
+spec:
+ group: metacontroller.k8s.io
+ names:
+ kind: CompositeController
+ plural: compositecontrollers
+ shortNames:
+ - cc
+ - cctl
+ singular: compositecontroller
+ scope: Cluster
+ version: v1alpha1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: controllerrevisions.metacontroller.k8s.io
+spec:
+ group: metacontroller.k8s.io
+ names:
+ kind: ControllerRevision
+ plural: controllerrevisions
+ singular: controllerrevision
+ scope: Namespaced
+ version: v1alpha1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: decoratorcontrollers.metacontroller.k8s.io
+spec:
+ group: metacontroller.k8s.io
+ names:
+ kind: DecoratorController
+ plural: decoratorcontrollers
+ shortNames:
+ - dec
+ - decorators
+ singular: decoratorcontroller
+ scope: Cluster
+ version: v1alpha1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/kustomization.yaml
new file mode 100644
index 0000000000..fb7f0e8cbe
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- cluster-role-binding.yaml
+- crd.yaml
+- service-account.yaml
+- stateful-set.yaml
+commonLabels:
+ kustomize.component: metacontroller
+images:
+- name: metacontroller/metacontroller
+ newName: metacontroller/metacontroller
+ newTag: v0.3.0
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/service-account.yaml
new file mode 100644
index 0000000000..85c48de170
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: meta-controller-service
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/stateful-set.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/stateful-set.yaml
new file mode 100644
index 0000000000..7bbc3870a8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metacontroller/base/stateful-set.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: metacontroller
+ name: metacontroller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: metacontroller
+ serviceName: ""
+ template:
+ metadata:
+ labels:
+ app: metacontroller
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - command:
+ - /usr/bin/metacontroller
+ - --logtostderr
+ - -v=4
+ - --discovery-interval=20s
+ image: metacontroller/metacontroller:v0.3.0
+ imagePullPolicy: Always
+ name: metacontroller
+ ports:
+ - containerPort: 2345
+ resources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: 500m
+ memory: 1Gi
+ securityContext:
+ allowPrivilegeEscalation: true
+ privileged: true
+ serviceAccountName: meta-controller-service
+ # Workaround for https://github.com/kubernetes-sigs/kustomize/issues/677
+ volumeClaimTemplates: []
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/OWNERS
new file mode 100644
index 0000000000..c814ca1af4
--- /dev/null
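Review bot: The metacontroller container in stateful-set.yaml sets `privileged: true` and `allowPrivilegeEscalation: true`, yet the visible pod spec mounts no host paths or devices and uses no host namespaces, so nothing here shows why an API-only controller needs host-level access. A privileged container weakens the container boundary on its node, and this pod's service account is also bound to `cluster-admin`. Unless there is a documented requirement, set `privileged: false` and `allowPrivilegeEscalation: false`. Separately, `imagePullPolicy: Always` with the mutable tag `metacontroller/metacontroller:v0.3.0` re-resolves the image from a public registry on every restart, so pinning by digest would fix what actually runs.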
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+ - neuromage
+ - prodonjs
+ - zhenghuiwang
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/grpc-params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/grpc-params.env
new file mode 100644
index 0000000000..ce915f8855
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/grpc-params.env
@@ -0,0 +1,2 @@
+METADATA_GRPC_SERVICE_HOST=metadata-grpc-service
+METADATA_GRPC_SERVICE_PORT=8080
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/kustomization.yaml
new file mode 100644
index 0000000000..3030d03f50
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/kustomization.yaml
@@ -0,0 +1,73 @@ +namePrefix: metadata- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + kustomize.component: metadata +configMapGenerator: +- name: ui-parameters + env: params.env +- name: grpc-configmap + env: grpc-params.env +generatorOptions: + # TFX pipelines use metadata-grpc-configmap for finding grpc server host and + # port at runtime. Because they don't know the suffix, we have to disable it. + disableNameSuffixHash: true +resources: +- metadata-deployment.yaml +- metadata-service.yaml +- metadata-ui-deployment.yaml +- metadata-ui-role.yaml +- metadata-ui-rolebinding.yaml +- metadata-ui-sa.yaml +- metadata-ui-service.yaml +- metadata-envoy-deployment.yaml +- metadata-envoy-service.yaml +namespace: kubeflow +vars: +# These vars are used internally for the kustomize package. +# i.e to substitute values into fields kustomize isn't aware of. +# The names should be unique enough that we don't get conflicts with other packages +- name: ui-namespace + objref: + kind: Service + name: ui + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +- name: ui-clusterDomain + objref: + kind: ConfigMap + name: ui-parameters + version: v1 + fieldref: + fieldpath: data.uiClusterDomain +- name: metadata-service + objref: + kind: Service + name: ui + apiVersion: v1 + fieldref: + fieldpath: metadata.name +- name: metadata-envoy-service + objref: + kind: Service + name: envoy-service + apiVersion: v1 + fieldref: + fieldpath: metadata.name +images: +- name: gcr.io/kubeflow-images-public/metadata + newName: gcr.io/kubeflow-images-public/metadata + newTag: v0.1.11 +- name: gcr.io/tfx-oss-public/ml_metadata_store_server + newName: gcr.io/tfx-oss-public/ml_metadata_store_server + newTag: v0.21.1 +- name: gcr.io/ml-pipeline/envoy + newName: gcr.io/ml-pipeline/envoy + newTag: metadata-grpc +- name: mysql + newName: mysql + newTag: 8.0.3 +- name: gcr.io/kubeflow-images-public/metadata-frontend + newName: 
gcr.io/kubeflow-images-public/metadata-frontend + newTag: v0.1.8 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-deployment.yaml new file mode 100644 index 0000000000..584ac5d487 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-deployment.yaml 
@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+ labels:
+ component: server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: server
+ template:
+ metadata:
+ labels:
+ component: server
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: container
+ image: gcr.io/kubeflow-images-public/metadata:v0.1.11
+ command: ["./server/server",
+ "--http_port=8080"]
+ ports:
+ - name: backendapi
+ containerPort: 8080
+
+ readinessProbe:
+ httpGet:
+ path: /api/v1alpha1/artifact_types
+ port: backendapi
+ httpHeaders:
+ - name: ContentType
+ value: application/json
+ initialDelaySeconds: 3
+ periodSeconds: 5
+ timeoutSeconds: 2
+
+ livenessProbe:
+ httpGet:
+ path: /api/v1alpha1/artifact_types
+ port: backendapi
+ httpHeaders:
+ - name: ContentType
+ value: application/json
+ initialDelaySeconds: 3
+ periodSeconds: 5
+ timeoutSeconds: 2
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: grpc-deployment
+ labels:
+ component: grpc-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: grpc-server
+ template:
+ metadata:
+ labels:
+ component: grpc-server
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: container
+ envFrom:
+ - configMapRef:
+ name: grpc-configmap
+ image: gcr.io/tfx-oss-public/ml_metadata_store_server:v0.21.1
+ command: ["/bin/metadata_store_server"]
+ args: ["--grpc_port=$(METADATA_GRPC_SERVICE_PORT)"]
+ ports:
+ - name: grpc-backendapi
+ containerPort: 8080 #The value of the port number needs to be in sync with value specified in grpc-params.env
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-deployment.yaml
new file mode 100644
index 0000000000..48c00a38ec
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-deployment.yaml
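Review bot: Both Deployments in metadata-deployment.yaml set `sidecar.istio.io/inject: "false"`, which keeps the metadata HTTP server and the gRPC store out of the mesh. Any mTLS or authorization policy the cluster enforces through Istio sidecars therefore does not cover them, and nothing in these manifests adds authentication of their own. Unless a NetworkPolicy elsewhere restricts access, any pod that can reach the ClusterIP Services can read and write lineage metadata, so either enable injection or add a policy limiting ingress to the known clients. Separately, the probe header in both `httpHeaders` blocks is spelled `ContentType`, which is not the standard header name and should presumably read `name: Content-Type`.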
@@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-deployment + labels: + component: envoy +spec: + replicas: 1 + selector: + matchLabels: + component: envoy + template: + metadata: + labels: + component: envoy + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: container + image: gcr.io/ml-pipeline/envoy:metadata-grpc + ports: + - name: md-envoy + containerPort: 9090 + - name: envoy-admin + containerPort: 9901 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-service.yaml new file mode 100644 index 0000000000..16beb98e41 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-envoy-service.yaml @@ -0,0 +1,14 @@ +kind: Service +apiVersion: v1 +metadata: + labels: + app: metadata + name: envoy-service +spec: + selector: + component: envoy + type: ClusterIP + ports: + - port: 9090 + protocol: TCP + name: md-envoy diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-service.yaml new file mode 100644 index 0000000000..63650b4d68 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-service.yaml @@ -0,0 +1,29 @@ +kind: Service +apiVersion: v1 +metadata: + labels: + app: metadata + name: service +spec: + selector: + component: server + type: ClusterIP + ports: + - port: 8080 + protocol: TCP + name: backendapi +--- +kind: Service +apiVersion: v1 +metadata: + labels: + app: grpc-metadata + name: grpc-service +spec: + selector: + component: grpc-server + type: ClusterIP + ports: + - port: 8080 + protocol: TCP + name: grpc-backendapi 
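Review bot: In `envoy-deployment` the container declares `envoy-admin` on port 9901, and the image is referenced by the mutable tag `gcr.io/ml-pipeline/envoy:metadata-grpc`. Envoy's admin interface exposes configuration dumps and runtime controls, and whether it listens on loopback only is decided by the config baked into the image, which this patch does not show. Since the pod also opts out of the sidecar, I would confirm the admin listener is bound to 127.0.0.1 and drop the `envoy-admin` port entry, or restrict 9901 with a NetworkPolicy. `envoy-service` in the next file publishes only 9090, which is the right shape.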
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-deployment.yaml
new file mode 100644
index 0000000000..859f6ec6c4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-deployment.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ui
+ labels:
+ app: metadata-ui
+spec:
+ selector:
+ matchLabels:
+ app: metadata-ui
+ template:
+ metadata:
+ name: ui
+ labels:
+ app: metadata-ui
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - image: gcr.io/kubeflow-images-public/metadata-frontend:v0.1.8
+ imagePullPolicy: IfNotPresent
+ name: metadata-ui
+ ports:
+ - containerPort: 3000
+ serviceAccountName: ui
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-role.yaml
new file mode 100644
index 0000000000..a0b45cddf1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-role.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ labels:
+ app: metadata-ui
+ name: ui
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - create
+ - get
+ - list
+- apiGroups:
+ - "kubeflow.org"
+ resources:
+ - viewers
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-rolebinding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-rolebinding.yaml
new file mode 100644
index 0000000000..23c5a0e01c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-rolebinding.yaml
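Review bot: The first rule of the `ui` Role in metadata-ui-role.yaml grants `create` on `pods` to the frontend's service account. A subject that can create pods in a namespace can run a pod under any service account in that namespace or mount its secrets, which is far broader than the log reading a UI needs; unless the frontend really launches pods, keep only `- get` and `- list` in that rule. Separately, `rbac.authorization.k8s.io/v1beta1` (here and in the RoleBinding that follows) is deprecated in favour of `rbac.authorization.k8s.io/v1`.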
@@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: metadata-ui + name: ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ui +subjects: +- kind: ServiceAccount + name: ui + namespace: kubeflow diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-sa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-sa.yaml new file mode 100644 index 0000000000..8d7a53abf7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-sa.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-service.yaml new file mode 100644 index 0000000000..e7a4afa736 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/metadata-ui-service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: ui + labels: + app: metadata-ui +spec: + ports: + - port: 80 + targetPort: 3000 + selector: + app: metadata-ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/params.env new file mode 100644 index 0000000000..def9236f86 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/base/params.env @@ -0,0 +1 @@ +uiClusterDomain=cluster.local diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/application.yaml new file mode 100644 index 0000000000..dc63d231c7 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/application.yaml @@ -0,0 +1,40 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: metadata +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ConfigMap + - group: core + kind: ServiceAccount + descriptor: + description: Tracking and managing metadata of machine learning workflows in Kubeflow. + keywords: + - metadata + links: + - description: Docs + url: https://www.kubeflow.org/docs/components/misc/metadata/ + maintainers: + - email: zhenghui@google.com + name: Zhenghui Wang + owners: + - email: ajaygopinathan@google.com + name: Ajay Gopinathan + - email: zhenghui@google.com + name: Zhenghui Wang + type: metadata + version: alpha + selector: + matchLabels: + app.kubernetes.io/component: metadata + app.kubernetes.io/instance: metadata-0.2.1 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: metadata + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.2.1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..a1297a1a1c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: metadata + app.kubernetes.io/name: metadata +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/kustomization.yaml new file mode 100644 index 0000000000..32bb9f4c42 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/kustomization.yaml @@ -0,0 +1,34 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + kustomize.component: metadata +namespace: kubeflow +generatorOptions: + # name suffix hash is not propagated correctly to base resources + disableNameSuffixHash: true +configMapGenerator: +- name: metadata-db-parameters + env: params.env +secretGenerator: +- name: metadata-db-secrets + env: secrets.env +bases: +- ../../base +resources: +- metadata-db-pvc.yaml +- metadata-db-deployment.yaml +- metadata-db-service.yaml +patchesStrategicMerge: +- metadata-deployment.yaml +images: +- name: mysql + newName: mysql + newTag: 8.0.3 +vars: +- name: metadata-db-service + objref: + kind: Service + name: metadata-db + apiVersion: v1 + fieldref: + fieldpath: metadata.name \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-deployment.yaml new file mode 100644 index 0000000000..c766db38ac --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-deployment.yaml 
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-db
+ labels:
+ component: db
+spec:
+ selector:
+ matchLabels:
+ component: db
+ replicas: 1
+ template:
+ metadata:
+ name: db
+ labels:
+ component: db
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: db-container
+ image: mysql:8.0.3
+ args:
+ - --datadir
+ - /var/lib/mysql/datadir
+ envFrom:
+ - configMapRef:
+ name: metadata-db-parameters
+ - secretRef:
+ name: metadata-db-secrets
+ ports:
+ - name: dbapi
+ containerPort: 3306
+ readinessProbe:
+ exec:
+ command:
+ - "/bin/bash"
+ - "-c"
+ - "mysql -D $$MYSQL_DATABASE -p$$MYSQL_ROOT_PASSWORD -e 'SELECT 1'"
+ initialDelaySeconds: 5
+ periodSeconds: 2
+ timeoutSeconds: 1
+ volumeMounts:
+ - name: metadata-mysql
+ mountPath: /var/lib/mysql
+ volumes:
+ - name: metadata-mysql
+ persistentVolumeClaim:
+ claimName: metadata-mysql
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-pvc.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-pvc.yaml
new file mode 100644
index 0000000000..b1c083d9f4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-pvc.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: metadata-mysql
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-service.yaml
new file mode 100644
index 0000000000..b7a6401714
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-db-service.yaml
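Review bot: The readiness probe in the `metadata-db` Deployment puts the root password on the client command line (`-p$$MYSQL_ROOT_PASSWORD`), and it runs every two seconds. Command-line arguments are readable through the process list by anything sharing the container's PID namespace or with node access; the mysql client can take the password from the `MYSQL_PWD` environment variable or an option file instead. The probe also authenticates as root, so a dedicated low-privilege account for health checks would be a better fit.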
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: metadata-db + labels: + component: db +spec: + type: ClusterIP + ports: + - port: 3306 + protocol: TCP + name: dbapi + selector: + component: db diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-deployment.yaml new file mode 100644 index 0000000000..b30d34d8f1 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/metadata-deployment.yaml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment + labels: + component: server +spec: + replicas: 1 + selector: + matchLabels: + component: server + template: + metadata: + labels: + component: server + spec: + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + command: ["./server/server", + "--http_port=8080", + "--mysql_service_host=$(metadata-db-service)", + "--mysql_service_port=$(MYSQL_PORT)", + "--mysql_service_user=$(MYSQL_USER_NAME)", + "--mysql_service_password=$(MYSQL_ROOT_PASSWORD)", + "--mlmd_db_name=$(MYSQL_DATABASE)"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grpc-deployment + labels: + component: grpc-server +spec: + replicas: 1 + selector: + matchLabels: + component: grpc-server + template: + metadata: + labels: + component: grpc-server + spec: + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + - configMapRef: + name: grpc-configmap + args: ["--grpc_port=$(METADATA_GRPC_SERVICE_PORT)", + "--mysql_config_host=$(metadata-db-service)", + "--mysql_config_database=$(MYSQL_DATABASE)", + "--mysql_config_port=$(MYSQL_PORT)", + "--mysql_config_user=$(MYSQL_USER_NAME)", + "--mysql_config_password=$(MYSQL_ROOT_PASSWORD)" + ] 
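Review bot: Both containers patched in overlays/db/metadata-deployment.yaml receive the database password as an argument (`--mysql_service_password=$(MYSQL_ROOT_PASSWORD)` and `--mysql_config_password=$(MYSQL_ROOT_PASSWORD)`), so after expansion the clear-text value sits in each process's argv. The external-mysql and google-cloudsql overlays later in the patch use the same pattern with `$(MYSQL_PASSWORD)`. The value is already in the container environment through `secretRef`, so if the binaries can read it from the environment or a mounted file, that is preferable; whether they can is not visible here. These services also connect as MySQL `root` (see `MYSQL_USER_NAME=root` in secrets.env); a dedicated account limited to the metadata database would contain a compromise of either server.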
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/params.env
new file mode 100644
index 0000000000..5ab2adb3bb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/params.env
@@ -0,0 +1,3 @@
+MYSQL_DATABASE=metadb
+MYSQL_PORT=3306
+MYSQL_ALLOW_EMPTY_PASSWORD=true
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/secrets.env b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/secrets.env
new file mode 100644
index 0000000000..44ac2ee398
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/db/secrets.env
@@ -0,0 +1,2 @@
+MYSQL_USER_NAME=root
+MYSQL_ROOT_PASSWORD=test
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/kustomization.yaml
new file mode 100644
index 0000000000..0d2de7434b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ kustomize.component: metadata
+configMapGenerator:
+- name: metadata-db-parameters
+ env: params.env
+secretGenerator:
+- name: metadata-db-secrets
+ env: secrets.env
+bases:
+- ../../base
+patchesStrategicMerge:
+- metadata-deployment.yaml
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/metadata-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/metadata-deployment.yaml
new file mode 100644
index 0000000000..44641268ba
--- /dev/null
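Review bot: overlays/db/secrets.env commits the database credentials `MYSQL_USER_NAME=root` and `MYSQL_ROOT_PASSWORD=test`, and the `secretGenerator` in overlays/db/kustomization.yaml turns them into the `metadata-db-secrets` Secret. metadata/v3/kustomization.yaml pulls in `../overlays/db`, so unless something outside this patch overrides it, the new cluster's database starts with that root password. I would keep only a placeholder such as `MYSQL_ROOT_PASSWORD=<set-at-deploy-time>` in the repository and create the real Secret outside version control. `MYSQL_ALLOW_EMPTY_PASSWORD=true` in params.env looks unnecessary once a root password is supplied and is worth removing.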
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/metadata-deployment.yaml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment + labels: + component: server +spec: + replicas: 1 + selector: + matchLabels: + component: server + template: + metadata: + labels: + component: server + spec: + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + command: ["./server/server", + "--http_port=8080", + "--mysql_service_host=$(MYSQL_HOST)", + "--mysql_service_port=$(MYSQL_PORT)", + "--mysql_service_user=$(MYSQL_USERNAME)", + "--mysql_service_password=$(MYSQL_PASSWORD)", + "--mlmd_db_name=$(MYSQL_DATABASE)"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grpc-deployment + labels: + component: grpc-server +spec: + replicas: 1 + selector: + matchLabels: + component: grpc-server + template: + metadata: + labels: + component: grpc-server + spec: + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + - configMapRef: + name: grpc-configmap + args: ["--grpc_port=$(METADATA_GRPC_SERVICE_PORT)", + "--mysql_config_host=$(MYSQL_HOST)", + "--mysql_config_database=$(MYSQL_DATABASE)", + "--mysql_config_port=$(MYSQL_PORT)", + "--mysql_config_user=$(MYSQL_USERNAME)", + "--mysql_config_password=$(MYSQL_PASSWORD)" + ] diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/params.env new file mode 100644 index 0000000000..2ef4580bae --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/params.env @@ -0,0 +1,4 @@ +MYSQL_HOST=external_host +MYSQL_DATABASE=metadb +MYSQL_PORT=3306 +MYSQL_ALLOW_EMPTY_PASSWORD=true \ No newline at end of file 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/secrets.env b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/secrets.env
new file mode 100644
index 0000000000..e3f483e288
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/external-mysql/secrets.env
@@ -0,0 +1,2 @@
+MYSQL_USERNAME=root
+MYSQ_PASSWORD=test
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/README.md
new file mode 100644
index 0000000000..47632ce43b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/README.md
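Review bot: The key `MYSQ_PASSWORD` in external-mysql/secrets.env is misspelled; the overlay's metadata-deployment.yaml reads `$(MYSQL_PASSWORD)`. Kubernetes leaves an unresolved `$(VAR)` reference unchanged, so both servers would be started with the literal text `$(MYSQL_PASSWORD)` as the password rather than failing at deploy time. The line should read `MYSQL_PASSWORD=<set-at-deploy-time>`, with the real value supplied outside version control rather than the committed `test`.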
@@ -0,0 +1,58 @@ +This directory contains configurations and guidelines on setting up metadata services to connect to a [Google CloudSQL](https://cloud.google.com/sql) instance. +You will get all the benefits of using CloudSQL comparing to managing your own MySQL server in a Kubernetes cluster. + +#### Prerequisites +- Install [kustomize](https://github.com/kubernetes-sigs/kustomize) for building Kubernetes configurations. +- Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) for managing workloads on Kubernetes clusters. + +#### 0. Remove default metadata services. +By default, Metadata component starts a MySQL server in `kubeflow` namespace. Since we are going to deploy metadata services with CloudSQL, you should delete the default services by running + +``` +kustomize build metadata/overlays/db | kubectl delete -n kubeflow -f - +``` + +#### 1. Create a CloudSQL instance. + +If you don't have an existing one, you need to [create a CloudSQL instance](https://cloud.google.com/sql/docs/mysql/create-instance) of type MySQL in your GCP project. +If you want to connect the instance via private IP, you also need to enable the private IP configuration when creating the instance. + +#### 2. Create a Kubernetes secret for accessing the CloudSQL instance. +You can follow [this guide](https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#secrets) +to set up a [service account with permissions](https://cloud.google.com/sql/docs/mysql/sql-proxy#create-service-account) to connect to the instance, download the JSON key file, and name it `credentials.json`. +You need to create a secret via command: +``` +kubectl create secret -n kubeflow generic cloudsql-instance-credentials --from-file /credentials.json +``` +Note that you must name the key file `credentials.json`, because we will later refer to this file name in the deployment configuration. + +#### 3. Create a Kubernetes secret for MySQL account and password. 
+Besides the service account with permissions, the metadata services also need a MySQL account name and password to be authenticated for accessing databases. Secret is the way how Kubernetes manages sensitive information. + +You need to [create a secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) under `kubeflow` namespace with name `metadata-db-secrets`, containing values of `MYSQL_USERNAME` and `MYSQL_PASSWORD`. +You should be able to see the secret after its creation via command: +``` +kubectl describe secrets -n kubeflow metadata-db-secrets + +Name: metadata-db-secrets +Namespace: kubeflow +Labels: kustomize.component=metadata +Annotations: +Type: Opaque + +Data +==== +MYSQL_PASSWORD: 9 bytes +MYSQL_USERNAME: 4 bytes +``` + +#### 4. Specify the instance connection name. +Change the value of `MYSQL_INSTANCE` in `params.env` to your CloudSQL instance connection name. The connection name is in the form of `::`. + +#### 5. Start metadata services with CloudSQL proxy. +Start metadata services with CloudSQL proxy sidecar containers via command: +``` +kustomize build metadata/overlays/google-cloudsql | kubectl apply -n kubeflow -f - +``` +You may find the CloudSQL proxy container logs useful to debug connection errors. + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/kustomization.yaml new file mode 100644 index 0000000000..1c53d55c02 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/kustomization.yaml 
@@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +generatorOptions: + # name suffix hash is not propagated correctly to base resources due to + # https://github.com/kubernetes-sigs/kustomize/issues/1301 + disableNameSuffixHash: true +commonLabels: + kustomize.component: metadata +configMapGenerator: +- name: metadata-db-parameters + env: params.env +bases: +- ../../base +patchesStrategicMerge: +- metadata-deployment.yaml \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/metadata-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/metadata-deployment.yaml new file mode 100644 index 0000000000..8097e7db2f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/metadata-deployment.yaml 
@@ -0,0 +1,108 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment + labels: + component: server +spec: + replicas: 1 + selector: + matchLabels: + component: server + template: + metadata: + labels: + component: server + spec: + volumes: + - name: cloudsql-instance-credentials + secret: + secretName: cloudsql-instance-credentials + containers: + - name: cloudsql-proxy + envFrom: + - configMapRef: + name: metadata-db-parameters + image: gcr.io/cloudsql-docker/gce-proxy:1.16 + command: ["/cloud_sql_proxy", + "-instances=$(MYSQL_INSTANCE)=tcp:3306", + # If running on a VPC, the Cloud SQL proxy can connect via Private IP. See: + # https://cloud.google.com/sql/docs/mysql/private-ip for more info. + # "-ip_address_types=PRIVATE", + "-credential_file=/secrets/cloudsql/credentials.json"] + securityContext: + runAsUser: 2 # non-root user + allowPrivilegeEscalation: false + volumeMounts: + - name: cloudsql-instance-credentials + mountPath: /secrets/cloudsql + readOnly: true + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + command: ["./server/server", + "--http_port=8080", + "--mysql_service_host=$(MYSQL_HOST)", + "--mysql_service_port=$(MYSQL_PORT)", + "--mysql_service_user=$(MYSQL_USERNAME)", + "--mysql_service_password=$(MYSQL_PASSWORD)", + "--mlmd_db_name=$(MYSQL_DATABASE)"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grpc-deployment + labels: + component: grpc-server +spec: + replicas: 1 + selector: + matchLabels: + component: grpc-server + template: + metadata: + labels: + component: grpc-server + spec: + volumes: + - name: cloudsql-instance-credentials + secret: + secretName: cloudsql-instance-credentials + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + - configMapRef: + name: metadata-grpc-configmap + args: ["--grpc_port=$(METADATA_GRPC_SERVICE_PORT)", + 
"--mysql_config_host=$(MYSQL_HOST)", + "--mysql_config_database=$(MYSQL_DATABASE)", + "--mysql_config_port=$(MYSQL_PORT)", + "--mysql_config_user=$(MYSQL_USERNAME)", + "--mysql_config_password=$(MYSQL_PASSWORD)" + ] + - name: cloudsql-proxy + envFrom: + - configMapRef: + name: metadata-db-parameters + image: gcr.io/cloudsql-docker/gce-proxy:1.16 + command: ["/cloud_sql_proxy", + "-instances=$(MYSQL_INSTANCE)=tcp:3306", + # If running on a VPC, the Cloud SQL proxy can connect via Private IP. See: + # https://cloud.google.com/sql/docs/mysql/private-ip for more info. + # "-ip_address_types=PRIVATE", + "-credential_file=/secrets/cloudsql/credentials.json"] + securityContext: + runAsUser: 2 # non-root user + allowPrivilegeEscalation: false + volumeMounts: + - name: cloudsql-instance-credentials + mountPath: /secrets/cloudsql + readOnly: true + diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/params.env new file mode 100644 index 0000000000..203ba0d10d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/google-cloudsql/params.env @@ -0,0 +1,5 @@ +MYSQL_HOST=127.0.0.1 +MYSQL_DATABASE=metadb +MYSQL_PORT=3306 +MYSQL_ALLOW_EMPTY_PASSWORD=true +MYSQL_INSTANCE=your-project:your-region:your-mysql-instance-id \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/ibm-storage-config/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/ibm-storage-config/kustomization.yaml new file mode 100644 index 0000000000..d9f7b8e31b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/ibm-storage-config/kustomization.yaml 
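Review bot: Both Deployments in google-cloudsql/metadata-deployment.yaml hand the proxy a long-lived service-account key through `-credential_file=/secrets/cloudsql/credentials.json`. On GKE the proxy can use the pod's own identity (Workload Identity) when that flag is omitted, which removes the exported key and the `cloudsql-instance-credentials` volume; whether this cluster has Workload Identity enabled is not visible in this part of the patch. The `cloudsql-proxy` containers set `runAsUser: 2` and `allowPrivilegeEscalation: false`, but the `container` entries beside them get no `securityContext`. Also, `grpc-deployment` here references `metadata-grpc-configmap` where the base and the other overlays use `grpc-configmap`; it is worth confirming which name survives kustomize's name transformation.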
@@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +images: + - name: mysql + newTag: "5.6" + newName: mysql diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..8ce7379167 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +- virtual-service-metadata-grpc.yaml +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service-metadata-grpc.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service-metadata-grpc.yaml new file mode 100644 index 0000000000..ee316ed639 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service-metadata-grpc.yaml 
@@ -0,0 +1,21 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: metadata-grpc +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /ml_metadata + rewrite: + uri: /ml_metadata + route: + - destination: + host: $(metadata-envoy-service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 9090 + timeout: 300s diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000000..8e3e13050d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/overlays/istio/virtual-service.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: metadata-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /metadata + rewrite: + uri: /metadata + route: + - destination: + host: $(metadata-service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 80 + timeout: 300s diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/kustomization.yaml new file mode 100644 index 0000000000..ad9706bf14 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../overlays/db +- ../overlays/istio/virtual-service.yaml +- ../overlays/istio/virtual-service-metadata-grpc.yaml +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null 
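Review bot: Both VirtualServices (`metadata-grpc` in this hunk and `metadata-ui` in the next) match `hosts: '*'` on `kubeflow-gateway` and route to pods that opt out of sidecar injection, so the gateway's request-authentication policy is the only check in front of `/ml_metadata` and `/metadata`. The commit description says the ingress policy will be changed to validate IAP and Dialogflow JWTs differently; whatever exemption is made for the webhook path must not also match these two prefixes. A comment on each `match` block stating which policy is expected to cover it, e.g. `# must stay behind IAP JWT validation`, would make that dependency explicit.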
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/metadata/v3/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-deployment.yaml new file mode 100644 index 0000000000..cf66617264 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-deployment.yaml @@ -0,0 +1,39 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: modeldb + name: modeldb-artifact-store +spec: + selector: + matchLabels: + app: modeldb + tier: artifact-store + strategy: + type: Recreate + template: + metadata: + labels: + app: modeldb + tier: artifact-store + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - env: + - name: VERTA_ARTIFACT_CONFIG + value: /config/config.yaml + image: vertaaiofficial/modeldb-artifact-store:kubeflow + imagePullPolicy: Always + name: modeldb-artifact-store + ports: + - containerPort: 8086 + volumeMounts: + - mountPath: /config + name: modeldb-artifact-store-config + readOnly: true + volumes: + - configMap: + name: modeldb-artifact-store-config + name: modeldb-artifact-store-config diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-service.yaml new file mode 100644 index 0000000000..35e591f8bb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/artifact-store-service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: modeldb + name: modeldb-artifact-store +spec: + ports: + - port: 8086 + targetPort: 8086 + selector: + app: modeldb + tier: artifact-store + type: ClusterIP 
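Review bot: `modeldb-artifact-store` runs `vertaaiofficial/modeldb-artifact-store:kubeflow` with `imagePullPolicy: Always`, so every pod restart pulls whatever that mutable Docker Hub tag points to at that moment. backend-deployment.yaml and the `images:` list in modeldb/base/kustomization.yaml do the same for the other `vertaaiofficial/*` images. Pinning each entry in the kustomization with `digest: sha256:<digest-of-reviewed-image>` instead of `newTag: kubeflow` makes the deployed content reproducible and reviewable.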
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-deployment.yaml
new file mode 100644
index 0000000000..361562b628
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-deployment.yaml
@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: modeldb
+ name: modeldb-backend
+spec:
+ selector:
+ matchLabels:
+ app: modeldb
+ tier: backend
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: modeldb
+ tier: backend
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - env:
+ - name: VERTA_MODELDB_CONFIG
+ value: /config-backend/config.yaml
+ image: vertaaiofficial/modeldb-backend:kubeflow
+ imagePullPolicy: Always
+ name: modeldb-backend
+ ports:
+ - containerPort: 8085
+ volumeMounts:
+ - mountPath: /config-backend
+ name: modeldb-backend-secret-volume
+ readOnly: true
+ volumes:
+ - name: modeldb-backend-secret-volume
+ secret:
+ secretName: modeldb-backend-config-secret
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-proxy-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-proxy-service.yaml
new file mode 100644
index 0000000000..20ed7bb52b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-proxy-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: modeldb
+ name: modeldb-backend-proxy
+spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ app: modeldb
+ tier: backend-proxy
+ type: LoadBalancer
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-service.yaml
new file mode 100644
index 0000000000..8a7e25a0bc
--- /dev/null
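Review bot: backend-proxy-service.yaml sets `type: LoadBalancer`, and backend-service.yaml in the next file does the same for port 8085. On GKE that provisions an external IP by default, which would publish the ModelDB backend and its proxy outside the cluster, bypassing the Istio gateway, and nothing in these manifests shows authentication on those ports. The other ModelDB services in this patch use `type: ClusterIP`; I would use that here as well and expose the backend through the gateway only if it is needed.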
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/backend-service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: modeldb
+ name: modeldb-backend
+spec:
+ ports:
+ - port: 8085
+ selector:
+ app: modeldb
+ tier: backend
+ type: LoadBalancer
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/configmap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/configmap.yaml
new file mode 100644
index 0000000000..d9a11347a6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/configmap.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+data:
+ config.yaml: |-
+ #ArtifactStore Properties
+ artifactStore_grpcServer:
+ port: 8086
+
+ artifactStoreConfig:
+ initializeBuckets: false
+ storageTypeName: amazonS3 #amazonS3, googleCloudStorage, nfs
+ #nfsRootPath: /path/to/my/nfs/storage/location
+ bucket_names:
+ - artifactstoredemo
+kind: ConfigMap
+metadata:
+ name: modeldb-artifact-store-config
+type: Opaque
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/kustomization.yaml
new file mode 100644
index 0000000000..e7004fd075
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/kustomization.yaml
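Review bot: `type: Opaque` on the last line of configmap.yaml is a Secret field; a ConfigMap has no `type`. Depending on how the manifest is applied, the unknown field is either rejected by schema validation or silently dropped, so I would delete that line. If the artifact-store configuration is ever going to hold storage credentials for the `amazonS3` backend, it belongs in a Secret like the backend's `modeldb-backend-config-secret` rather than in this ConfigMap.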
@@ -0,0 +1,35 @@ +namePrefix: modeldb- + +resources: +- artifact-store-deployment.yaml +- artifact-store-service.yaml +- backend-deployment.yaml +- backend-proxy-service.yaml +- backend-service.yaml +- configmap.yaml +- mysql-backend-deployment.yaml +- mysql-service.yaml +- persistent-volume-claim.yaml +- proxy-deployment.yaml +- secret.yaml +- webapp-deplyment.yaml +- webapp-service.yaml + +commonLabels: + kustomize.component: modeldb +images: +- name: vertaaiofficial/modeldb-frontend + newName: vertaaiofficial/modeldb-frontend + newTag: kubeflow +- name: vertaaiofficial/modeldb-backend + newName: vertaaiofficial/modeldb-backend + newTag: kubeflow +- name: vertaaiofficial/modeldb-artifact-store + newName: vertaaiofficial/modeldb-artifact-store + newTag: kubeflow +- name: mysql + newName: mysql + newTag: '5.7' +- name: vertaaiofficial/modeldb-backend-proxy + newName: vertaaiofficial/modeldb-backend-proxy + newTag: kubeflow diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-backend-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-backend-deployment.yaml new file mode 100644 index 0000000000..875c0cdb07 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-backend-deployment.yaml 
@@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: modeldb + name: modeldb-mysql-backend +spec: + selector: + matchLabels: + app: modeldb + tier: mysql + strategy: + type: Recreate + template: + metadata: + labels: + app: modeldb + tier: mysql + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - args: + - --ignore-db-dir=lost+found + env: + - name: MYSQL_ROOT_PASSWORD + value: root + image: mysql:5.7 + imagePullPolicy: Always + name: modeldb-mysql-backend + ports: + - containerPort: 3306 + volumeMounts: + - mountPath: /var/lib/mysql + name: modeldb-mysql-persistent-storage + volumes: + - name: modeldb-mysql-persistent-storage + persistentVolumeClaim: + claimName: modeldb-mysql-pv-claim diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-service.yaml new file mode 100644 index 0000000000..70558e8cd2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/mysql-service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: modeldb + name: modeldb-mysql-backend +spec: + ports: + - port: 3306 + targetPort: 3306 + selector: + app: modeldb + tier: mysql + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/persistent-volume-claim.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/persistent-volume-claim.yaml new file mode 100644 index 0000000000..d7bfea86c5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/persistent-volume-claim.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app: modeldb + name: modeldb-mysql-pv-claim +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi 
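Review bot: The MySQL root password is set in clear text in mysql-backend-deployment.yaml (`MYSQL_ROOT_PASSWORD` with `value: root`), so it is readable by anyone who can read the Deployment or this repository, and it is trivially guessable. secret.yaml repeats it as `RdbUsername: root` / `RdbPassword: root`, so the backend also connects as the database superuser. The env entry should take its value from a Secret created outside the repository, and the backend should get a dedicated, less privileged account. The secret name and key in the sketch below are placeholders.

```yaml
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: REPLACE-WITH-SECRET-NAME  # placeholder
              key: REPLACE-WITH-KEY           # placeholder
```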
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/proxy-deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/proxy-deployment.yaml new file mode 100644 index 0000000000..30d583944e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/proxy-deployment.yaml @@ -0,0 +1,36 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: modeldb + name: modeldb-backend-proxy +spec: + selector: + matchLabels: + app: modeldb + tier: backend-proxy + strategy: + type: Recreate + template: + metadata: + labels: + app: modeldb + tier: backend-proxy + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - args: + - -project_endpoint + - modeldb-backend:8085 + - -experiment_endpoint + - modeldb-backend:8085 + - -experiment_run_endpoint + - modeldb-backend:8085 + command: + - /go/bin/proxy + image: vertaaiofficial/modeldb-backend-proxy:kubeflow + imagePullPolicy: Always + name: modeldb-backend-proxy + ports: + - containerPort: 8080 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/secret.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/secret.yaml new file mode 100644 index 0000000000..086b5259e1 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/secret.yaml 
@@ -0,0 +1,40 @@ +apiVersion: v1 +kind: Secret +metadata: + name: modeldb-backend-config-secret +stringData: + config.yaml: |- + #ModelDB Properties + grpcServer: + port: 8085 + + #Entity name list + entities: + projectEntity: Project + experimentEntity: Experiment + experimentRunEntity: ExperimentRun + artifactStoreMappingEntity: ArtifactStoreMapping + jobEntity: Job + collaboratorEntity: Collaborator + + # Database settings (type mysql, mongodb, couchbasedb etc..) + database: + DBType: rdbms + RdbConfiguration: + RdbDatabaseName: modeldb + RdbDriver: "com.mysql.cj.jdbc.Driver" + RdbDialect: "org.hibernate.dialect.MySQL5Dialect" + RdbUrl: "jdbc:mysql://modeldb-mysql-backend:3306" + RdbUsername: root + RdbPassword: root + + #ArtifactStore Properties + artifactStore_grpcServer: + host: artifact-store-backend + port: 8086 + + #AuthService Properties + authService: + host: #uacservice # Docker container name OR docker IP + port: #50051 +type: Opaque diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-deplyment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-deplyment.yaml new file mode 100644 index 0000000000..bf01fc6d5b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-deplyment.yaml @@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: modeldb + name: modeldb-webapp +spec: + selector: + matchLabels: + app: modeldb + tier: webapp + strategy: + type: Recreate + template: + metadata: + labels: + app: modeldb + tier: webapp + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - image: vertaaiofficial/modeldb-frontend:kubeflow + imagePullPolicy: Always + name: modeldb-webapp + ports: + - containerPort: 3000 
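Review bot: In secret.yaml the `authService` block has `host:` and `port:` with their values commented out (`#uacservice`, `#50051`), so both keys parse as null. Presumably this leaves the ModelDB backend running without an auth service; that is worth confirming against the backend's behaviour, because the Services for this component are `type: LoadBalancer`. If it is intentional, a comment above the block such as `# authService left unset: backend runs without authentication` would make the choice visible to whoever deploys this.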
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-service.yaml new file mode 100644 index 0000000000..2ef6718181 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/modeldb/base/webapp-service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: modeldb + name: modeldb-webapp +spec: + ports: + - port: 80 + targetPort: 3000 + selector: + app: modeldb + tier: webapp + type: LoadBalancer diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..cc5e4615a5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role-binding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: mpi-operator + name: mpi-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mpi-operator +subjects: +- kind: ServiceAccount + name: mpi-operator diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role.yaml new file mode 100644 index 0000000000..e0d79d4797 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/cluster-role.yaml 
@@ -0,0 +1,162 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: mpi-operator + name: mpi-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + verbs: + - create + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - list + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - list + - update + - watch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - create + - list + - update + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - list + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get +- apiGroups: + - kubeflow.org + resources: + - mpijobs + - mpijobs/finalizers + - mpijobs/status + verbs: + - "*" +- apiGroups: + - scheduling.incubator.k8s.io + - scheduling.sigs.dev + resources: + - queues + - podgroups + verbs: + - "*" + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-mpijobs-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-mpijobs-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true" +rules: +- apiGroups: + - kubeflow.org + 
resources: + - mpijobs + - mpijobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-mpijobs-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - mpijobs + - mpijobs/status + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/crd.yaml new file mode 100644 index 0000000000..a576df3f15 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/crd.yaml 
@@ -0,0 +1,150 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: mpijobs.kubeflow.org +spec: + group: kubeflow.org + scope: Namespaced + names: + plural: mpijobs + singular: mpijob + kind: MPIJob + shortNames: + - mj + - mpij + versions: + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + properties: + spec: + title: The MPIJob spec + description: Only one of gpus, processingUnits, or replicas should be specified + oneOf: + - properties: + gpus: + title: Total number of GPUs + description: Valid values are 1, 2, 4, or any multiple of 8 + oneOf: + - type: integer + enum: + - 1 + - 2 + - 4 + - type: integer + multipleOf: 8 + minimum: 8 + slotsPerWorker: + title: The number of slots per worker used in hostfile + description: Defaults to the number of processing units per worker + type: integer + minimum: 1 + gpusPerNode: + title: The maximum number of GPUs available per node + description: Defaults to the number of GPUs per worker + type: integer + minimum: 1 + required: + - gpus + - properties: + processingUnits: + title: Total number of processing units + description: Valid values are 1, 2, 4, or any multiple of 8 + oneOf: + - type: integer + enum: + - 1 + - 2 + - 4 + - type: integer + multipleOf: 8 + minimum: 8 + slotsPerWorker: + title: The number of slots per worker used in hostfile + description: Defaults to the number of processing units per worker + type: integer + minimum: 1 + processingUnitsPerNode: + title: The maximum number of processing units available per node + description: Defaults to the number of processing units per worker + type: integer + minimum: 1 + processingResourceType: + title: The processing resource type, e.g. 
'nvidia.com/gpu' or 'cpu' + description: Defaults to 'nvidia.com/gpu' + type: string + enum: + - nvidia.com/gpu + - cpu + required: + - processingUnits + - properties: + replicas: + title: Total number of replicas + description: The processing resource limit should be specified for each replica + type: integer + minimum: 1 + slotsPerWorker: + title: The number of slots per worker used in hostfile + description: Defaults to the number of processing units per worker + type: integer + minimum: 1 + processingResourceType: + title: The processing resource type, e.g. 'nvidia.com/gpu' or 'cpu' + description: Defaults to 'nvidia.com/gpu' + type: string + enum: + - nvidia.com/gpu + - cpu + required: + - replicas + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + properties: + spec: + properties: + slotsPerWorker: + type: integer + minimum: 1 + mpiReplicaSpecs: + properties: + Launcher: + properties: + replicas: + type: integer + minimum: 1 + maximum: 1 + Worker: + properties: + replicas: + type: integer + minimum: 1 + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + spec: + properties: + slotsPerWorker: + type: integer + minimum: 1 + mpiReplicaSpecs: + properties: + Launcher: + properties: + replicas: + type: integer + minimum: 1 + maximum: 1 + Worker: + properties: + replicas: + type: integer + minimum: 1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/deployment.yaml new file mode 100644 index 0000000000..bf40e6cffd --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/deployment.yaml 
@@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mpi-operator +spec: + replicas: 1 + selector: + matchLabels: + app: mpi-operator + template: + metadata: + labels: + app: mpi-operator + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - args: + - -alsologtostderr + - --lock-namespace + - $(lock-namespace) + - --kubectl-delivery-image + - $(kubectl-delivery-image) + image: mpioperator/mpi-operator:latest + imagePullPolicy: Always + name: mpi-operator + serviceAccountName: mpi-operator diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/kustomization.yaml new file mode 100644 index 0000000000..dd325fe4c8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/kustomization.yaml @@ -0,0 +1,36 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- crd.yaml +- deployment.yaml +- service-account.yaml +commonLabels: + kustomize.component: mpi-operator +images: +- name: mpioperator/mpi-operator + newName: mpioperator/mpi-operator + newTag: latest +configMapGenerator: +- name: mpi-operator-config + envs: + - params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: kubectl-delivery-image + objref: + kind: ConfigMap + name: mpi-operator-config + apiVersion: v1 + fieldref: + fieldpath: data.kubectl-delivery-image +- name: lock-namespace + objref: + kind: ConfigMap + name: mpi-operator-config + apiVersion: v1 + fieldref: + fieldpath: data.lock-namespace diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/params.env new file mode 100644 index 0000000000..2c20d58555 --- /dev/null 
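Review bot: deployment.yaml runs `mpioperator/mpi-operator:latest` with `imagePullPolicy: Always`, so every pod restart pulls whatever the tag points to at that moment, and the pod runs as the `mpi-operator` service account that cluster-role.yaml binds cluster-wide to `create` on `pods/exec` and on `roles`/`rolebindings`. A changed or compromised upstream image would get those permissions without any commit in this repository. kustomization.yaml (`newTag: latest`) and params.env (`kubectl-delivery-image=mpioperator/kubectl-delivery:latest`) carry the same floating tag. In the kustomize `images` entry, `digest: sha256:<digest of the reviewed image>` in place of `newTag: latest` would pin the operator image; the delivery image needs the equivalent pin in params.env.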
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/params.env @@ -0,0 +1,2 @@ +kubectl-delivery-image=mpioperator/kubectl-delivery:latest +lock-namespace=kubeflow \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/service-account.yaml new file mode 100644 index 0000000000..15cf4a0d75 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/base/service-account.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: mpi-operator + name: mpi-operator diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/application.yaml new file mode 100644 index 0000000000..559b4ed3f9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/application.yaml 
@@ -0,0 +1,42 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: mpi-operator +spec: + selector: + matchLabels: + app.kubernetes.io/name: mpi-operator + app.kubernetes.io/instance: mpi-operator + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: mpijob + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v1.0 + componentKinds: + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: MPIJob + descriptor: + type: "mpi-operator" + version: "v1" + description: "Mpi-operator allows users to create and manage the \"MPIJob\" custom resource." + maintainers: + - name: Rong Ou + email: rong.ou@gmail.com + - name: Yuan Tang + email: terrytangyuan@gmail.com + - name: Abhilash Pallerlamudi + email: stp.abhi@gmail.com + owners: + - name: Rong Ou + email: rong.ou@gmail.com + - name: Yuan Tang + email: terrytangyuan@gmail.com + keywords: + - "mpijob" + - "mpi-operator" + links: + - description: About + url: "https://github.com/kubeflow/mpi-operator" diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..0da42d7d59 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mpi-job/mpi-operator/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: mpijob + app.kubernetes.io/name: mpi-operator +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..d201e5fc84 
--- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role-binding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: mxnet-operator + name: mxnet-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mxnet-operator +subjects: +- kind: ServiceAccount + name: mxnet-operator \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role.yaml new file mode 100644 index 0000000000..4d3674ddc9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/cluster-role.yaml 
@@ -0,0 +1,107 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: mxnet-operator + name: mxnet-operator +rules: +- apiGroups: + - kubeflow.org + resources: + - mxjobs + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + - pods + - services + - endpoints + - persistentvolumeclaims + - events + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - deployments + verbs: + - '*' + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-mxjobs-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-mxjobs-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - mxjobs + - mxjobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-mxjobs-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - mxjobs + - mxjobs/status + verbs: + - get + - list + - watch \ No newline at end of file 
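Review bot: The `mxnet-operator` ClusterRole grants `'*'` on `customresourcedefinitions`, `storageclasses`, `deployments`, `jobs` and on core `pods`, `services`, `configmaps`, `endpoints`, `persistentvolumeclaims` and `events` across all namespaces, which is much broader than what the `mpi-operator` role in this same patch lists for a comparable controller. With wildcard verbs on CRDs and storage classes, a compromise of the operator pod puts cluster-scoped objects that other components depend on at risk. The rules should enumerate the verbs the operator actually uses, for example `create` and `get` on `customresourcedefinitions` as the mpi-operator role does, and drop `storageclasses` if nothing in the operator touches it; that last point needs checking against the operator source. The role and its binding also use `rbac.authorization.k8s.io/v1beta1`, while the aggregated roles below it already use `v1`.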
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/crd.yaml new file mode 100644 index 0000000000..447ebb46d0 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/crd.yaml @@ -0,0 +1,12 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: mxjobs.kubeflow.org +spec: + group: kubeflow.org + names: + kind: MXJob + plural: mxjobs + singular: mxjob + version: v1beta1 + scope: Namespaced diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/deployment.yaml new file mode 100644 index 0000000000..b7de789f14 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/deployment.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mxnet-operator +spec: + replicas: 1 + template: + metadata: + labels: + name: mxnet-operator + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - command: + - /opt/kubeflow/mxnet-operator.v1beta1 + - --alsologtostderr + - -v=1 + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: mxjob/mxnet-operator:v1beta1 + imagePullPolicy: Always + name: mxnet-operator + serviceAccountName: mxnet-operator diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/kustomization.yaml new file mode 100644 index 0000000000..b5d31a776c --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- crd.yaml +- deployment.yaml +- service-account.yaml +commonLabels: + kustomize.component: mxnet-operator +images: +- name: mxjob/mxnet-operator + newName: mxjob/mxnet-operator + newTag: v1beta1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/service-account.yaml new file mode 100644 index 0000000000..7fb2f1f915 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/base/service-account.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: mxnet-operator + name: mxnet-operator \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/application.yaml new file mode 100644 index 0000000000..9d74aa03e7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/application.yaml 
@@ -0,0 +1,42 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: mxnet-operator +spec: + selector: + matchLabels: + app.kubernetes.io/name: mxnet-operator + app.kubernetes.io/instance: mxnet-operator-v0.7.0 + app.kubernetes.io/component: mxnet + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: MXJob + descriptor: + type: "mxnet-operator" + version: "v1beta1" + description: "mxnet-operator allows users to create and manage the \"MXJob\" custom resource." + maintainers: + - name: Lei Su + email: suleisl2000@hotmail.com + - name: Yuan Tang + email: terrytangyuan@gmail.com + owners: + - name: Lei Su + email: suleisl2000@hotmail.com + - name: Yuan Tang + email: terrytangyuan@gmail.com + keywords: + - "MXjob" + - "mxnet-operator" + - "mxnet-training" + links: + - description: About + url: "https://github.com/kubeflow/mxnet-operator" + addOwnerRef: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..cb3e076d2e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/mxnet-job/mxnet-operator/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: mxnet + app.kubernetes.io/name: mxnet-operator +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/kustomization.yaml new file mode 100644 index 0000000000..a010c146f5 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- namespaces.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/namespaces.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/namespaces.yaml new file mode 100644 index 0000000000..9c37d671c5 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/namespaces/base/namespaces.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kubeflow + labels: + control-plane: kubeflow + istio-injection: enabled + katib-metricscollector-injection: enabled +--- +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/OWNERS new file mode 100644 index 0000000000..dc1ca5846e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/OWNERS @@ -0,0 +1,4 @@ + approvers: + - Bobgy + - IronPan + - rmgogogo diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/config-map.yaml new file mode 100644 index 0000000000..d005eecd1a --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/config-map.yaml 
@@ -0,0 +1,27 @@ +# The configuration for the ML pipelines APIServer +# Based on https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/config/config.json +apiVersion: v1 +data: + # apiserver assumes the config is named config.json + config.json: | + { + "DBConfig": { + "DriverName": "mysql", + "DataSourceName": "", + "DBName": "mlpipeline", + "GroupConcatMaxLen": "4194304" + }, + "ObjectStoreConfig":{ + "AccessKey": "minio", + "SecretAccessKey": "minio123", + "BucketName": "mlpipeline", + "Secure": false + }, + "InitConnectionTimeout": "6m", + "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", + "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 + } +kind: ConfigMap +metadata: + name: ml-pipeline-config diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/deployment.yaml new file mode 100644 index 0000000000..67c3eeb1e6 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/deployment.yaml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: ml-pipeline-api-server + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/ml-pipeline/api-server + imagePullPolicy: IfNotPresent + command: + - apiserver + - --config=/etc/ml-pipeline-config + - --sampleconfig=/config/sample_config.json + - -logtostderr=true + ports: + - containerPort: 8888 + - containerPort: 8887 + volumeMounts: + - name: config-volume + mountPath: /etc/ml-pipeline-config + serviceAccountName: ml-pipeline + volumes: + - name: config-volume + configMap: + name: ml-pipeline-config 
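Review bot: `ObjectStoreConfig` in config-map.yaml carries `"AccessKey": "minio"` and `"SecretAccessKey": "minio123"` inside a ConfigMap, so the object-store credentials are readable by anything with `get` on ConfigMaps in the namespace, and the values are trivially guessable. `"Secure": false` presumably also means the api-server talks to the object store without TLS, and deployment.yaml sets `sidecar.istio.io/inject: "false"`, so mesh mTLS would not cover that connection either. The credentials belong in a Secret with non-default values, injected in whatever way this api-server version supports; I have not verified which mechanism 0.2.5 offers.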
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/kustomization.yaml new file mode 100644 index 0000000000..c6d5fcbfb2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + app: ml-pipeline +resources: +- config-map.yaml +- deployment.yaml +- role-binding.yaml +- role.yaml +- service-account.yaml +- service.yaml +images: +- name: gcr.io/ml-pipeline/api-server + newTag: 0.2.5 + newName: gcr.io/ml-pipeline/api-server diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role-binding.yaml new file mode 100644 index 0000000000..2185bbd511 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: ml-pipeline +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ml-pipeline +subjects: +- kind: ServiceAccount + name: ml-pipeline diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role.yaml new file mode 100644 index 0000000000..a925cc6c2e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/role.yaml 
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+# TODO: Does this need to be changed to a clusterrole?
+# see manifests in kubeflow/pipelines
+kind: Role
+metadata:
+ name: ml-pipeline
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service-account.yaml
new file mode 100644
index 0000000000..95ff3141e6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ml-pipeline
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service.yaml
new file mode 100644
index 0000000000..c708e13cd3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/base/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ml-pipeline
+spec:
+ ports:
+ - name: http
+ port: 8888
+ protocol: TCP
+ targetPort: 8888
+ - name: grpc
+ port: 8887
+ protocol: TCP
+ targetPort: 8887
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/application.yaml
new file mode 100644
index 0000000000..25805d5d9c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: api-service
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ description: ''
+ keywords:
+ - api-service
+ - kubeflow
+ links:
+ - description: About
+ url: ''
+ maintainers: []
+ owners: []
+ type: api-service
+ version: v1beta1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: api-service
+ app.kubernetes.io/instance: api-service-0.2.5
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: api-service
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: 0.2.5
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..a42bf37b74
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: api-service
+ app.kubernetes.io/name: api-service
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/config-map.yaml
new file mode 100644
index 0000000000..f00c842cee
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/config-map.yaml
@@ -0,0 +1,28 @@
+# The configuration for the ML pipelines APIServer
+# Based on https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/config/config.json
+apiVersion: v1
+data:
+ # apiserver assumes the config is named config.json
+ config.json: |
+ {
+ "DBConfig": {
+ "DriverName": "mysql",
+ "DataSourceName": "",
+ "DBName": "mlpipeline",
+ "Host": "$(mysqlHost)",
+ "User": "$(mysqlUser)",
+ "Password": "$(mysqlPassword)"
+ },
+ "ObjectStoreConfig":{
+ "AccessKey": "minio",
+ "SecretAccessKey": "minio123",
+ "BucketName": "mlpipeline"
+ },
+ "InitConnectionTimeout": "6m",
+ "DefaultPipelineRunnerServiceAccount": "pipeline-runner",
+ "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver",
+ "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888
+ }
+kind: ConfigMap
+metadata:
+ name: ml-pipeline-config
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/kustomization.yaml
new file mode 100644
index 0000000000..e86ecf25c6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/kustomization.yaml
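Review bot: `"Password": "$(mysqlPassword)"` renders the external database password into the `ml-pipeline-config` ConfigMap, and the value itself comes from a second ConfigMap, `pipeline-external-mysql-parameters`, which the overlay's `kustomization.yaml` generates from `params.env` (the two hunks that follow). Filling in `mysqlPassword=` therefore puts the password in git and in two ConfigMaps, none of which get the RBAC separation or at-rest encryption options that Secrets have. I would drop `mysqlPassword` from `params.env` and from the `vars` list, keep the password in a Secret created outside the repository, and hand it to the `ml-pipeline-api-server` container with a `secretKeyRef` env entry. Whether the API server accepts the DB password from the environment should be confirmed against its config loader.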
@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- config-map.yaml
+configMapGenerator:
+- name: pipeline-external-mysql-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: mysqlHost
+ objref:
+ kind: ConfigMap
+ name: pipeline-external-mysql-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.mysqlHost
+- name: mysqlUser
+ objref:
+ kind: ConfigMap
+ name: pipeline-external-mysql-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.mysqlUser
+- name: mysqlPassword
+ objref:
+ kind: ConfigMap
+ name: pipeline-external-mysql-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.mysqlPassword
+configurations:
+- params.yaml
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.env
new file mode 100644
index 0000000000..45ae6ec499
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.env
@@ -0,0 +1,3 @@
+mysqlHost=
+mysqlUser=
+mysqlPassword=
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.yaml
new file mode 100644
index 0000000000..93fc4df926
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/external-mysql/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: data
+ kind: ConfigMap
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/deployment.yaml
new file mode 100644
index 0000000000..53541c0489
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/deployment.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-api-server
+ env:
+ - name: DEFAULTPIPELINERUNNERSERVICEACCOUNT
+ value: kf-user
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/kustomization.yaml
new file mode 100644
index 0000000000..9080da8b20
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/api-service/overlays/use-kf-user/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- deployment.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/deployment.yaml
new file mode 100644
index 0000000000..8bd11d397c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+spec:
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: minio
+ args:
+ - server
+ - /data
+ env:
+ - name: MINIO_ACCESS_KEY
+ value: minio
+ - name: MINIO_SECRET_KEY
+ value: minio123
+ image: minio/minio:RELEASE.2018-02-09T22-40-05Z
+ ports:
+ - containerPort: 9000
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ subPath: minio
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: $(minioPvcName)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/kustomization.yaml
new file mode 100644
index 0000000000..fb5241d1ce
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/kustomization.yaml
@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ app: minio
+resources:
+- deployment.yaml
+- secret.yaml
+- service.yaml
+- persistent-volume-claim.yaml
+configMapGenerator:
+- name: pipeline-minio-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: minioPvcName
+ objref:
+ kind: ConfigMap
+ name: pipeline-minio-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.minioPvcName
+images:
+- name: minio/minio
+ newTag: RELEASE.2018-02-09T22-40-05Z
+ newName: minio/minio
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.env
new file mode 100644
index 0000000000..8c50f9eb8e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.env
@@ -0,0 +1 @@
+minioPvcName=
\ No newline at end of file
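Review bot: The MinIO image is pinned to `minio/minio:RELEASE.2018-02-09T22-40-05Z` in the Deployment and again under `images` in `minio/base/kustomization.yaml`, a build more than two years older than this commit (2020-05-21) for the service that stores every pipeline artifact. A new cluster is the cheap moment to move forward: override `newTag` in this cluster's overlay with a current release, ideally pinned by digest, after checking that the data under `/data` upgrades cleanly from the 2018 layout. The container also has no `securityContext` or resource limits, which the same overlay patch could add.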
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.yaml
new file mode 100644
index 0000000000..5f19982ed6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+ kind: Deployment
+- path: metadata/name
+ kind: PersistentVolumeClaim
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/persistent-volume-claim.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/persistent-volume-claim.yaml
new file mode 100644
index 0000000000..4b4cf714b3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/persistent-volume-claim.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: $(minioPvcName)
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/secret.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/secret.yaml
new file mode 100644
index 0000000000..3ae64f1160
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ accesskey: bWluaW8=
+ secretkey: bWluaW8xMjM=
+kind: Secret
+metadata:
+ name: mlpipeline-minio-artifact
+type: Opaque
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/service.yaml
new file mode 100644
index 0000000000..f49cf52859
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/base/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: minio-service
+spec:
+ ports:
+ - port: 9000
+ protocol: TCP
+ targetPort: 9000
+ selector:
+ app: minio
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/application.yaml
new file mode 100644
index 0000000000..8940b33771
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: minio
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ description: ''
+ keywords:
+ - minio
+ - kubeflow
+ links:
+ - description: About
+ url: ''
+ maintainers: []
+ owners: []
+ type: minio
+ version: v1beta1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: minio-0.2.5
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: minio
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: 0.2.5
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..d592946f21
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/name: minio
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/kustomization.yaml
new file mode 100644
index 0000000000..e4c0d3ac26
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/kustomization.yaml
@@ -0,0 +1,31 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- persistent-volume.yaml
+patchesStrategicMerge:
+- persistent-volume-claim.yaml
+configMapGenerator:
+- name: pipeline-minio-parameters
+ behavior: merge
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: minioPd
+ objref:
+ kind: ConfigMap
+ name: pipeline-minio-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.minioPd
+- name: minioPvName
+ objref:
+ kind: ConfigMap
+ name: pipeline-minio-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.minioPvName
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.env
new file mode 100644
index 0000000000..cc3d9a5c42
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.env
@@ -0,0 +1,2 @@
+minioPd=dls-kf-storage-artifact-store
+minioPvName=
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.yaml
new file mode 100644
index 0000000000..ab22818292
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/params.yaml
@@ -0,0 +1,9 @@
+varReference:
+- path: spec/gcePersistentDisk/pdName
+ kind: PersistentVolume
+- path: metadata/name
+ kind: PersistentVolume
+- path: spec/volumeName
+ kind: PersistentVolumeClaim
+- path: metadata/name
+ kind: PersistentVolumeClaim
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume-claim.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume-claim.yaml
new file mode 100644
index 0000000000..44b1f687ad
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume-claim.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: $(minioPvcName)
+spec:
+ volumeName: $(minioPvName)
+ storageClassName: ""
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume.yaml
new file mode 100644
index 0000000000..e8edd40832
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/minio/overlays/minioPd/persistent-volume.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: $(minioPvName)
+spec:
+ capacity:
+ storage: 20Gi
+ accessModes:
+ - ReadWriteOnce
+ gcePersistentDisk:
+ pdName: $(minioPd)
+ fsType: ext4
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/deployment.yaml
new file mode 100644
index 0000000000..34c222cf17
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysql
+spec:
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: mysql
+ env:
+ - name: MYSQL_ALLOW_EMPTY_PASSWORD
+ value: "true"
+ image: mysql:5.6
+ ports:
+ - containerPort: 3306
+ name: mysql
+ volumeMounts:
+ - mountPath: /var/lib/mysql
+ name: mysql-persistent-storage
+ volumes:
+ - name: mysql-persistent-storage
+ persistentVolumeClaim:
+ claimName: $(mysqlPvcName)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/kustomization.yaml
new file mode 100644
index 0000000000..5133fdd554
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/kustomization.yaml
@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ app: mysql
+resources:
+- deployment.yaml
+- service.yaml
+- persistent-volume-claim.yaml
+configMapGenerator:
+- name: pipeline-mysql-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: mysqlPvcName
+ objref:
+ kind: ConfigMap
+ name: pipeline-mysql-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.mysqlPvcName
+images:
+- name: mysql
+ newTag: '5.6'
+ newName: mysql
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.env
new file mode 100644
index 0000000000..f17d371b11
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.env
@@ -0,0 +1 @@
+mysqlPvcName=
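Review bot: `MYSQL_ALLOW_EMPTY_PASSWORD: "true"` in `mysql/base/deployment.yaml` starts the database with a passwordless root account, and `mysql/base/service.yaml` publishes it on port 3306 inside the cluster with the Istio sidecar disabled, so any pod that can reach the Service can read or alter pipeline metadata. The base `config.json` for the API server sets no `User` or `Password`, which suggests it relies on that empty root login. In this cluster's overlay I would replace the env entry with a root password taken from a Secret, as sketched below, and give the API server the matching credential; a NetworkPolicy limiting port 3306 to the pipeline pods would narrow it further. `mysql:5.6` is also an old major version worth revisiting while the cluster is new.

```yaml
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: <mysql-secret-name>  # placeholder: Secret created outside the repository
              key: <password-key>        # placeholder
        # … unchanged: image, ports, volumeMounts …
```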
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.yaml
new file mode 100644
index 0000000000..5f19982ed6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/params.yaml
@@ -0,0 +1,5 @@
+varReference:
+- path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+ kind: Deployment
+- path: metadata/name
+ kind: PersistentVolumeClaim
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/persistent-volume-claim.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/persistent-volume-claim.yaml
new file mode 100644
index 0000000000..7f0b916cc3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/persistent-volume-claim.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: $(mysqlPvcName)
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/service.yaml
new file mode 100644
index 0000000000..65250ecfc8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/base/service.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mysql
+spec:
+ ports:
+ - port: 3306
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/application.yaml
new file mode 100644
index 0000000000..fc2f482aa4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: mysql
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ description: ''
+ keywords:
+ - mysql
+ - kubeflow
+ links:
+ - description: About
+ url: ''
+ maintainers: []
+ owners: []
+ type: mysql
+ version: v1beta1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: mysql
+ app.kubernetes.io/instance: mysql-0.2.5
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: mysql
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: 0.2.5
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..b8183decb2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: mysql
+ app.kubernetes.io/name: mysql
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/kustomization.yaml
new file mode 100644
index 0000000000..b0989f75e4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/kustomization.yaml
@@ -0,0 +1,31 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- persistent-volume.yaml
+patchesStrategicMerge:
+- persistent-volume-claim.yaml
+configMapGenerator:
+- name: pipeline-mysql-parameters
+ behavior: merge
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: mysqlPd
+ objref:
+ kind: ConfigMap
+ name: pipeline-mysql-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.mysqlPd
+- name: mysqlPvName
+ objref:
+ kind: ConfigMap
+ name: pipeline-mysql-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.mysqlPvName
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.env
new file mode 100644
index 0000000000..cb0ad4ad90
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.env
@@ -0,0 +1,2 @@
+mysqlPd=dls-kf-storage-metadata-store
+mysqlPvName=
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.yaml
new file mode 100644
index 0000000000..00d90cbaad
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/params.yaml
@@ -0,0 +1,9 @@
+varReference:
+- path: spec/gcePersistentDisk/pdName
+ kind: PersistentVolume
+- path: metadata/name
+ kind: PersistentVolume
+- path: metadata/name
+ kind: PersistentVolumeClaim
+- path: spec/volumeName
+ kind: PersistentVolumeClaim
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume-claim.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume-claim.yaml
new file mode 100644
index 0000000000..719f7dab6a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume-claim.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: $(mysqlPvcName)
+spec:
+ storageClassName: ""
+ volumeName: $(mysqlPvName)
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume.yaml
new file mode 100644
index 0000000000..092977556c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/mysql/overlays/mysqlPd/persistent-volume.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: $(mysqlPvName)
+spec:
+ capacity:
+ storage: 20Gi
+ accessModes:
+ - ReadWriteOnce
+ gcePersistentDisk:
+ pdName: $(mysqlPd)
+ fsType: ext4
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole-binding.yaml
new file mode 100644
index 0000000000..b7ec1a49de
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: persistenceagent
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: persistenceagent
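Review bot: The `roleRef` in `persistent-agent/base/clusterrole-binding.yaml` binds the `persistenceagent` ServiceAccount to `cluster-admin`, although the next file, `clusterrole.yaml`, defines a `persistenceagent` ClusterRole limited to `get`/`list`/`watch` on `workflows` and `scheduledworkflows`. As written that scoped role is never bound, and a compromise of the persistence agent pod yields full control of the cluster. Pointing the binding at the scoped role, `name: persistenceagent` under `roleRef` (kustomize should apply the `ml-pipeline-` name prefix to the reference), gives the agent what the role says it needs; since the file is under `upstream/`, a patch in this cluster's overlay is the place for it. If the agent turns out to need more verbs than the ClusterRole lists, add them there rather than keeping `cluster-admin`.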
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole.yaml
new file mode 100644
index 0000000000..0242d6f4c0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: persistenceagent
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/deployment.yaml
new file mode 100644
index 0000000000..7c2e012777
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/deployment.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: persistenceagent
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: ml-pipeline-persistenceagent
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: gcr.io/ml-pipeline/persistenceagent
+ imagePullPolicy: IfNotPresent
+ serviceAccountName: ml-pipeline-persistenceagent
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/kustomization.yaml
new file mode 100644
index 0000000000..d68241f594
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+nameprefix: ml-pipeline-
+commonLabels:
+ app: ml-pipeline-persistenceagent
+resources:
+- clusterrole-binding.yaml
+- clusterrole.yaml
+- deployment.yaml
+- service-account.yaml
+images:
+- name: gcr.io/ml-pipeline/persistenceagent
+ newTag: 0.2.5
+ newName: gcr.io/ml-pipeline/persistenceagent
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/service-account.yaml
new file mode 100644
index 0000000000..3e2b988373
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: persistenceagent
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/application.yaml
new file mode 100644
index 0000000000..d022865bd6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: persistent-agent
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ description: ''
+ keywords:
+ - persistent-agent
+ - kubeflow
+ links:
+ - description: About
+ url: ''
+ maintainers: []
+ owners: []
+ type: persistent-agent
+ version: v1beta1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: persistent-agent
+ app.kubernetes.io/instance: persistent-agent-0.2.5
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: persistent-agent
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: 0.2.5
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..56f32854e4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/persistent-agent/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: persistent-agent
+ app.kubernetes.io/name: persistent-agent
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/deployment.yaml
new file mode 100644
index 0000000000..a48dc84009
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: ml-pipeline-visualizationserver
+ name: ml-pipeline-visualizationserver
+spec:
+ selector:
+ matchLabels:
+ app: ml-pipeline-visualizationserver
+ template:
+ metadata:
+ labels:
+ app: ml-pipeline-visualizationserver
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - image: gcr.io/ml-pipeline/visualization-server
+ imagePullPolicy: IfNotPresent
+ name: ml-pipeline-visualizationserver
+ ports:
+ - containerPort: 8888
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/kustomization.yaml
new file mode 100644
index 0000000000..5c149c2b1e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+nameprefix: ml-pipeline-
+commonLabels:
+ app: ml-pipeline-visualizationserver
+resources:
+- deployment.yaml
+- service.yaml
+images:
+- name: gcr.io/ml-pipeline/visualization-server
+ newTag: 0.2.5
+ newName: gcr.io/ml-pipeline/visualization-server
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/service.yaml
new file mode 100644
index 0000000000..a4c7e42cb0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/base/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ml-pipeline-visualizationserver
+spec:
+ ports:
+ - name: http
+ port: 8888
+ protocol: TCP
+ targetPort: 8888
+ selector:
+ app: ml-pipeline-visualizationserver
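Review bot: The `images:` entry in pipeline-visualization-service/base/kustomization.yaml pins `gcr.io/ml-pipeline/visualization-server` by tag only (`newTag: 0.2.5`), and the deployment hunk before it pulls with `imagePullPolicy: IfNotPresent`, so what runs is whatever the registry served for that tag when each node first pulled it. Pinning by digest makes the deployed image reproducible and auditable: replace `newTag: 0.2.5` with `digest: sha256:<digest of the reviewed 0.2.5 image>` (placeholder, to be read from the registry). The same tag-only pattern appears in the persistent-agent, pipelines-ui, pipelines-viewer and scheduledworkflow kustomizations in this patch. These files sit under `upstream/`, so the pin presumably belongs in a cluster-level overlay rather than an edit to this copy.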
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/application.yaml new file mode 100644 index 0000000000..51bc479fea --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipeline-visualization-service +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: '' + keywords: + - pipeline-visualization-service + - kubeflow + links: + - description: About + url: '' + maintainers: [] + owners: [] + type: pipeline-visualization-service + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: pipeline-visualization-service + app.kubernetes.io/instance: pipeline-visualization-service-0.2.5 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipeline-visualization-service + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.2.5 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..ee88118753 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/application/kustomization.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: pipeline-visualization-service + app.kubernetes.io/name: pipeline-visualization-service +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/deployment.yaml new file mode 100644 index 0000000000..5446155cee --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/deployment.yaml @@ -0,0 +1,8 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline-visualizationserver +spec: + template: + spec: + serviceAccountName: kf-user diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/kustomization.yaml new file mode 100644 index 0000000000..b1f0331673 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipeline-visualization-service/overlays/use-kf-user/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +kind: Kustomization +patchesStrategicMerge: +- deployment.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..1f1c2c20a8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role-binding.yaml 
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: pipeline-runner
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: pipeline-runner
+subjects:
+- kind: ServiceAccount
+ name: pipeline-runner
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role.yaml
new file mode 100644
index 0000000000..2e84bbb7c2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/cluster-role.yaml
@@ -0,0 +1,93 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: pipeline-runner
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ - persistentvolumeclaims
+ verbs:
+ - '*'
+- apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - create
+ - delete
+ - get
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ - pods/log
+ - services
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ - apps
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - '*'
+- apiGroups:
+ - kubeflow.org
+ - serving.kubeflow.org
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
+- apiGroups:
+ - machinelearning.seldon.io
+ resources:
+ - seldondeployments
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - virtualservices
+ verbs:
+ - '*'
+- apiGroups:
+ - "sparkoperator.k8s.io"
+ resources:
+ - sparkapplications
+ verbs:
+ - '*'
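Review bot: The `pipeline-runner` ClusterRole in pipelines-runner/base/cluster-role.yaml is granted through the ClusterRoleBinding in the hunk before it, so `get` on `secrets`, `'*'` on `pods` and `pods/exec`, and `'*'` on every `kubeflow.org` resource apply in all namespaces rather than only in `kubeflow`. Any workload running as the bound service account can therefore read secrets by name and exec into pods across the cluster. If pipelines only run in `kubeflow`, a namespaced `Role` and `RoleBinding` carrying the same rules would contain the grant; otherwise the pod rule should list the verbs actually needed instead of `'*'`. The use-kf-user overlay later in this patch rebinds this role to `kf-user`, which the visualization-server overlay also runs as, so the grant reaches beyond pipeline steps.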
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/kustomization.yaml new file mode 100644 index 0000000000..0c50f07ee2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +commonLabels: + app: pipeline-runner +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- service-account.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/service-account.yaml new file mode 100644 index 0000000000..8cb2c669fb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pipeline-runner diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/application.yaml new file mode 100644 index 0000000000..b4c2bfbb53 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/application.yaml 
@@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipelines-runner +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: '' + keywords: + - pipelines-runner + - kubeflow + links: + - description: About + url: '' + maintainers: [] + owners: [] + type: pipelines-runner + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: pipelines-runner + app.kubernetes.io/instance: pipelines-runner-0.2.5 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipelines-runner + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.2.5 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..0a36610340 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: pipelines-runner + app.kubernetes.io/name: pipelines-runner +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/cluster-role-binding.yaml new file mode 100644 index 0000000000..168b3aeba2 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/cluster-role-binding.yaml 
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: pipeline-runner
+subjects:
+# temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default
+- kind: ServiceAccount
+ name: kf-user
+ namespace: kubeflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/kustomization.yaml
new file mode 100644
index 0000000000..a7f830755a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-runner/overlays/use-kf-user/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- cluster-role-binding.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/deployment.yaml
new file mode 100644
index 0000000000..e1b37ed2e5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/deployment.yaml
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: ml-pipeline-ui
+ name: ml-pipeline-ui
+spec:
+ selector:
+ matchLabels:
+ app: ml-pipeline-ui
+ template:
+ metadata:
+ labels:
+ app: ml-pipeline-ui
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: ml-pipeline-ui
+ image: gcr.io/ml-pipeline/frontend
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ALLOW_CUSTOM_VISUALIZATIONS
+ value: "true"
+ ports:
+ - containerPort: 3000
+ serviceAccountName: ml-pipeline-ui
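Review bot: In pipelines-ui/base/deployment.yaml the UI container is started with `ALLOW_CUSTOM_VISUALIZATIONS` set to `"true"`, which, as far as I know, lets UI users submit their own Python for the visualization server to run. Elsewhere in this patch that server is switched to `serviceAccountName: kf-user`, and the use-kf-user `cluster-role-binding.yaml` at the top of this group binds `kf-user` to the cluster-wide `pipeline-runner` role, so with both overlays enabled user-supplied code would run with that role. Unless custom visualizations are required on this cluster, a cluster overlay should set `value: "false"`. The binding's comment calls the switch temporary; a reference to the tracking issue next to it would help it get reverted.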
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/kustomization.yaml new file mode 100644 index 0000000000..0a5af4472e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/kustomization.yaml @@ -0,0 +1,45 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- deployment.yaml +- role-binding.yaml +- role.yaml +- service-account.yaml +- service.yaml +configMapGenerator: +- name: ui-parameters + env: params.env +images: +- name: gcr.io/ml-pipeline/frontend + newTag: 0.2.5 + newName: gcr.io/ml-pipeline/frontend +vars: +- name: ui-namespace + objref: + kind: Service + name: ml-pipeline-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +- name: ui-clusterDomain + objref: + kind: ConfigMap + name: ui-parameters + version: v1 + fieldref: + fieldpath: data.uiClusterDomain +- name: service + objref: + kind: Service + name: ml-pipeline-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.name +- name: tensorboard-service + objref: + kind: Service + name: ml-pipeline-tensorboard-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.name diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/params.env new file mode 100644 index 0000000000..def9236f86 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/params.env @@ -0,0 +1 @@ +uiClusterDomain=cluster.local diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role-binding.yaml new file mode 100644 index 0000000000..ab8654e923 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role-binding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ml-pipeline-ui +subjects: +- kind: ServiceAccount + name: ml-pipeline-ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role.yaml new file mode 100644 index 0000000000..1726f081b4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/role.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - create + - get + - list +- apiGroups: + - "kubeflow.org" + resources: + - viewers + verbs: + - create + - get + - list + - watch + - delete diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service-account.yaml new file mode 100644 index 0000000000..4c890a27bb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service.yaml new file mode 100644 index 0000000000..e1d92e3939 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/base/service.yaml 
@@ -0,0 +1,26 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: ml-pipeline-ui + labels: + app: ml-pipeline-ui +spec: + ports: + - port: 80 + targetPort: 3000 + selector: + app: ml-pipeline-ui +--- +apiVersion: v1 +kind: Service +metadata: + name: ml-pipeline-tensorboard-ui + labels: + app: ml-pipeline-tensorboard-ui +spec: + ports: + - port: 80 + targetPort: 3000 + selector: + app: ml-pipeline-tensorboard-ui diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/application.yaml new file mode 100644 index 0000000000..00a7765053 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipelines-ui +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: '' + keywords: + - pipelines-ui + - kubeflow + links: + - description: About + url: '' + maintainers: [] + owners: [] + type: pipelines-ui + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: pipelines-ui + app.kubernetes.io/instance: pipelines-ui-0.2.5 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipelines-ui + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.2.5 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..6a3747009b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/application/kustomization.yaml 
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: pipelines-ui
+ app.kubernetes.io/name: pipelines-ui
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/configmap.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/configmap.yaml
new file mode 100644
index 0000000000..65fcbe5ec7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/configmap.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ml-pipeline-ui-configmap
+data:
+ viewer-pod-template.json: |-
+ {
+ "spec": {
+ "serviceAccountName": "kf-user"
+ }
+ }
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/deployment.yaml
new file mode 100644
index 0000000000..5e12e769d8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/deployment.yaml
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-ui
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ volumes:
+ - name: gcp-sa-token
+ secret:
+ secretName: user-gcp-sa
+ - name: config-volume
+ configMap:
+ name: ml-pipeline-ui-configmap
+ containers:
+ - name: ml-pipeline-ui
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /etc/credentials/user-gcp-sa.json
+ - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
+ value: /etc/config/viewer-pod-template.json
+ volumeMounts:
+ - name: gcp-sa-token
+ mountPath: "/etc/credentials"
+ readOnly: true
+ - name: config-volume
+ mountPath: /etc/config
+ readOnly: true
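Review bot: The gcp overlay in pipelines-ui/overlays/gcp/deployment.yaml mounts the `user-gcp-sa` secret and points `GOOGLE_APPLICATION_CREDENTIALS` at `/etc/credentials/user-gcp-sa.json`, which puts a long-lived service-account key file inside the UI pod, the component the istio overlay exposes through `kubeflow-gateway`. The comment in the pipelines-runner use-kf-user overlay suggests this cluster relies on workload identity; if that holds, the key is unnecessary and the `gcp-sa-token` volume, its `volumeMounts` entry and the env var can be dropped in favour of a workload-identity-bound service account. Whether this overlay is selected for the new cluster is not visible in this part of the patch. If it is not, stating that in the cluster's own kustomization would prevent someone enabling it later and creating the key to satisfy the mount.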
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/kustomization.yaml new file mode 100644 index 0000000000..c14186bec7 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/gcp/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- deployment.yaml +resources: +- configmap.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..fcd00db904 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000000..1888b7c2ca --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-ui/overlays/istio/virtual-service.yaml @@ -0,0 +1,43 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ml-pipeline-tensorboard-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /data + rewrite: + uri: /data + route: + - destination: + host: $(tensorboard-service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 80 + timeout: 300s +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ml-pipeline-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /pipeline + rewrite: + uri: /pipeline + route: + - destination: + host: $(service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 80 + timeout: 300s diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..91eaab5361 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: crd-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: controller-role +subjects: +- kind: ServiceAccount + name: crd-service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role.yaml new file mode 100644 index 0000000000..f8b3e8f659 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/cluster-role.yaml 
@@ -0,0 +1,86 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: controller-role +rules: +- apiGroups: + - '*' + resources: + - deployments + - services + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipeline-viewers-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-viewers-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipeline-viewers-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-viewers-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipeline-viewers-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - get + - list + - watch diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/crd.yaml new file mode 100644 index 0000000000..dcb5db0f88 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/crd.yaml 
@@ -0,0 +1,18 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: viewers.kubeflow.org +spec: + group: kubeflow.org + names: + kind: Viewer + listKind: ViewerList + plural: viewers + shortNames: + - vi + singular: viewer + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/deployment.yaml new file mode 100644 index 0000000000..6115812097 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/deployment.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-deployment +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/ml-pipeline/viewer-crd-controller:0.1.31 + imagePullPolicy: Always + name: ml-pipeline-viewer-controller + serviceAccountName: crd-service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/kustomization.yaml new file mode 100644 index 0000000000..cb5f051567 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/kustomization.yaml 
@@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +nameprefix: ml-pipeline-viewer- +commonLabels: + app: ml-pipeline-viewer-crd +resources: +- crd.yaml +- cluster-role-binding.yaml +- cluster-role.yaml +- deployment.yaml +- service-account.yaml +images: +- name: gcr.io/ml-pipeline/viewer-crd-controller + newTag: 0.2.5 + newName: gcr.io/ml-pipeline/viewer-crd-controller diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/service-account.yaml new file mode 100644 index 0000000000..96b13b17e4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: crd-service-account diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/application.yaml new file mode 100644 index 0000000000..1c4e9a63e3 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/application.yaml 
@@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipelines-viewer +spec: + addOwnerRef: true + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + description: '' + keywords: + - pipelines-viewer + - kubeflow + links: + - description: About + url: '' + maintainers: [] + owners: [] + type: pipelines-viewer + version: v1beta1 + selector: + matchLabels: + app.kubernetes.io/component: pipelines-viewer + app.kubernetes.io/instance: pipelines-viewer-0.2.5 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipelines-viewer + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.2.5 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..9c95c91e7d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/pipelines-viewer/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: pipelines-viewer + app.kubernetes.io/name: pipelines-viewer +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/cluster-role.yaml new file mode 100644 index 0000000000..b33dd8c8ee --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/cluster-role.yaml 
@@ -0,0 +1,55 @@
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-scheduledworkflows-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-scheduledworkflows-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-scheduledworkflows-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-scheduledworkflows-admin: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-scheduledworkflows-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/crd.yaml
new file mode 100644
index 0000000000..22dc3c8a00
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/crd.yaml
@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: scheduledworkflows.kubeflow.org
+spec:
+ group: kubeflow.org
+ names:
+ kind: ScheduledWorkflow
+ listKind: ScheduledWorkflowList
+ plural: scheduledworkflows
+ shortNames:
+ - swf
+ singular: scheduledworkflow
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/deployment.yaml
new file mode 100644
index 0000000000..5dcd152728
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/deployment.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-scheduledworkflow
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: ml-pipeline-scheduledworkflow
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: gcr.io/ml-pipeline/scheduledworkflow
+ imagePullPolicy: IfNotPresent
+ serviceAccountName: ml-pipeline-scheduledworkflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/kustomization.yaml
new file mode 100644
index 0000000000..3de5fe71e1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+commonLabels:
+ app: ml-pipeline-scheduledworkflow
+resources:
+- cluster-role.yaml
+- crd.yaml
+- deployment.yaml
+- role-binding.yaml
+- role.yaml
+- service-account.yaml
+images:
+- name: gcr.io/ml-pipeline/scheduledworkflow
+ newTag: 0.2.5
+ newName: gcr.io/ml-pipeline/scheduledworkflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role-binding.yaml
new file mode 100644
index 0000000000..18ebc938a6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: ml-pipeline-scheduledworkflow
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: ml-pipeline-scheduledworkflow
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role.yaml
new file mode 100644
index 0000000000..e922eae79b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/role.yaml
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: ml-pipeline-scheduledworkflow
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - scheduledworkflows
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/service-account.yaml
new file mode 100644
index 0000000000..285c13742f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ml-pipeline-scheduledworkflow
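Review bot: `scheduledworkflow/base/role-binding.yaml` binds the `ml-pipeline-scheduledworkflow` ServiceAccount to `cluster-admin` through a ClusterRoleBinding, although `role.yaml` in the same directory already defines a Role limited to `workflows` and `scheduledworkflows`, and nothing visible in this diff binds that Role. A compromise of the controller pod would then expose the whole cluster rather than two resource types. The path suggests these files are a vendored upstream copy, so I would narrow this from the cluster's own overlay rather than edit it in place: a RoleBinding whose `roleRef` has `kind: Role` and `name: ml-pipeline-scheduledworkflow`, or a ClusterRole carrying the same two rules if the controller has to act across namespaces. `profiles/base/cluster-role-binding.yaml` further down grants `cluster-admin` to `controller-service-account` in the same way and deserves the same narrowing, though the profile controller presumably needs some cluster-scoped rights to create namespaces.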
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/application.yaml
new file mode 100644
index 0000000000..e1ca998418
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/application.yaml
@@ -0,0 +1,31 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: scheduledworkflow
+spec:
+ addOwnerRef: true
+ componentKinds:
+ - group: core
+ kind: ConfigMap
+ - group: apps
+ kind: Deployment
+ descriptor:
+ description: ''
+ keywords:
+ - scheduledworkflow
+ - kubeflow
+ links:
+ - description: About
+ url: ''
+ maintainers: []
+ owners: []
+ type: scheduledworkflow
+ version: v1beta1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: scheduledworkflow
+ app.kubernetes.io/instance: scheduledworkflow-0.2.5
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: scheduledworkflow
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: 0.2.5
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..63b8d9743f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pipeline/scheduledworkflow/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: scheduledworkflow
+ app.kubernetes.io/name: scheduledworkflow
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/README.md
new file mode 100644
index 0000000000..66cb68b782
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/README.md
@@ -0,0 +1,5 @@
+When profile-controller image updated, you can run below command to update it in manifest.
+
+```
+kustomize edit set image gcr.io/kubeflow-images-public/profile-controller:$NEW_TAG
+```
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..9f55fc3b13
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: controller-service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/crd.yaml
new file mode 100644
index 0000000000..5df4fbbb13
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/crd.yaml
@@ -0,0 +1,156 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: profiles.kubeflow.org +spec: + conversion: + strategy: None + group: kubeflow.org + names: + kind: Profile + plural: profiles + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + description: Profile is the Schema for the profiles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProfileSpec defines the desired state of Profile + properties: + owner: + description: The profile owner + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + required: + - kind + - name + type: object + plugins: + items: + description: Plugin is for customize actions on different platform. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + spec: + type: object + type: object + type: array + resourceQuotaSpec: + description: Resourcequota that will be applied to target namespace + properties: + hard: + additionalProperties: + type: string + description: 'hard is the set of desired hard limits for each named + resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + scopeSelector: + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. + properties: + matchExpressions: + description: A list of scope selector requirements by scope + of the resources. + items: + description: A scoped-resource selector requirement is a selector + that contains values, a scope name, and an operator that + relates the scope name and values. + properties: + operator: + description: Represents a scope's relationship to a set + of values. Valid operators are In, NotIn, Exists, DoesNotExist. + type: string + scopeName: + description: The name of the scope that the selector applies + to. + type: string + values: + description: An array of string values. 
If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - operator + - scopeName + type: object + type: array + type: object + scopes: + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all objects. + items: + description: A ResourceQuotaScope defines a filter that must match + each object tracked by a quota + type: string + type: array + type: object + type: object + status: + description: ProfileStatus defines the observed state of Profile + properties: + conditions: + items: + properties: + message: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/deployment.yaml new file mode 100644 index 0000000000..20568ed438 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/deployment.yaml 
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - command:
+ - /manager
+ args:
+ - "-userid-header"
+ - $(userid-header)
+ - "-userid-prefix"
+ - $(userid-prefix)
+ - "-workload-identity"
+ - $(gcp-sa)
+ image: gcr.io/kubeflow-images-public/profile-controller:v20190619-v0-219-gbd3daa8c-dirty-1ced0e
+ imagePullPolicy: Always
+ name: manager
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ ports:
+ - containerPort: 8080
+ name: manager-http
+ protocol: TCP
+ - command:
+ - /access-management
+ args:
+ - "-cluster-admin"
+ - $(admin)
+ - "-userid-header"
+ - $(userid-header)
+ - "-userid-prefix"
+ - $(userid-prefix)
+ image: gcr.io/kubeflow-images-public/kfam:v20190612-v0-170-ga06cdb79-dirty-a33ee4
+ imagePullPolicy: Always
+ name: kfam
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 8081
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ ports:
+ - containerPort: 8081
+ name: kfam-http
+ protocol: TCP
+ serviceAccountName: controller-service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/kustomization.yaml
new file mode 100644
index 0000000000..a8a688cdc1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/kustomization.yaml
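Review bot: In `profiles/base/deployment.yaml` the pod template sets `sidecar.istio.io/inject: "false"` while the `kfam` container takes its caller-identity settings from `-userid-header` and `-userid-prefix` and listens on port 8081. Without a sidecar the pod sits outside mesh mTLS and authorization policy, so, assuming kfam trusts that header (its code is not visible here), a workload that reaches the Service directly instead of through the gateway could present an identity of its choosing. I would either enable injection for this pod or add a NetworkPolicy that admits port 8081 only from the ingress gateway. Neither container sets a `securityContext` or `resources`; for a pod whose ServiceAccount is bound to `cluster-admin`, `allowPrivilegeEscalation: false` and `runAsNonRoot: true` are worth adding from the cluster's overlay.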
@@ -0,0 +1,65 @@
+# TODO(jlewi): This kustomization.yaml is deprecated. We want the
+# base_v3 version. This version uses a bunch of problematic patterns e.g.
+# i) Using vars to do command line substitution
+# ii) Not using a configmap to make application and global config available
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role-binding.yaml
+- crd.yaml
+- deployment.yaml
+- service.yaml
+- service-account.yaml
+namePrefix: profiles-
+namespace: kubeflow
+commonLabels:
+ kustomize.component: profiles
+configMapGenerator:
+- envs:
+ - params.env
+ name: profiles-parameters
+images:
+- name: gcr.io/kubeflow-images-public/kfam
+ newName: gcr.io/kubeflow-images-public/kfam
+ newTag: vmaster-gf3e09203
+- name: gcr.io/kubeflow-images-public/profile-controller
+ newName: gcr.io/kubeflow-images-public/profile-controller
+ newTag: vmaster-g34aa47c2
+vars:
+- fieldref:
+ fieldPath: data.admin
+ name: admin
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: profiles-parameters
+- fieldref:
+ fieldPath: data.gcp-sa
+ name: gcp-sa
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: profiles-parameters
+- fieldref:
+ fieldPath: data.userid-header
+ name: userid-header
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: profiles-parameters
+- fieldref:
+ fieldPath: data.userid-prefix
+ name: userid-prefix
+ objref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: profiles-parameters
+- fieldref:
+ fieldPath: metadata.namespace
+ name: namespace
+ objref:
+ apiVersion: v1
+ kind: Service
+ name: kfam
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.env
new file mode 100644
index 0000000000..85b8dce36b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.env
@@ -0,0 +1,4 @@
+admin=anonymous
+gcp-sa=
+userid-header=
+userid-prefix=
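Review bot: `profiles/base/params.env` ships `admin=anonymous` with `userid-header=` and `userid-prefix=` left empty, and the base kustomization feeds `data.admin` into kfam's `-cluster-admin` argument through the `admin` var. If the deployed overlay does not override these, the access-management admin identity is the literal `anonymous`, which is presumably also the name given to requests that carry no authenticated user. I would set `admin` to a real account and the header to the one the cluster's ingress actually asserts, both in the cluster's own overlay, and have the build check that `admin` is no longer `anonymous`. The TODO at the top of `kustomization.yaml` already marks this base as deprecated in favour of `base_v3`, so a comment stating which of the two the new cluster consumes would help.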
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.yaml
new file mode 100644
index 0000000000..567144bdd0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/params.yaml
@@ -0,0 +1,13 @@
+varReference:
+- path: spec/template/spec/containers/0/args/1
+ kind: Deployment
+- path: spec/template/spec/containers/0/args/3
+ kind: Deployment
+- path: spec/template/spec/containers/0/args/5
+ kind: Deployment
+- path: spec/template/spec/containers/1/args/1
+ kind: Deployment
+- path: spec/template/spec/containers/1/args/3
+ kind: Deployment
+- path: spec/template/spec/containers/1/args/5
+ kind: Deployment
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service-account.yaml
new file mode 100644
index 0000000000..dde6b0761e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller-service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service.yaml
new file mode 100644
index 0000000000..9c0e659e08
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base/service.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kfam
+spec:
+ ports:
+ - port: 8081
\ No newline at end of file
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/deployment_patch.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/deployment_patch.yaml
new file mode 100644
index 0000000000..a630e22053
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/deployment_patch.yaml
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ spec:
+ containers:
+ - command:
+ - /manager
+ - -userid-header
+ - $(USERID_HEADER)
+ - -userid-prefix
+ - $(USERID_PREFIX)
+ - -workload-identity
+ - $(WORKLOAD_IDENTITY)
+ args: []
+ name: manager
+ env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-header
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-prefix
+ - name: WORKLOAD_IDENTITY
+ valueFrom:
+ configMapKeyRef:
+ name: profiles-config
+ key: gcp-sa
+ - command:
+ - /access-management
+ - -cluster-admin
+ - $(CLUSTER_ADMIN)
+ - -userid-prefix
+ - $(USERID_PREFIX)
+ args: []
+ name: kfam
+ env:
+ - name: USERID_HEADER
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-header
+ - name: USERID_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ name: kubeflow-config
+ key: userid-prefix
+ - name: CLUSTER_ADMIN
+ valueFrom:
+ configMapKeyRef:
+ name: profiles-config
+ key: admin
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/kustomization.yaml
new file mode 100644
index 0000000000..40fbc5f1e9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/base_v3/kustomization.yaml
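Review bot: In `base_v3/deployment_patch.yaml` the `kfam` container declares the `USERID_HEADER` environment variable but its `command` list never passes it: only `-cluster-admin` and `-userid-prefix` are present, whereas `profiles/base/deployment.yaml` gives kfam `-userid-header` as well. Because the patch also sets `args: []`, the base's header argument is presumably dropped, and kfam would fall back to whatever header name it defaults to, which may not match the one `manager` is told to use. I would add `- -userid-header` and `- $(USERID_HEADER)` to the kfam command, next to the prefix pair, so both containers read identity from the same header.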
@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: profiles-
+commonLabels:
+ kustomize.component: profiles
+images:
+- name: gcr.io/kubeflow-images-public/kfam
+ newName: gcr.io/kubeflow-images-public/kfam
+ newTag: vmaster-gf3e09203
+- name: gcr.io/kubeflow-images-public/profile-controller
+ newName: gcr.io/kubeflow-images-public/profile-controller
+ newTag: vmaster-g34aa47c2
+resources:
+- ../base/cluster-role-binding.yaml
+- ../base/crd.yaml
+- ../base/deployment.yaml
+- ../base/service.yaml
+- ../base/service-account.yaml
+- ../overlays/istio/virtual-service.yaml
+- ../overlays/application/application.yaml
+patchesStrategicMerge:
+- deployment_patch.yaml
+configMapGenerator:
+# We need the name to be unique without the suffix because the original name is what
+# gets used with patches
+- name: profiles-config
+ literals:
+ - admin=
+ - gcp-sa=
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/application.yaml
new file mode 100644
index 0000000000..855a36f6d7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/application.yaml
@@ -0,0 +1,43 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: profiles
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: profiles
+ app.kubernetes.io/instance: profiles-v1.0.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: profiles
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v1.0.0
+ componentKinds:
+ # Do not select any cluster scoped resources
+ # as that will cause problems.
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: core
+ kind: Service
+ - group: kubeflow.org
+ kind: Profile
+ descriptor:
+ type: profiles
+ version: v1
+ description: ""
+ maintainers:
+ - name: Kunming Qu
+ email: kunming@google.com
+ owners:
+ - name: Kunming Qu
+ email: kunming@google.com
+ keywords:
+ - profiles
+ - kubeflow
+ links:
+ - description: profiles
+ url: "https://github.com/kubeflow/kubeflow/tree/master/components/profile-controller"
+ - description: kfam
+ url: "https://github.com/kubeflow/kubeflow/tree/master/components/access-management"
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..41d8e15f9f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: profiles
+ app.kubernetes.io/name: profiles
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/deployment.yaml
new file mode 100644
index 0000000000..6c007d7a7e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ command: ["/go/bin/dlv"]
+ args: ["--listen=:2345", "--headless=true", "--api-version=2", "exec", "/go/src/github.com/kubeflow/kubeflow/components/profile-controller/manager"]
+ env:
+ - name: project
+ valueFrom:
+ configMapKeyRef:
+ name: parameters
+ key: project
+ image: gcr.io/$(project)/profile-controller:latest
+ ports:
+ - containerPort: 2345
+ securityContext:
+ privileged: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/kustomization.yaml
new file mode 100644
index 0000000000..f333a72f75
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/kustomization.yaml
@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- deployment.yaml
+configMapGenerator:
+- name: parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: project
+ objref:
+ kind: ConfigMap
+ name: parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.project
+configurations:
+- params.yaml
+images:
+- name: gcr.io/$(project)/profile-controller
+ newName: gcr.io/$(project)/profile-controller
+ newTag: latest
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.env
new file mode 100644
index 0000000000..8a76300feb
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.env
@@ -0,0 +1 @@
+project=
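Review bot: `profiles/overlays/debug/deployment.yaml` runs the `manager` container with `securityContext.privileged: true` and starts `dlv` with `--listen=:2345 --headless=true`, a debugger endpoint with no authentication of its own, in a pod whose ServiceAccount the base binds to `cluster-admin`. Anything that can reach port 2345 on the pod network would control that process and the credentials mounted into it. If the overlay has to stay in the tree, I would replace `privileged: true` with `capabilities: {add: ["SYS_PTRACE"]}` (which should be enough for a debugger), change the listener to `--listen=127.0.0.1:2345` and reach it with `kubectl port-forward`, and confirm that the cluster's deployed kustomization never references this overlay. The `:latest` tag here and in the overlay's `kustomization.yaml` also means the image under the debugger cannot be tied to a known build.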
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.yaml
new file mode 100644
index 0000000000..3d38939728
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/debug/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/template/spec/containers/image
+ kind: Deployment
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/deployment.yaml
new file mode 100644
index 0000000000..6fd2207017
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/deployment.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/kustomization.yaml
new file mode 100644
index 0000000000..9080da8b20
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/devices/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+patchesStrategicMerge:
+- deployment.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/kustomization.yaml
new file mode 100644
index 0000000000..fcd00db904
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+resources:
+- virtual-service.yaml
+configurations:
+- params.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/params.yaml
new file mode 100644
index 0000000000..eea869e0d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+ kind: VirtualService
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/virtual-service.yaml
new file mode 100644
index 0000000000..daf2dec0c0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/istio/virtual-service.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: kfam
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - headers:
+ request:
+ add:
+ x-forwarded-prefix: /kfam
+ match:
+ - uri:
+ prefix: /kfam/
+ rewrite:
+ uri: /kfam/
+ route:
+ - destination:
+ host: profiles-kfam.$(namespace).svc.cluster.local
+ port:
+ number: 8081
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/app_test.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/app_test.yaml
new file mode 100644
index 0000000000..345d067915
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/app_test.yaml
@@ -0,0 +1,23 @@
+apiVersion: kfdef.apps.kubeflow.org/v1alpha1
+kind: KfDef
+metadata:
+ name: plugin-test
+spec:
+ appdir: .
+ componentParams:
+ profiles:
+ - name: overlay
+ value: debug
+ - name: overlay
+ value: devices
+ components:
+ - profiles
+ manifestsRepo: /Users/kdkasrav/plugin-test/.cache/manifests/pull/31/head
+ packageManager: kustomize@pull/31
+ packages:
+ - profiles
+ repo: /Users/kdkasrav/plugin-test/.cache/kubeflow/master/kubeflow
+ useBasicAuth: false
+ useIstio: true
+ version: master
+status: {}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/kustomization.yaml
new file mode 100644
index 0000000000..de10db8635
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/profiles/overlays/test/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../base
+#generators:
+#- app_test.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/prow_config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/prow_config.yaml
new file mode 100644
index 0000000000..1ebe6236d0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/prow_config.yaml
@@ -0,0 +1,33 @@
+# This file configures the workflows to trigger in our Prow jobs.
+# see https://github.com/kubeflow/testing/blob/master/py/kubeflow/testing/run_e2e_workflow.py
+python_paths:
+ # Need to place kubeflow/testing in front of kubeflow/testing so that the package can
+ # be correctly located.
+ - kubeflow/testing/py
+ - kubeflow/kfctl/py
+workflows:
+ - app_dir: kubeflow/manifests/tests/workflows
+ component: workflows
+ name: unit
+ job_types:
+ - presubmit
+ - postsubmit
+ - periodic
+
+ # Run the e2e tests to ensure that changes to manifests don't break deployments.
+ - py_func: kubeflow.kfctl.testing.ci.kfctl_e2e_workflow.create_workflow
+ name: e2e
+ job_types:
+ - presubmit
+ - postsubmit
+ - periodic
+ kwargs:
+ use_basic_auth: false
+ # Run build and then apply rather than just apply
+ build_and_apply: true
+ # test_endpoint flag is actually deprecated; we use pytest annotations to skip on
+ # presubmit.
+ test_endpoint: true
+ # The path for the config should depend on the commit we are testing manifests on.
+ # so we use the local path which will be checked out to the correct commit
+ config_path: "{srcrootdir}/kubeflow/manifests/kfdef/kfctl_gcp_iap.yaml"
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/crd.yaml
new file mode 100644
index 0000000000..4a8cf899d9
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/crd.yaml
@@ -0,0 +1,42 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: pytorchjobs.kubeflow.org
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.conditions[-1:].type
+ name: State
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: kubeflow.org
+ names:
+ kind: PyTorchJob
+ plural: pytorchjobs
+ singular: pytorchjob
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ pytorchReplicaSpecs:
+ properties:
+ Master:
+ properties:
+ replicas:
+ maximum: 1
+ minimum: 1
+ type: integer
+ Worker:
+ properties:
+ replicas:
+ minimum: 1
+ type: integer
+ versions:
+ - name: v1
+ served: true
+ storage: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/kustomization.yaml
new file mode 100644
index 0000000000..6e120e7b63
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/base/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- crd.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/application.yaml
new file mode 100644
index 0000000000..4946a1cf85
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/application.yaml
@@ -0,0 +1,42 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: pytorch-job-crds
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: pytorch-job-crds
+ app.kubernetes.io/instance: pytorch-job-crds-v0.7.0
+ app.kubernetes.io/version: v0.7.0
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/managed-by: kfctl
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: PyTorchJob
+ descriptor:
+ type: "pytorch-job-crds"
+ version: "v1"
+ description: "Pytorch-job-crds contains the \"PyTorchJob\" custom resource definition."
+ maintainers:
+ - name: Johnu George
+ email: johnugeo@cisco.com
+ owners:
+ - name: Johnu George
+ email: johnugeo@cisco.com
+ keywords:
+ - "pytorchjob"
+ - "pytorch-operator"
+ - "pytorch-training"
+ links:
+ - description: About
+ url: "https://github.com/kubeflow/pytorch-operator"
+ - description: Docs
+ url: "https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/"
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..8647a23c20
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-job-crds/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-job-crds
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..595f0fd26c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: pytorch-operator
+ name: pytorch-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: pytorch-operator
+subjects:
+- kind: ServiceAccount
+ name: pytorch-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role.yaml
new file mode 100644
index 0000000000..1676c3168b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/cluster-role.yaml
@@ -0,0 +1,86 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: pytorch-operator
+ name: pytorch-operator
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - pytorchjobs
+ - pytorchjobs/status
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - events
+ verbs:
+ - '*'
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-pytorchjobs-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-pytorchjobs-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - pytorchjobs
+ - pytorchjobs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-pytorchjobs-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - pytorchjobs
+ - pytorchjobs/status
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/deployment.yaml
new file mode 100644
index 0000000000..4e1f6a8bde
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/deployment.yaml
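Review bot: The `pytorch-operator` ClusterRole grants `'*'` on `customresourcedefinitions` in `apiextensions.k8s.io` and on core `pods`, `services`, `endpoints` and `events`, all cluster-wide, so a compromise of the operator pod would carry the ability to alter or delete any CRD and any pod or service in the cluster. Consider narrowing the CRD rule's verbs to `- get`, `- list`, `- watch` and spelling out explicit verbs for the core resources; which verbs the operator really needs is not visible in this diff, so confirm against its code before tightening. The first document also uses `rbac.authorization.k8s.io/v1beta1` while the three aggregate roles below it use `v1`; `apiVersion: rbac.authorization.k8s.io/v1` would keep the file consistent. If this directory is a vendored upstream copy, the narrowing is probably better carried as a kustomize patch in the cluster overlay than as an edit here.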
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pytorch-operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: pytorch-operator
+ template:
+ metadata:
+ labels:
+ name: pytorch-operator
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - command:
+ - /pytorch-operator.v1
+ - --alsologtostderr
+ - -v=1
+ - --monitoring-port=8443
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ image: gcr.io/kubeflow-images-public/pytorch-operator:v0.6.0-18-g5e36a57
+ name: pytorch-operator
+ serviceAccountName: pytorch-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/kustomization.yaml
new file mode 100644
index 0000000000..f9acb98bc2
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- deployment.yaml
+- service-account.yaml
+- service.yaml
+commonLabels:
+ kustomize.component: pytorch-operator
+images:
+- name: gcr.io/kubeflow-images-public/pytorch-operator
+ newName: gcr.io/kubeflow-images-public/pytorch-operator
+ newTag: vmaster-g047cf0f
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/params.env
new file mode 100644
index 0000000000..47e9d44b57
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/params.env
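Review bot: The `pytorch-operator` container in deployment.yaml declares no `securityContext`, so it runs as whatever user the image defines and keeps the default capability set while its service account is bound to a cluster-wide role. I would add a restrictive container-level `securityContext` next to `name: pytorch-operator`, as sketched below. Whether the image already runs as a non-root user is not visible in this diff, so `runAsNonRoot` needs a test deploy before it is relied on. The pod also sets `sidecar.istio.io/inject: "false"`, which suggests the port 8443 metrics endpoint sits outside the mesh, so a short comment saying why injection is disabled would help the next reviewer.

```yaml
# … unchanged: command, env …
        image: gcr.io/kubeflow-images-public/pytorch-operator:v0.6.0-18-g5e36a57
        name: pytorch-operator
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
# … unchanged: serviceAccountName …
```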
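Review bot: The `images:` entry in this kustomization.yaml pins the operator by tag only (`newTag: vmaster-g047cf0f`), and that tag replaces the `v0.6.0-18-g5e36a57` tag written in deployment.yaml, so the image that gets deployed is not the one the Deployment names and can change if the registry tag is moved. Pinning with kustomize's `digest:` field, e.g. `digest: sha256:<DIGEST_PLACEHOLDER>`, would make the cluster pull exactly the build that was reviewed. The Application overlay later in this commit labels the component `app.kubernetes.io/version: v0.7.0`, a third version string, so a one-line comment stating which is authoritative would avoid confusion during incident triage.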
@@ -0,0 +1,3 @@
+pytorchDefaultImage=null
+deploymentScope=cluster
+deploymentNamespace=null
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service-account.yaml
new file mode 100644
index 0000000000..3fe6033e18
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: pytorch-operator
+ name: pytorch-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service.yaml
new file mode 100644
index 0000000000..c788ab2dba
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/base/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "8443"
+ prometheus.io/scrape: "true"
+ labels:
+ app: pytorch-operator
+ name: pytorch-operator
+spec:
+ ports:
+ - name: monitoring-port
+ port: 8443
+ targetPort: 8443
+ selector:
+ name: pytorch-operator
+ type: ClusterIP
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/application.yaml
new file mode 100644
index 0000000000..c2eb602917
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/application.yaml
@@ -0,0 +1,44 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: pytorch-operator
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: pytorch-operator
+ app.kubernetes.io/instance: pytorch-operator-v0.7.0
+ app.kubernetes.io/version: v0.7.0
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/managed-by: kfctl
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ConfigMap
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: PyTorchJob
+ descriptor:
+ type: "pytorch-operator"
+ version: "v1"
+ description: "Pytorch-operator allows users to create and manage the \"PyTorchJob\" custom resource."
+ maintainers:
+ - name: Johnu George
+ email: johnugeo@cisco.com
+ owners:
+ - name: Johnu George
+ email: johnugeo@cisco.com
+ keywords:
+ - "pytorchjob"
+ - "pytorch-operator"
+ - "pytorch-training"
+ links:
+ - description: About
+ url: "https://github.com/kubeflow/pytorch-operator"
+ - description: Docs
+ url: "https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/"
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..3cfee77228
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/pytorch-job/pytorch-operator/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: pytorch
+ app.kubernetes.io/name: pytorch-operator
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/Makefile b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/Makefile
new file mode 100644
index 0000000000..69680d2a45
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/Makefile
@@ -0,0 +1,15 @@
+
+# If updating values.yaml
+# certManager: true
+# Istio.enabled: true
+# istio gateway
+# kubeflow: true
+
+seldon-core-operator/base: clean-kustomize
+ mkdir -p seldon-core-operator/base
+ cd seldon-core-operator/base && helm template -f ../../values.yaml seldon-core seldon-core-operator --repo https://storage.googleapis.com/seldon-charts --namespace kubeflow --version 1.1.0 > resources.yaml
+ cp kustomization.tpl seldon-core-operator/base/kustomization.yaml
+
+.PHONY:clean-kustomize
+clean-kustomize:
+ rm -rf seldon-core-operator/base
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/README.md
new file mode 100644
index 0000000000..ac14782e45
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/README.md
@@ -0,0 +1,18 @@
+# Seldon Kustomize
+
+## Install Seldon Operator
+
+ * The yaml assumes you will install in kubeflow namespace
+ * You need to have installed istio first
+
+```
+kustomize build seldon-core-operator/base | kubectl apply -n kubeflow -f -
+```
+
+## Updating
+
+This kustomize spec was created from the seldon-core-operator helm chart with:
+
+```
+make clean seldon-core-operator/base
+```
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/kustomization.tpl b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/kustomization.tpl
new file mode 100644
index 0000000000..776f42bf42
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/kustomization.tpl
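Review bot: The Makefile defines `clean-kustomize` but no `clean` target, so the regeneration command documented in the README added by this same commit (`make clean seldon-core-operator/base`) will stop with no rule to make `clean`. Either add an alias, `clean: clean-kustomize` with `.PHONY: clean clean-kustomize`, or change the README to `make seldon-core-operator/base`, which already depends on `clean-kustomize`. Separately, the `helm template` recipe fetches the chart from `--repo https://storage.googleapis.com/seldon-charts` identified only by `--version 1.1.0`, and the rendered output is committed and later applied to the cluster. A comment recording how the chart was checked, or `--verify` if the chart is published with a provenance file, would give the next person who regenerates `resources.yaml` something to compare against.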
@@ -0,0 +1,4 @@
+# List of resource files that kustomize reads, modifies
+# and emits as a YAML string
+resources:
+- resources.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/kustomization.yaml
new file mode 100644
index 0000000000..776f42bf42
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/kustomization.yaml
@@ -0,0 +1,4 @@
+# List of resource files that kustomize reads, modifies
+# and emits as a YAML string
+resources:
+- resources.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/resources.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/resources.yaml
new file mode 100644
index 0000000000..c29a092f6a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/base/resources.yaml
@@ -0,0 +1,4980 @@ +--- +# Source: seldon-core-operator/templates/serviceaccount_seldon-manager.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: 'seldon-manager' + namespace: 'kubeflow' +--- +# Source: seldon-core-operator/templates/configmap_seldon-config.yaml +apiVersion: v1 +data: + credentials: '{"gcs":{"gcsCredentialFileName":"gcloud-application-credentials.json"},"s3":{"s3AccessKeyIDName":"awsAccessKeyID","s3SecretAccessKeyName":"awsSecretAccessKey"}}' + predictor_servers: '{"MLFLOW_SERVER":{"grpc":{"defaultImageVersion":"0.4","image":"seldonio/mlflowserver_grpc"},"rest":{"defaultImageVersion":"0.4","image":"seldonio/mlflowserver_rest"}},"SKLEARN_SERVER":{"grpc":{"defaultImageVersion":"0.2","image":"seldonio/sklearnserver_grpc"},"rest":{"defaultImageVersion":"0.2","image":"seldonio/sklearnserver_rest"}},"TENSORFLOW_SERVER":{"grpc":{"defaultImageVersion":"0.7","image":"seldonio/tfserving-proxy_grpc"},"rest":{"defaultImageVersion":"0.7","image":"seldonio/tfserving-proxy_rest"},"tensorflow":true,"tfImage":"tensorflow/serving:2.1.0"},"XGBOOST_SERVER":{"grpc":{"defaultImageVersion":"0.3","image":"seldonio/xgboostserver_grpc"},"rest":{"defaultImageVersion":"0.3","image":"seldonio/xgboostserver_rest"}}}' + storageInitializer: '{"cpuLimit":"1","cpuRequest":"100m","image":"gcr.io/kfserving/storage-initializer:0.2.2","memoryLimit":"1Gi","memoryRequest":"100Mi"}' +kind: ConfigMap +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + control-plane: seldon-controller-manager + name: seldon-config + namespace: 'kubeflow' +--- +# Source: seldon-core-operator/templates/customresourcedefinition_seldondeployments.machinelearning.seldon.io.yaml +apiVersion: apiextensions.k8s.io/v1beta1 +kind: 
CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: 'kubeflow/seldon-serving-cert' + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldondeployments.machinelearning.seldon.io +spec: + group: machinelearning.seldon.io + names: + kind: SeldonDeployment + listKind: SeldonDeploymentList + plural: seldondeployments + shortNames: + - sdep + singular: seldondeployment + scope: Namespaced + subresources: + scale: + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} + validation: + openAPIV3Schema: + description: SeldonDeployment is the Schema for the seldondeployments API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SeldonDeploymentSpec defines the desired state of SeldonDeployment + properties: + annotations: + additionalProperties: + type: string + type: object + name: + description: Name is Deprecated will be removed in future + type: string + oauth_key: + type: string + oauth_secret: + type: string + predictors: + items: + properties: + annotations: + additionalProperties: + type: string + type: object + componentSpecs: + items: + properties: + hpaSpec: + properties: + maxReplicas: + format: int32 + type: integer + metrics: + items: + description: MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once). + properties: + external: + description: external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster). + properties: + metricName: + description: metricName is the name of the metric in question. + type: string + metricSelector: + description: metricSelector is used to identify a specific time series within a given metric. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + targetAverageValue: + anyOf: + - type: integer + - type: string + description: targetAverageValue is the target per-pod value of global metric (as a quantity). Mutually exclusive with TargetValue. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + targetValue: + anyOf: + - type: integer + - type: string + description: targetValue is the target value of the metric (as a quantity). Mutually exclusive with TargetAverageValue. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - metricName + type: object + object: + description: object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object). 
+ properties: + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of the average of the metric across all relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + metricName: + description: metricName is the name of the metric in question. + type: string + selector: + description: selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + target: + description: target is the described Kubernetes object. + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + required: + - kind + - name + type: object + targetValue: + anyOf: + - type: integer + - type: string + description: targetValue is the target value of the metric (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - metricName + - target + - targetValue + type: object + pods: + description: pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value. + properties: + metricName: + description: metricName is the name of the metric in question + type: string + selector: + description: selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + targetAverageValue: + anyOf: + - type: integer + - type: string + description: targetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - metricName + - targetAverageValue + type: object + resource: + description: resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. + properties: + name: + description: name is the name of the resource in question. + type: string + targetAverageUtilization: + description: targetAverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. 
+ format: int32 + type: integer + targetAverageValue: + anyOf: + - type: integer + - type: string + description: targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - name + type: object + type: + description: type is the type of metric source. It should be one of "Object", "Pods" or "Resource", each mapping to a matching field in the object. + type: string + required: + - type + type: object + type: array + minReplicas: + format: int32 + type: integer + required: + - maxReplicas + type: object + metadata: + type: object + replicas: + format: int32 + type: integer + spec: + description: PodSpec is a description of a pod. + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements by node's fields. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. 
+ type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements by node's fields. + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. 
The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + type: boolean + containers: + description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. + items: + description: A single application container that you want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. 
The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. Cannot be updated. + items: + description: EnvVar represents an environment variable present in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + type: object + type: array + image: + description: 'Docker image name. 
More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' 
+ type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. 
Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. + items: + description: ContainerPort represents a network port in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + type: string + protocol: + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. 
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + securityContext: + description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. + type: boolean + procMount: + description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. Default is false. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: object + windowsOptions: + description: The Windows specific settings applied to all containers. 
If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + runAsUserName: + description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is beta-level and may be disabled with the WindowsRunAsUserName feature flag. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. 
If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. + items: + description: volumeDevice describes a mapping of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. 
+ type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume within a container. + properties: + mountPath: + description: Path within the container at which the volume should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy. 
+ properties: + nameservers: + description: A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. 
This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature. + items: + description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag. + properties: + args: + description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. Cannot be updated. + items: + description: EnvVar represents an environment variable present in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. 
+ items: + description: EnvFromSource represents the source of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + type: object + type: array + image: + description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral containers. + properties: + postStart: + description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
+ format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers. + type: string + ports: + description: Ports are not allowed for ephemeral containers. + items: + description: ContainerPort represents a network port in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + type: string + protocol: + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + readinessProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + securityContext: + description: SecurityContext is not allowed for ephemeral containers. + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. + type: boolean + procMount: + description: procMount denotes the type of proc mount to use for the containers. 
The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. Default is false. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. 
+ type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: object + windowsOptions: + description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + runAsUserName: + description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is beta-level and may be disabled with the WindowsRunAsUserName feature flag. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral containers. + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. 
Default is false + type: boolean + targetContainerName: + description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature. + type: string + terminationMessagePath: + description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. + items: + description: volumeDevice describes a mapping of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. 
+ type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume within a container. + properties: + mountPath: + description: Path within the container at which the volume should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods. 
+ items: + description: HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: Default to false.' + type: boolean + hostNetwork: + description: Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: Default to false.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + initContainers: + description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. 
If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + items: + description: A single application container that you want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. Cannot be updated. + items: + description: EnvVar represents an environment variable present in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. 
+ items: + description: EnvFromSource represents the source of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + type: object + type: array + image: + description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' 
+ type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. + items: + description: ContainerPort represents a network port in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME and unique within the pod. 
Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + type: string + protocol: + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + securityContext: + description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. 
AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. + type: boolean + procMount: + description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. Default is false. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: object + windowsOptions: + description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. 
+ type: string + runAsUserName: + description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is beta-level and may be disabled with the WindowsRunAsUserName feature flag. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. 
+ properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be populated. 
File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. + items: + description: volumeDevice describes a mapping of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume within a container. + properties: + mountPath: + description: Path within the container at which the volume should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). 
+ type: string + subPathExpr: + description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. 
If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.' + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is alpha-level and is only honored by servers that enable the NonPreemptingPriority feature. + type: string + priority: + description: The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority. + format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will be evaluated for pod readiness. 
A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' + items: + description: PodReadinessGate contains the reference to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.' + type: string + schedulerName: + description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. + type: string + securityContext: + description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.' + properties: + fsGroup: + description: "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. 
The permission bits are OR'd with rw-rw---- \n If unset, the Kubelet will not modify the ownership and permissions of any volume." + format: int64 + type: integer + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. 
+ type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: object + supplementalGroups: + description: A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + runAsUserName: + description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. 
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is beta-level and may be disabled with the WindowsRunAsUserName feature flag. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + shareProcessNamespace: + description: 'Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname will be "...svc.". If not specified, the pod will not have a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. This field is alpha-level and is only honored by clusters that enables the EvenPodsSpread feature. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. 
Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + maxSkew: + description: 'MaxSkew describes the degree to which pods may be unevenly distributed. It''s the maximum permitted difference between the number of matching pods in any two topology domains of a given topology type. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. 
It''s a required field. Default value is 1 and 0 is not allowed.' + format: int32 + type: integer + topologyKey: + description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into each bucket. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it - ScheduleAnyway tells the scheduler to still schedule it It''s considered as "Unsatisfiable" if and only if placing incoming pod on any topology violates "MaxSkew". For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won''t make it *more* imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + type: object + type: array + required: + - containers + type: object + type: object + type: array + engineResources: + description: ResourceRequirements describes the compute resource requirements. 
+ properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + explainer: + properties: + config: + additionalProperties: + type: string + type: object + containerSpec: + description: A single application container that you want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. 
The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. Cannot be updated. + items: + description: EnvVar represents an environment variable present in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + type: object + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + type: object + type: array + image: + description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. 
One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' 
+ type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. 
Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. + items: + description: ContainerPort represents a network port in a single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + type: string + protocol: + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. 
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + securityContext: + description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. + type: boolean + procMount: + description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. Default is false. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + type: object + windowsOptions: + description: The Windows specific settings applied to all containers. 
If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. + type: string + runAsUserName: + description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is beta-level and may be disabled with the WindowsRunAsUserName feature flag. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. 
If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. + items: + description: volumeDevice describes a mapping of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. 
+ type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume within a container. + properties: + mountPath: + description: Path within the container at which the volume should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. 
+ type: string + required: + - name + type: object + endpoint: + properties: + service_host: + type: string + service_port: + format: int32 + type: integer + type: + type: string + type: object + envSecretRefName: + type: string + modelUri: + type: string + serviceAccountName: + type: string + type: + type: string + type: object + graph: + properties: + children: + items: + properties: + children: + items: + properties: + children: + items: + properties: + children: + items: + properties: + endpoint: + properties: + service_host: + type: string + service_port: + format: int32 + type: integer + type: + type: string + type: object + envSecretRefName: + type: string + implementation: + type: string + logger: + description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + methods: + items: + type: string + type: array + modelUri: + type: string + name: + type: string + parameters: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + type: object + type: array + serviceAccountName: + type: string + type: + type: string + type: object + type: array + endpoint: + properties: + service_host: + type: string + service_port: + format: int32 + type: integer + type: + type: string + type: object + envSecretRefName: + type: string + implementation: + type: string + logger: + description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. 
+ properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + methods: + items: + type: string + type: array + modelUri: + type: string + name: + type: string + parameters: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + type: object + type: array + serviceAccountName: + type: string + type: + type: string + type: object + type: array + endpoint: + properties: + service_host: + type: string + service_port: + format: int32 + type: integer + type: + type: string + type: object + envSecretRefName: + type: string + implementation: + type: string + logger: + description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + methods: + items: + type: string + type: array + modelUri: + type: string + name: + type: string + parameters: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + type: object + type: array + serviceAccountName: + type: string + type: + type: string + type: object + type: array + endpoint: + properties: + service_host: + type: string + service_port: + format: int32 + type: integer + type: + type: string + type: object + envSecretRefName: + type: string + implementation: + type: string + logger: + description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. 
+ properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + methods: + items: + type: string + type: array + modelUri: + type: string + name: + type: string + parameters: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + type: object + type: array + serviceAccountName: + type: string + type: + type: string + type: object + type: array + endpoint: + properties: + service_host: + type: string + service_port: + format: int32 + type: integer + type: + type: string + type: object + envSecretRefName: + type: string + implementation: + type: string + logger: + description: Request/response payload logging. v2alpha1 feature that is added to v1 for backwards compatibility while v1 is the storage version. + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + methods: + items: + type: string + type: array + modelUri: + type: string + name: + type: string + parameters: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + required: + - name + - type + - value + type: object + type: array + serviceAccountName: + type: string + type: + type: string + required: + - name + type: object + labels: + additionalProperties: + type: string + type: object + name: + type: string + replicas: + format: int32 + type: integer + shadow: + type: boolean + svcOrchSpec: + properties: + env: + items: + description: EnvVar represents an environment variable present in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. 
If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + replicas: + format: int32 + type: integer + resources: + description: ResourceRequirements describes the compute resource requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + type: object + traffic: + format: int32 + type: integer + required: + - graph + - name + type: object + type: array + protocol: + type: string + replicas: + format: int32 + type: integer + transport: + type: string + required: + - predictors + type: object + status: + description: SeldonDeploymentStatus defines the observed state of SeldonDeployment + properties: + address: + description: 'Addressable placeholder until duckv1 issue is fixed: https://github.com/kubernetes-sigs/controller-tools/issues/391' + properties: + url: + type: string + type: object + deploymentStatus: + additionalProperties: + properties: + availableReplicas: + format: int32 + type: integer + description: + type: string + explainerFor: + type: string + name: + type: string + replicas: + format: int32 + type: integer + status: + type: string + type: object + type: object + description: + type: string + replicas: + format: int32 + type: integer + serviceStatus: + additionalProperties: + properties: + explainerFor: + type: string + grpcEndpoint: + type: string + httpEndpoint: + type: string + svcName: + type: string + type: object + type: object + state: + type: string + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true + - name: v1alpha2 + served: true 
+ storage: false + - name: v1alpha3 + served: true + storage: false +--- +# Source: seldon-core-operator/templates/clusterrole_seldon-manager-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-manager-role-kubeflow +rules: +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +- apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get + - patch + - update +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers/status + verbs: + - get + - patch + - update +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments/finalizers + verbs: + - get + - patch + - update +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.istio.io + resources: + - destinationrules + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.istio.io + resources: + - destinationrules/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - create 
+ - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.istio.io + resources: + - virtualservices/status + verbs: + - get + - patch + - update +- apiGroups: + - v1 + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - v1 + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - v1 + resources: + - services/status + verbs: + - get + - patch + - update +--- +# Source: seldon-core-operator/templates/clusterrole_seldon-manager-sas-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-manager-sas-role-kubeflow +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - get + - list + - watch +--- +# Source: seldon-core-operator/templates/clusterrole_seldon-webhook-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-webhook-role-kubeflow +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - create + - update +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - get + - patch + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions/finalizers + verbs: + - 
get + - patch + - update +--- +# Source: seldon-core-operator/templates/clusterrolebinding_seldon-manager-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-manager-rolebinding-kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: seldon-manager-role-kubeflow +subjects: +- kind: ServiceAccount + name: 'seldon-manager' + namespace: 'kubeflow' +--- +# Source: seldon-core-operator/templates/clusterrolebinding_seldon-manager-sas-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-manager-sas-rolebinding-kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: seldon-manager-sas-role-kubeflow +subjects: +- kind: ServiceAccount + name: seldon-manager + namespace: 'kubeflow' +--- +# Source: seldon-core-operator/templates/clusterrolebinding_seldon-webhook-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-webhook-rolebinding-kubeflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: seldon-webhook-role-kubeflow +subjects: +- kind: ServiceAccount + name: seldon-manager + namespace: 'kubeflow' +--- +# Source: seldon-core-operator/templates/role_seldon-leader-election-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + 
app.kubernetes.io/version: '1.1.0' + name: seldon-leader-election-role + namespace: 'kubeflow' +rules: +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - '' + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - '' + resources: + - events + verbs: + - create +--- +# Source: seldon-core-operator/templates/rolebinding_seldon-leader-election-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-leader-election-rolebinding + namespace: 'kubeflow' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: seldon-leader-election-role +subjects: +- kind: ServiceAccount + name: seldon-manager + namespace: 'kubeflow' +--- +# Source: seldon-core-operator/templates/service_seldon-webhook-service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-webhook-service + namespace: 'kubeflow' +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: seldon + app.kubernetes.io/instance: seldon1 + app.kubernetes.io/name: seldon + app.kubernetes.io/version: v0.5 + control-plane: seldon-controller-manager +--- +# Source: seldon-core-operator/templates/deployment_seldon-controller-manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + control-plane: seldon-controller-manager + name: seldon-controller-manager + namespace: 'kubeflow' +spec: + replicas: 1 + selector: + matchLabels: + app: seldon + 
app.kubernetes.io/instance: seldon1 + app.kubernetes.io/name: seldon + app.kubernetes.io/version: v0.5 + control-plane: seldon-controller-manager + template: + metadata: + annotations: + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' + labels: + app: seldon + app.kubernetes.io/instance: seldon1 + app.kubernetes.io/name: seldon + app.kubernetes.io/version: v0.5 + control-plane: seldon-controller-manager + spec: + containers: + - args: + - --enable-leader-election + - --webhook-port=443 + - --create-resources=$(CREATE_RESOURCES) + - '' + command: + - /manager + env: + - name: WATCH_NAMESPACE + value: '' + - name: RELATED_IMAGE_EXECUTOR + value: '' + - name: RELATED_IMAGE_ENGINE + value: '' + - name: CREATE_RESOURCES + value: 'false' + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONTROLLER_ID + value: '' + - name: AMBASSADOR_ENABLED + value: 'true' + - name: AMBASSADOR_SINGLE_NAMESPACE + value: 'false' + - name: ENGINE_CONTAINER_IMAGE_AND_VERSION + value: 'docker.io/seldonio/engine:1.1.0' + - name: ENGINE_CONTAINER_IMAGE_PULL_POLICY + value: 'IfNotPresent' + - name: ENGINE_CONTAINER_SERVICE_ACCOUNT_NAME + value: 'default' + - name: ENGINE_CONTAINER_USER + value: '8888' + - name: ENGINE_LOG_MESSAGES_EXTERNALLY + value: 'false' + - name: PREDICTIVE_UNIT_SERVICE_PORT + value: '9000' + - name: PREDICTIVE_UNIT_DEFAULT_ENV_SECRET_REF_NAME + value: '' + - name: ENGINE_SERVER_GRPC_PORT + value: '5001' + - name: ENGINE_SERVER_PORT + value: '8000' + - name: ENGINE_PROMETHEUS_PATH + value: '/prometheus' + - name: ISTIO_ENABLED + value: 'true' + - name: ISTIO_GATEWAY + value: 'kubeflow/kubeflow-gateway' + - name: ISTIO_TLS_MODE + value: '' + - name: USE_EXECUTOR + value: 'true' + - name: EXECUTOR_CONTAINER_IMAGE_AND_VERSION + value: 'docker.io/seldonio/seldon-core-executor:1.1.0' + - name: EXECUTOR_CONTAINER_IMAGE_PULL_POLICY + value: 'IfNotPresent' + - name: EXECUTOR_PROMETHEUS_PATH + value: '/prometheus' + - name: 
EXECUTOR_SERVER_GRPC_PORT + value: '5001' + - name: EXECUTOR_SERVER_PORT + value: '8000' + - name: EXECUTOR_CONTAINER_USER + value: '8888' + - name: EXECUTOR_CONTAINER_SERVICE_ACCOUNT_NAME + value: 'default' + - name: EXECUTOR_REQUEST_LOGGER_DEFAULT_ENDPOINT_PREFIX + value: 'http://default-broker.' + - name: DEFAULT_USER_ID + value: '' + image: 'docker.io/seldonio/seldon-core-operator:1.1.0' + imagePullPolicy: 'IfNotPresent' + name: manager + ports: + - containerPort: 443 + name: webhook-server + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + resources: + limits: + cpu: '500m' + memory: '300Mi' + requests: + cpu: '100m' + memory: '200Mi' + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + serviceAccountName: seldon-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: seldon-webhook-server-cert +--- +# Source: seldon-core-operator/templates/certificate_seldon-serving-cert.yaml +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-serving-cert + namespace: 'kubeflow' +spec: + commonName: 'seldon-webhook-service.kubeflow.svc' + dnsNames: + - 'seldon-webhook-service.kubeflow.svc.cluster.local' + - 'seldon-webhook-service.kubeflow.svc' + issuerRef: + kind: Issuer + name: seldon-selfsigned-issuer + secretName: seldon-webhook-server-cert +--- +# Source: seldon-core-operator/templates/issuer_seldon-selfsigned-issuer.yaml +apiVersion: cert-manager.io/v1alpha2 +kind: Issuer +metadata: + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-selfsigned-issuer + namespace: 'kubeflow' +spec: + selfSigned: {} +--- +# Source: 
seldon-core-operator/templates/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: 'kubeflow/seldon-serving-cert' + creationTimestamp: null + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-mutating-webhook-configuration-kubeflow +webhooks: +- clientConfig: + caBundle: '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' + service: + name: seldon-webhook-service + namespace: 'kubeflow' + path: /mutate-machinelearning-seldon-io-v1-seldondeployment + failurePolicy: Fail + name: v1.mseldondeployment.kb.io + namespaceSelector: + matchExpressions: + - key: seldon.io/controller-id + operator: DoesNotExist + matchLabels: + serving.kubeflow.org/inferenceservice: enabled + rules: + - apiGroups: + - machinelearning.seldon.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - seldondeployments +- clientConfig: + caBundle: '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' + service: + name: seldon-webhook-service + namespace: 'kubeflow' + path: /mutate-machinelearning-seldon-io-v1alpha2-seldondeployment + failurePolicy: Fail + name: v1alpha2.mseldondeployment.kb.io + namespaceSelector: + matchExpressions: + - key: seldon.io/controller-id + operator: DoesNotExist + matchLabels: + serving.kubeflow.org/inferenceservice: enabled + rules: + - apiGroups: + - machinelearning.seldon.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - seldondeployments +- clientConfig: + caBundle: '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' + service: + name: seldon-webhook-service + namespace: 'kubeflow' + path: /mutate-machinelearning-seldon-io-v1alpha3-seldondeployment + failurePolicy: Fail + name: v1alpha3.mseldondeployment.kb.io + namespaceSelector: + matchExpressions: + - key: 
seldon.io/controller-id + operator: DoesNotExist + matchLabels: + serving.kubeflow.org/inferenceservice: enabled + rules: + - apiGroups: + - machinelearning.seldon.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - seldondeployments +--- +# Source: seldon-core-operator/templates/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: 'kubeflow/seldon-serving-cert' + creationTimestamp: null + labels: + app: seldon + app.kubernetes.io/instance: 'seldon-core' + app.kubernetes.io/name: 'seldon-core-operator' + app.kubernetes.io/version: '1.1.0' + name: seldon-validating-webhook-configuration-kubeflow +webhooks: +- clientConfig: + caBundle: 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCRENDQWV5Z0F3SUJBZ0lRUzQ4aWc4UDJxYytTZ2o1dXBXcllDekFOQmdrcWhraUc5dzBCQVFzRkFEQWMKTVJvd0dBWURWUVFERXhGamRYTjBiMjB0YldWMGNtbGpjeTFqWVRBZUZ3MHlNREEwTVRjd09UQTROREZhRncweQpNVEEwTVRjd09UQTROREZhTUJ3eEdqQVlCZ05WQkFNVEVXTjFjM1J2YlMxdFpYUnlhV056TFdOaE1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXV4L0wzb2F6N1JkVGhWc3dKV1JJZVhjV1RLYS8KbDZaK0kxZVIxUEZKd0gwZko5aisrWjdTMWxsMGRxT3ZiZUxmejJ4cHpaNGZZdy9zZFhkYSswd2xxTHVxdmJJbgpUL0hJRTA0aFFBYW1zcXBFRzFlR3RrSkpuTXMxTTRiSUVPT0tjZHkyNlNYN3JmV2cxaHZBdmJ3ekExY0hMQklsCk1kZmxSUDFyVmNZWFNRNmNhWDNWK1d0YnhZbWcvT3RsRHR5bGxISGlGQld0d2ZyaTlNVjJZbitQQ2lZZllUTzUKOEp2VXFxcHYrS3R2UmxrVUxPZzVLeUJzZlk3SGdaK1B6ZzJHZ2NZc2ZDeHdQMFFrRVpQZEpZeWZxSm9Dd3U0cQpWdVJTRWVGRSt4bnhpcnZRQUhSRTFpTFFjQ2IrQ2lOQWR3aU5hano4cHFiTmhJeXFQZUo3MjRIM0tRSURBUUFCCm8wSXdRREFPQmdOVkhROEJBZjhFQkFNQ0FxUXdIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUYKQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFETlhYTzBvNzVOUgpQWmRDNks2Y2g5bUlJWlV5dFJ0QnVrK0tLVHFtMk5kOW5lVFFoRUg5dGl0eGZjRmNEMmUyOVdnSjBvTDlaNkFUCnZEbUVrQ3pxbm11K3hHRjdJR2ZGZ0t1ZGFpVU9LZXVMazNVeVVDeXI1VVVHUWRUWDI2cFVrd011RllHSTU5ZU4KY0gxeUI4VDZaQ1dtYWhzZTJHU2hkVVVZNmYyYytDNmJTZ3owZDNnM
nVSVk5kc1RjVjV2amczVGd2a3VIUlZNZQp0UXJDeFRJV005VUEwUWo4VUdQKzNCVGNhZlE0LzIzTVczTWxiZTBOVG9McTNiMHZ0ZFhNbmlFb1ZrUmJpaDNsClA4dnhTVXFmQ2JlbFF0ZXBhdWZxRTJXb25WWDRha092dnNKVUtpcmcxbENoZ3k3YXJwMjhydmQxdkMwVDJqdHYKMW9nSlh6Sk5MUlk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K' + service: + name: seldon-webhook-service + namespace: 'kubeflow' + path: /validate-machinelearning-seldon-io-v1-seldondeployment + failurePolicy: Fail + name: v1.vseldondeployment.kb.io + namespaceSelector: + matchExpressions: + - key: seldon.io/controller-id + operator: DoesNotExist + matchLabels: + serving.kubeflow.org/inferenceservice: enabled + rules: + - apiGroups: + - machinelearning.seldon.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - seldondeployments +- clientConfig: + caBundle: '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' + service: + name: seldon-webhook-service + namespace: 'kubeflow' + path: /validate-machinelearning-seldon-io-v1alpha2-seldondeployment + failurePolicy: Fail + name: v1alpha2.vseldondeployment.kb.io + namespaceSelector: + matchExpressions: + - key: seldon.io/controller-id + operator: DoesNotExist + matchLabels: + serving.kubeflow.org/inferenceservice: enabled + rules: + - apiGroups: + - machinelearning.seldon.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - seldondeployments +- clientConfig: + caBundle: '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' + service: + name: seldon-webhook-service + namespace: 'kubeflow' + path: /validate-machinelearning-seldon-io-v1alpha3-seldondeployment + failurePolicy: Fail + name: v1alpha3.vseldondeployment.kb.io + namespaceSelector: + matchExpressions: + - key: seldon.io/controller-id + operator: DoesNotExist + matchLabels: + serving.kubeflow.org/inferenceservice: enabled + rules: + - apiGroups: + - machinelearning.seldon.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - seldondeployments 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/application.yaml
new file mode 100644
index 0000000000..6a5e4d1c01
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/application.yaml
@@ -0,0 +1,41 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: seldon-core-operator
+spec:
+ componentKinds:
+ - group: apps/v1
+ kind: StatefulSet
+ - group: v1
+ kind: Service
+ - group: apps/v1
+ kind: Deployment
+ - group: v1
+ kind: Secret
+ - group: v1
+ kind: ConfigMap
+ description: Seldon allows users to create ML Inference Graphs to deploy their models
+ and serve predictions
+ icons: null
+ keywords:
+ - seldon
+ - inference
+ links:
+ - description: Docs
+ url: https://docs.seldon.io/projects/seldon-core/en/v1.1.0/
+ maintainers:
+ - email: dev@seldon.io
+ name: Seldon
+ owners:
+ - email: dev@seldon.io
+ name: Seldon
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: seldon
+ app.kubernetes.io/instance: seldon-1.15
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/name: seldon
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: '1.15'
+ type: seldon-core-operator
+ version: v1
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..905ed600a8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/seldon-core-operator/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: seldon
+ app.kubernetes.io/name: seldon-core-operator
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/values.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/values.yaml
new file mode 100644
index 0000000000..039b12fc25
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/seldon/values.yaml
@@ -0,0 +1,160 @@
+# # Seldon Core Operator
+# Below are the default values when installing Seldon Core
+
+# ## Ingress Options
+# You are able to choose between Istio and Ambassador
+
+# If you have ambassador installed you can just use the enabled flag
+ambassador:
+ enabled: true
+ singleNamespace: false
+# When activating Istio, respecive virtual services will be created
+# You must make sure you create the seldon-gateway as well
+istio:
+ enabled: true
+ gateway: kubeflow/kubeflow-gateway
+ tlsMode: ""
+
+# ## Install with Cert Manager
+# See installation page in documentation for more information
+certManager:
+ enabled: true
+
+# ## Install with limited namespace visibility
+# If you want to ensure seldon-core-controller can only have visibility
+# to specifci namespaces you can set the controllerId
+controllerId: ""
+
+# Whether to create the webhook service, and webhookconfigurations on startup
+createResources: false
+
+# Default user id to add to all Pod Security Context as the default
+# Use this to ensure all container run as non-root by default
+# For openshift leave blank as usually this will be injected automatically on an openshift cluster
+# to all pods.
+defaultUserID: ""
+
+# ## Service Orchestrator (Executor)
+# The executor is the default service orchestrator which has superceeded the "Java Engine"
+executor:
+ enabled: true
+ port: 8000
+ grpc:
+ port: 5001
+ image:
+ pullPolicy: IfNotPresent
+ registry: docker.io
+ repository: seldonio/seldon-core-executor
+ tag: 1.1.0
+ prometheus:
+ path: /prometheus
+ serviceAccount:
+ name: default
+ user: 8888
+# If you want to make available your own request logger for ELK integration you can set this
+# For more information see the Production Integration for Payload Request Logging with ELK in the docs
+ defaultRequestLoggerEndpointPrefix: 'http://default-broker.'
+
+# ## Seldon Core Controller Manager Options
+image:
+ pullPolicy: IfNotPresent
+ registry: docker.io
+ repository: seldonio/seldon-core-operator
+ tag: 1.1.0
+manager:
+ cpuLimit: 500m
+ cpuRequest: 100m
+ memoryLimit: 300Mi
+ memoryRequest: 200Mi
+rbac:
+ configmap:
+ create: true
+ create: true
+serviceAccount:
+ create: true
+ name: seldon-manager
+singleNamespace: false
+storageInitializer:
+ cpuLimit: "1"
+ cpuRequest: 100m
+ image: gcr.io/kfserving/storage-initializer:0.2.2
+ memoryLimit: 1Gi
+ memoryRequest: 100Mi
+usageMetrics:
+ enabled: false
+webhook:
+ port: 443
+
+# ## Predictive Unit Values
+predictiveUnit:
+ port: 9000
+ # If you would like to add extra environment variables to the init container to make available
+ # secrets such as cloud credentials, you can provide a default secret name that will be loaded
+ # to all the containers. You can then override this using the envSecretRefName in SeldonDeployments
+ defaultEnvSecretRefName: ""
+predictor_servers:
+ MLFLOW_SERVER:
+ grpc:
+ defaultImageVersion: "0.4"
+ image: seldonio/mlflowserver_grpc
+ rest:
+ defaultImageVersion: "0.4"
+ image: seldonio/mlflowserver_rest
+ SKLEARN_SERVER:
+ grpc:
+ defaultImageVersion: "0.2"
+ image: seldonio/sklearnserver_grpc
+ rest:
+ defaultImageVersion: "0.2"
+ image: seldonio/sklearnserver_rest
+ TENSORFLOW_SERVER:
+ grpc:
+ defaultImageVersion: "0.7"
+ image: seldonio/tfserving-proxy_grpc
+ rest:
+ defaultImageVersion: "0.7"
+ image: seldonio/tfserving-proxy_rest
+ tensorflow: true
+ tfImage: tensorflow/serving:2.1.0
+ XGBOOST_SERVER:
+ grpc:
+ defaultImageVersion: "0.3"
+ image: seldonio/xgboostserver_grpc
+ rest:
+ defaultImageVersion: "0.3"
+ image: seldonio/xgboostserver_rest
+
+# ## Other
+# You can choose the crds to not be installed if you already installed them
+crd:
+ create: true
+
+# Warning: credentials will be depricated soon, please use defaultEnvSecretRefName above
+# For more info please check the documentation
+credentials:
+ gcs:
+ gcsCredentialFileName: gcloud-application-credentials.json
+ s3:
+ s3AccessKeyIDName: awsAccessKeyID
+ s3SecretAccessKeyName: awsSecretAccessKey
+
+kubeflow: true
+
+# ## Engine parameters
+# Warning: Engine is being depricated in favour of Orchestrator
+# FOr more information please read the Upgrading section in the documentation
+engine:
+ grpc:
+ port: 5001
+ image:
+ pullPolicy: IfNotPresent
+ registry: docker.io
+ repository: seldonio/engine
+ tag: 1.1.0
+ logMessagesExternally: false
+ port: 8000
+ prometheus:
+ path: /prometheus
+ serviceAccount:
+ name: default
+ user: 8888
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/Kube-descriptor.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/Kube-descriptor.yaml
new file mode 100644
index 0000000000..7174effa26
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/Kube-descriptor.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1beta2-1.1.0-2.4.5
+description: Spark operator based on https://github.com/GoogleCloudPlatform/spark-on-k8s-operator
+home: https://github.com/kubeflow/manifests/spark-operator
+keywords:
+- spark
+kubeVersion: '>=1.8.0-0'
+maintainers:
+- email: holden.karau@gmail.com
+ name: holdenk
+name: sparkoperator
+version: 0.4.0
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/cr-clusterrole.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/cr-clusterrole.yaml
new file mode 100644
index 0000000000..aa94476386
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/cr-clusterrole.yaml
@@ -0,0 +1,72 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: operator-cr
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - create
+ - get
+ - delete
+ - update
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - get
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - update
+ - patch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+ - get
+ - update
+ - delete
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - create
+ - get
+ - update
+ - delete
+- apiGroups:
+ - sparkoperator.k8s.io
+ resources:
+ - sparkapplications
+ - scheduledsparkapplications
+ - sparkapplications/status
+ - scheduledsparkapplications/status
+ verbs:
+ - '*'
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/crb.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/crb.yaml
new file mode 100644
index 0000000000..13ff66827a
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/crb.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sparkoperator-crb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: operator-cr
+subjects:
+- kind: ServiceAccount
+ name: operator-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/deploy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/deploy.yaml
new file mode 100644
index 0000000000..3e28da57f3
--- /dev/null
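Review bot: In cr-clusterrole.yaml the second rule grants `create`, `get`, `delete` and `update` on `secrets` inside a ClusterRole, and crb.yaml (the next file on this line) binds `operator-cr` with a ClusterRoleBinding, so the operator's service account can read and replace Secrets in every namespace rather than only where Spark jobs run. The same role also carries `'*'` on `pods` and write access to `customresourcedefinitions` and `mutatingwebhookconfigurations` cluster-wide. If the operator only has to serve a known set of namespaces, I would move the `pods`/`services`/`configmaps`/`secrets` rules into a namespaced Role bound per namespace, and limit the `get`/`update`/`delete` verbs on the webhook rule with `resourceNames: [<operator-webhook-config-name>]`; the args visible in deploy.yaml pass no webhook flag, so that rule may be droppable entirely (to be confirmed against the operator's documentation). Because the file sits under `upstream/`, the restriction probably belongs in an overlay patch rather than an edit to this copy.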
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/deploy.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sparkoperator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: sparkoperator
+ app.kubernetes.io/version: v1beta2-1.1.0-2.4.5
+ kustomize.component: spark-operator
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "10254"
+ prometheus.io/scrape: "true"
+ sidecar.istio.io/inject: "false"
+ labels:
+ app.kubernetes.io/name: sparkoperator
+ app.kubernetes.io/version: v1beta2-1.1.0-2.4.5
+ kustomize.component: spark-operator
+ spec:
+ containers:
+ - args:
+ - -v=2
+ - -namespace=
+ - -ingress-url-format=
+ - -controller-threads=10
+ - -resync-interval=30
+ - -logtostderr
+ - -enable-metrics=true
+ - -metrics-labels=app_type
+ - -metrics-port=10254
+ - -metrics-endpoint=/metrics
+ - -metrics-prefix=
+ image: gcr.io/spark-operator/spark-operator:v1beta2-1.1.0-2.4.5
+ imagePullPolicy: IfNotPresent
+ name: sparkoperator
+ ports:
+ - containerPort: 10254
+ serviceAccountName: operator-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/kustomization.yaml
new file mode 100644
index 0000000000..50eb16bb3e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/kustomization.yaml
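Review bot: The `sparkoperator` container in deploy.yaml has no `securityContext` and no `resources` block, so it runs with the image's default user and capabilities while using `operator-sa`, the account bound to the cluster-wide `operator-cr` role. I would add a container-level securityContext as in the fence below (through an overlay patch, since this file is under `upstream/`) and set requests and limits the way the seldon manager Deployment earlier in this patch does. `-namespace=` is left empty, which presumably makes the operator watch all namespaces; if only some namespaces run Spark jobs, setting it would let the RBAC be narrowed to match.

```yaml
        name: sparkoperator
        # … unchanged: ports …
        securityContext:
          allowPrivilegeEscalation: false
          # confirm the image's default user is non-root before enabling
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
```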
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+commonLabels:
+ app.kubernetes.io/name: sparkoperator
+ kustomize.component: spark-operator
+images:
+- name: gcr.io/spark-operator/spark-operator
+ newName: gcr.io/spark-operator/spark-operator
+ newTag: v1beta2-1.1.0-2.4.5
+kind: Kustomization
+namePrefix: spark-operator
+namespace: kubeflow
+resources:
+- spark-sa.yaml
+- cr-clusterrole.yaml
+- crb.yaml
+- deploy.yaml
+- operator-sa.yaml
+- role.yaml
+- rolebinding.yaml
+- sparkapplications.sparkoperator.k8s.io-crd.yaml
+- scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/operator-sa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/operator-sa.yaml
new file mode 100644
index 0000000000..a0754ee50d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/operator-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: operator-sa
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/role.yaml
new file mode 100644
index 0000000000..b32b86ec65
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/role.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: spark-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/rolebinding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/rolebinding.yaml
new file mode 100644
index 0000000000..fc3ae1d7e1
--- /dev/null
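Review bot: The `images` entry in the spark-operator kustomization.yaml pins `gcr.io/spark-operator/spark-operator` by tag only (`newTag: v1beta2-1.1.0-2.4.5`), and deploy.yaml sets `imagePullPolicy: IfNotPresent`, so what runs depends on whatever the tag resolves to when a node first pulls it. For an image that runs with the cluster-wide `operator-cr` permissions I would pin the reviewed build by adding `digest: sha256:<digest-of-reviewed-image>` to that entry.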
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: spark-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: spark-role
+subjects:
+- kind: ServiceAccount
+ name: spark
+
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml
new file mode 100644
index 0000000000..7bcfba7719
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml
@@ -0,0 +1,2546 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: scheduledsparkapplications.sparkoperator.k8s.io +spec: + group: sparkoperator.k8s.io + names: + kind: ScheduledSparkApplication + listKind: ScheduledSparkApplicationList + plural: scheduledsparkapplications + shortNames: + - scheduledsparkapp + singular: scheduledsparkapplication + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + concurrencyPolicy: + type: string + failedRunHistoryLimit: + format: int32 + type: integer + schedule: + type: string + successfulRunHistoryLimit: + format: int32 + type: integer + suspend: + type: boolean + template: + properties: + arguments: + items: + type: string + type: array + batchScheduler: + type: string + batchSchedulerOptions: + properties: + priorityClassName: + type: string + queue: + type: string + type: object + deps: + properties: + downloadTimeout: + format: int32 + minimum: 1 + type: integer + files: + items: + type: string + type: array + filesDownloadDir: + type: string + jars: + items: + type: string + type: array + jarsDownloadDir: + type: string + maxSimultaneousDownloads: + format: int32 + minimum: 1 + type: integer + pyFiles: + items: + type: string + type: array + type: object + driver: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: 
object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + 
preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + 
gpu: + properties: + name: + type: string + quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + podName: + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + type: string + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + serviceAccount: + type: string + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + 
secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + 
items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + 
type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + executor: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - 
operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + 
type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + coreRequest: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: 
string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + gpu: + properties: + name: + type: string + quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + instances: + format: int32 + minimum: 1 + type: integer + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - 
fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + 
properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + 
additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + failureRetries: + format: int32 + type: integer + hadoopConf: + additionalProperties: + type: string + type: object + hadoopConfigMap: + type: string + 
image: + type: string + imagePullPolicy: + type: string + imagePullSecrets: + items: + type: string + type: array + initContainerImage: + type: string + mainApplicationFile: + type: string + mainClass: + type: string + memoryOverheadFactor: + type: string + mode: + enum: + - cluster + - client + type: string + monitoring: + properties: + exposeDriverMetrics: + type: boolean + exposeExecutorMetrics: + type: boolean + metricsProperties: + type: string + prometheus: + properties: + configFile: + type: string + configuration: + type: string + jmxExporterJar: + type: string + port: + format: int32 + maximum: 49151 + minimum: 1024 + type: integer + required: + - jmxExporterJar + type: object + required: + - exposeDriverMetrics + - exposeExecutorMetrics + type: object + nodeSelector: + additionalProperties: + type: string + type: object + pythonVersion: + enum: + - "2" + - "3" + type: string + restartPolicy: + properties: + onFailureRetries: + format: int32 + minimum: 0 + type: integer + onFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + onSubmissionFailureRetries: + format: int32 + minimum: 0 + type: integer + onSubmissionFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + type: + enum: + - Never + - Always + - OnFailure + type: string + type: object + retryInterval: + format: int64 + type: integer + sparkConf: + additionalProperties: + type: string + type: object + sparkConfigMap: + type: string + sparkVersion: + type: string + timeToLiveSeconds: + format: int64 + type: integer + type: + enum: + - Java + - Python + - Scala + - R + type: string + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + 
readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + type: string + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + 
additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + 
format: int32 + type: integer + sources: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + required: + - sources + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + 
secretRef: + properties: + name: + type: string + type: object + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - driver + - executor + - mainApplicationFile + - sparkVersion + - type + type: object + required: + - schedule + - template + type: object + required: + - metadata + - spec + type: object + version: v1beta2 + versions: + - name: v1beta2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/spark-sa.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/spark-sa.yaml new file mode 100644 index 0000000000..ebbc7dff7b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/spark-sa.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spark + namespace: kubeflow 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/sparkapplications.sparkoperator.k8s.io-crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/sparkapplications.sparkoperator.k8s.io-crd.yaml
new file mode 100644
index 0000000000..74065d68f7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/base/sparkapplications.sparkoperator.k8s.io-crd.yaml
@@ -0,0 +1,2528 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sparkapplications.sparkoperator.k8s.io +spec: + group: sparkoperator.k8s.io + names: + kind: SparkApplication + listKind: SparkApplicationList + plural: sparkapplications + shortNames: + - sparkapp + singular: sparkapplication + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + arguments: + items: + type: string + type: array + batchScheduler: + type: string + batchSchedulerOptions: + properties: + priorityClassName: + type: string + queue: + type: string + type: object + deps: + properties: + downloadTimeout: + format: int32 + minimum: 1 + type: integer + files: + items: + type: string + type: array + filesDownloadDir: + type: string + jars: + items: + type: string + type: array + jarsDownloadDir: + type: string + maxSimultaneousDownloads: + format: int32 + minimum: 1 + type: integer + pyFiles: + items: + type: string + type: array + type: object + driver: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + 
operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - 
operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + gpu: + properties: + name: + type: string + quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: 
string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + podName: + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + type: string + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + serviceAccount: + type: string + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + 
type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: 
int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + 
runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + executor: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + 
- preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + 
podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + coreRequest: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + gpu: + properties: + name: + type: string + 
quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + instances: + format: int32 + minimum: 1 + type: integer + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + 
type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: 
array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + 
type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + failureRetries: + format: int32 + type: integer + hadoopConf: + additionalProperties: + type: string + type: object + hadoopConfigMap: + type: string + image: + type: string + imagePullPolicy: + type: string + imagePullSecrets: + items: + type: string + type: array + initContainerImage: + type: string + mainApplicationFile: + type: string + mainClass: + type: string + memoryOverheadFactor: + type: string + mode: + enum: + - cluster + - client + type: string + monitoring: 
+ properties: + exposeDriverMetrics: + type: boolean + exposeExecutorMetrics: + type: boolean + metricsProperties: + type: string + prometheus: + properties: + configFile: + type: string + configuration: + type: string + jmxExporterJar: + type: string + port: + format: int32 + maximum: 49151 + minimum: 1024 + type: integer + required: + - jmxExporterJar + type: object + required: + - exposeDriverMetrics + - exposeExecutorMetrics + type: object + nodeSelector: + additionalProperties: + type: string + type: object + pythonVersion: + enum: + - "2" + - "3" + type: string + restartPolicy: + properties: + onFailureRetries: + format: int32 + minimum: 0 + type: integer + onFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + onSubmissionFailureRetries: + format: int32 + minimum: 0 + type: integer + onSubmissionFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + type: + enum: + - Never + - Always + - OnFailure + type: string + type: object + retryInterval: + format: int64 + type: integer + sparkConf: + additionalProperties: + type: string + type: object + sparkConfigMap: + type: string + sparkVersion: + type: string + timeToLiveSeconds: + format: int64 + type: integer + type: + enum: + - Java + - Python + - Scala + - R + type: string + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + 
path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + type: string + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: 
string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + 
downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + required: + - sources + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer 
+ items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - driver + - executor + - mainApplicationFile + - sparkVersion + - type + type: object + required: + - metadata + - spec + type: object + version: v1beta2 + versions: + - name: v1beta2 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/application.yaml new file mode 100644 index 0000000000..3c6d8c3b6c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/application.yaml 
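Review bot: Nothing in this schema constrains the pod-level fields it accepts: `hostNetwork` on `driver` and `executor`, `privileged`, `allowPrivilegeEscalation` and `capabilities.add` under each sidecar's `securityContext`, `hostPath` under `spec.volumes`, and a free-form `driver.serviceAccount`. Presumably the operator turns these fields into pod specs, so permission to create or update `sparkapplications` should be treated as equivalent to creating pods with those settings. The file looks generated and sits under `upstream/`, so I would not edit the schema itself. Instead I would add a comment in this cluster's own overlay, such as `# create/update on sparkapplications is pod-spec-equivalent: grant it as narrowly as pod create and keep pod admission policy enforced in namespaces that run Spark jobs`, and check the RBAC bindings that grant those verbs.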
@@ -0,0 +1,37 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: spark-operator
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: sparkoperator
+ app.kubernetes.io/instance: spark-operator-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: sppark-operator
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ConfigMap
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: SparkOperator
+ descriptor:
+ type: "spark-operator"
+ version: "v1"
+ description: "Spark-operator allows users to create and manage the \"SparkApplication\" custom resource."
+ maintainers:
+ - name: Holden Karau
+ email: holden@pigscanfly.ca
+ owners:
+ - name: Holden Karau
+ email: holden@pigscanfly.ca
+ keywords:
+ - "spark"
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..6a652ddd5f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/spark/spark-operator/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: spark-operator
+ app.kubernetes.io/name: sparkoperator
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/README.md b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/README.md
new file mode 100644
index 0000000000..797b80412b
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/README.md
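Review bot: `app.kubernetes.io/component: sppark-operator` under `spec.selector.matchLabels` in application.yaml looks like a typo. The kustomization.yaml added next to it labels the components `spark-operator`, so this selector would match none of them unless a label transformer configured elsewhere rewrites it. It should read `app.kubernetes.io/component: spark-operator`.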
@@ -0,0 +1,2 @@ +This directory contains examples illustrating how users would leverage kustomize +to do various kubeflow kustomizations. \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/configs/spawner_ui_config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/configs/spawner_ui_config.yaml new file mode 100644 index 0000000000..24a89b6290 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/configs/spawner_ui_config.yaml @@ -0,0 +1,15 @@ +# This is a custom spawnerUiConfig. +# +# It looks like the entire file is replaced; so the user would need to supply a complete +# spawner config. +spawnerFormDefaults: + image: + # The container Image for the user's Jupyter Notebook + # If readonly, this value must be a member of the list below + value: alicerepo/tensorflow-1.14.0-notebook-cpu:v-base-ef41372-1177829795472347138 + # The list of available standard container Images + options: + - alicerepo/tensorflow-1.15.2-notebook-cpu:1.0.0 + - alicerepo/tensorflow-1.15.2-notebook-gpu:1.0.0 + - alicerepo//tensorflow-2.1.0-notebook-cpu:1.0.0 + - alicerepo//tensorflow-2.1.0-notebook-gpu:1.0.0 \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kubeflow-config.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kubeflow-config.yaml new file mode 100644 index 0000000000..8c39c00160 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kubeflow-config.yaml 
@@ -0,0 +1,13 @@ +# This file demonstrates how a user would kustomize +# "global" config like userid-header, userid-prefix etc.. +apiVersion: v1 +kind: ConfigMap +metadata: + # kubelfow-config is the name of the global (as opposed to applicaiton specific + # config map. + name: kubeflow-config +data: + # For GCP we can use these to define GCP + # parameters that should be common across applications + project: alice-gcp + zone: us-east1-d \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kustomization.yaml new file mode 100644 index 0000000000..7b1b11d292 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/alice_gcp/kustomization.yaml @@ -0,0 +1,20 @@ +# This is an example of a kustomize package a user +# might create to kustomize it on GCP +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +generatorOptions: + disableNameSuffixHash: true +resources: +# Users start by inheriting the gcp stack and then customizing it +- ../../gcp +patchesStrategicMerge: +# Patch in modifications to the global config +- kubeflow-config.yaml +configMapGenerator: +- name: jupyter-web-app-config + # TODO(jlewi): I think merge only applies to the keys but not the + # contents of the file; so the entire contents of the file are replaced. + behavior: merge + files: + - configs/spawner_ui_config.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/kfctl_gcp_stacks.experimental.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/kfctl_gcp_stacks.experimental.yaml new file mode 100644 index 0000000000..ee41e69726 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/examples/kfctl_gcp_stacks.experimental.yaml 
@@ -0,0 +1,94 @@ +# An experimental example file for using KFDef with the new specs +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + namespace: kubeflow +spec: + applications: + # One of the primary reasons for splitting out packages into separate kustomize + # directories is when the resources needed to be installed in a different namespace. + # TODO(jlewi): This should be replaced by ACM when its ready. + # Its a separate package because it needs to be in a different namespace + - kustomizeConfig: + repoRef: + name: manifests + path: istio/gcp-1-1-6 + name: istio-stack + # Create Kubeflow specific ISTIO resources. + - kustomizeConfig: + repoRef: + name: manifests + path: istio/istio/base + name: kubeflow-istio + # Install controllers that other applications depend on + # e.g. metacontroller and application controller. + - kustomizeConfig: + repoRef: + name: manifests + path: metacontroller/base + name: metacontroller + - kustomizeConfig: + repoRef: + name: manifests + path: application/v3 + name: application + # Install GCP ingress related packages + - kustomizeConfig: + repoRef: + name: manifests + path: gcp/cloud-endpoints/overlays/application + name: cloud-endpoints + - kustomizeConfig: + repoRef: + name: manifests + path: gcp/iap-ingress/v3 + name: iap-ingress + # Certmanager gets installed in a different namespace so it needs to be a separate package + - kustomizeConfig: + repoRef: + name: manifests + path: cert-manager/cert-manager-crds/base + name: cert-manager-crds + - kustomizeConfig: + repoRef: + name: manifests + path: cert-manager/cert-manager-kube-system-resources/base + name: cert-manager-kube-system-resources + - kustomizeConfig: + repoRef: + name: manifests + path: cert-manager/cert-manager/v3 + name: cert-manager + # Install Kubeflow applications. 
+ - kustomizeConfig: + repoRef: + name: manifests + path: stacks/gcp + name: kubeflow-apps + # Spartakus is a separate applications so that kfctl can remove it + # to disable usage reporting + - kustomizeConfig: + repoRef: + name: manifests + path: common/spartakus/overlays/application + name: spartakus + plugins: + # TODO(jlewi): The plugin is currently commented out because we don't want to run the + # generate logic + - kind: KfGcpPlugin + metadata: + creationTimestamp: null + name: gcp + spec: + createPipelinePersistentStorage: true + deploymentManagerConfig: + repoRef: + name: manifests + path: gcp/deployment_manager_configs + enableWorkloadIdentity: true + skipInitProject: true + useBasicAuth: false + repos: + - name: manifests + uri: https://github.com/jlewi/manifests/archive/stacks.tar.gz + version: master diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/OWNERS b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/OWNERS new file mode 100644 index 0000000000..45ea5b5d30 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/OWNERS @@ -0,0 +1,4 @@ +# Owners file should only contain Googlers +# since these are Google's oppinionated configs. +approvers: +- jlewi diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/config/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/config/params.env new file mode 100644 index 0000000000..680214110d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/config/params.env @@ -0,0 +1,3 @@ +clusterDomain=cluster.local +userid-header=X-Goog-Authenticated-User-Email +userid-prefix=accounts.google.com: diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/kustomization.yaml new file mode 100644 index 0000000000..62fb331564 --- /dev/null 
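Review bot: The `repos` entry in kfctl_gcp_stacks.experimental.yaml fetches `https://github.com/jlewi/manifests/archive/stacks.tar.gz`, a branch archive from a user fork, with `version: master`. What that URL serves can change between runs and nothing checks its integrity, so the manifests applied to the cluster are neither reproducible nor reviewable. Pin the archive to a commit instead, for example `uri: https://github.com/<org>/manifests/archive/<commit-sha>.tar.gz` (placeholder values), and keep `version` consistent with it. Separately, the comment above `- kind: KfGcpPlugin` says the plugin is commented out, but it is active in this hunk; either the comment or the block should change.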
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/stacks/gcp/kustomization.yaml @@ -0,0 +1,41 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: + # List the Kubeflow applications that should be included + # TODO(https://github.com/kubeflow/manifests/issues/1073): + # We need to switch the admission webhook to use cert-manager. + - ../../admission-webhook/webhook/v3 + - ../../common/centraldashboard/overlays/stacks + - ../../gcp/gpu-driver/overlays/application/ + - ../../kubeflow-roles/base + - ../../jupyter/jupyter-web-app/base_v3 + - ../../jupyter/notebook-controller/base_v3 + - ../../profiles/base_v3 + - ../../pytorch-job/pytorch-job-crds/overlays/application + - ../../pytorch-job/pytorch-operator/overlays/application + - ../../tf-training/tf-job-crds/overlays/application + - ../../tf-training/tf-job-operator/overlays/application + # This package will create a profile resource so it needs to be installed after the profiles CR + - ../../default-install/base +configMapGenerator: +- envs: + - ./config/params.env + name: kubeflow-config +vars: +# We need to define vars at the top level otherwise we will get +# conflicts. +- fieldref: + fieldPath: data.clusterDomain + name: clusterDomain + objref: + apiVersion: v1 + kind: ConfigMap + name: kubeflow-config +- fieldref: + fieldPath: metadata.namespace + name: namespace + objref: + apiVersion: v1 + kind: ConfigMap + name: kubeflow-config \ No newline at end of file diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..3f62bcacd9 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role-binding.yaml 
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-dashboard-minimal
+subjects:
+ - kind: ServiceAccount
+ name: tekton-dashboard
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tekton-dashboard-minimal
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role.yaml
new file mode 100644
index 0000000000..adaccf9291
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/cluster-role.yaml
@@ -0,0 +1,38 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-dashboard-minimal
+rules:
+ - apiGroups: ["security.openshift.io"]
+ resources: ["securitycontextconstraints"]
+ verbs: ["use"]
+ - apiGroups: ["extensions", "apps"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "list", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: [""]
+ resources: ["pods/log", "namespaces", "events"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps"]
+ verbs: ["get", "list", "create", "update", "watch", "delete"]
+ - apiGroups: ["extensions", "apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["tekton.dev"]
+ resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["tekton.dev"]
+ resources: ["taskruns/finalizers", "pipelineruns/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["tekton.dev"]
+ resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["dashboard.tekton.dev"]
+ resources: ["extensions"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/crds.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/crds.yaml
new file mode 100644
index 0000000000..5424cac40e
--- /dev/null
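Review bot: The `secrets`/`configmaps` rule in this ClusterRole gives the dashboard's service account get, list, create, update, watch and delete on every Secret in the cluster, which does not fit the name `tekton-dashboard-minimal`. cluster-role-binding.yaml binds it with a ClusterRoleBinding, so a compromise of the web dashboard exposes credentials stored in Secrets in all namespaces; the write rules on `pods`, `services` and `deployments` have the same cluster-wide scope. Consider granting these through a Role and RoleBinding in only the namespaces the dashboard should manage, and reducing the secrets rule to `verbs: ["get", "list", "watch"]` or dropping it if the deployment does not need it. The file sits under upstream/, so the change may have to be carried as an overlay patch rather than edited in place.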
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/crds.yaml @@ -0,0 +1,18 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: extensions.dashboard.tekton.dev +spec: + group: dashboard.tekton.dev + names: + kind: Extension + plural: extensions + categories: + - all + - tekton-pipelines + scope: Namespaced + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + version: v1alpha1 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/deployment.yaml new file mode 100644 index 0000000000..c04d07f552 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/deployment.yaml @@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-dashboard +spec: + replicas: 1 + template: + metadata: + name: tekton-dashboard + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: tekton-dashboard + image: gcr.io/tekton-nightly/dashboard@sha256:e3e63e7a5e11a14927008cf61f6e6a1bfc36e9e13608e9c044570c162198f01d + ports: + - containerPort: 9097 + livenessProbe: + httpGet: + path: /health + port: 9097 + readinessProbe: + httpGet: + path: /readiness + port: 9097 + resources: + env: + - name: PORT + value: "9097" + - name: WEB_RESOURCES_DIR + value: /var/run/ko/web + - name: PIPELINE_RUN_SERVICE_ACCOUNT + value: "" + - name: INSTALLED_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + serviceAccountName: tekton-dashboard 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/kustomization.yaml new file mode 100644 index 0000000000..91ad89c53e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crds.yaml +- service-account.yaml +- cluster-role.yaml +- cluster-role-binding.yaml +- deployment.yaml +- task.yaml +- pipeline.yaml +- service.yaml +namespace: tekton-pipelines +images: +- name: gcr.io/tekton-nightly/dashboard + newName: gcr.io/tekton-nightly/dashboard + digest: sha256:e3e63e7a5e11a14927008cf61f6e6a1bfc36e9e13608e9c044570c162198f01d diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/pipeline.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/pipeline.yaml new file mode 100644 index 0000000000..b7e1d6f69e --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/pipeline.yaml 
@@ -0,0 +1,33 @@ +apiVersion: tekton.dev/v1alpha1 +kind: Pipeline +metadata: + name: pipeline0 +spec: + resources: + - name: git-source + type: git + params: + - name: pathToResourceFiles + description: The path to the resource files to apply + default: /workspace/git-source + - name: apply-directory + description: The directory from which resources are to be applied + default: "." + - name: target-namespace + description: The namespace in which to create the resources being imported + default: tekton-pipelines + tasks: + - name: pipeline0-task + taskRef: + name: pipeline0-task + params: + - name: pathToResourceFiles + value: ${params.pathToResourceFiles} + - name: apply-directory + value: ${params.apply-directory} + - name: target-namespace + value: ${params.target-namespace} + resources: + inputs: + - name: git-source + resource: git-source diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service-account.yaml new file mode 100644 index 0000000000..7042d07f99 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-dashboard diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service.yaml new file mode 100644 index 0000000000..9bfa10eccb --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/service.yaml @@ -0,0 +1,10 @@ +kind: Service +apiVersion: v1 +metadata: + name: tekton-dashboard +spec: + ports: + - name: http + protocol: TCP + port: 9097 + targetPort: 9097 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/task.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/task.yaml
new file mode 100644
index 0000000000..58f001a432
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/base/task.yaml
@@ -0,0 +1,30 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+ name: pipeline0-task
+spec:
+ inputs:
+ resources:
+ - name: git-source
+ type: git
+ params:
+ - name: pathToResourceFiles
+ description: The path to the resource files to apply
+ default: /workspace/git-source
+ - name: apply-directory
+ description: The directory from which resources are to be applied
+ default: "."
+ - name: target-namespace
+ description: The namespace in which to create the resources being imported
+ default: tekton-pipelines
+ steps:
+ - name: kubectl-apply
+ image: lachlanevenson/k8s-kubectl
+ command:
+ - kubectl
+ args:
+ - apply
+ - -f
+ - ${inputs.params.pathToResourceFiles}/${inputs.params.apply-directory}
+ - -n
+ - ${inputs.params.target-namespace}
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/application.yaml
new file mode 100644
index 0000000000..787437d089
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/application.yaml
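Review bot: The `kubectl-apply` step in task.yaml uses `image: lachlanevenson/k8s-kubectl` with no tag or digest, so each run pulls whatever that third-party repository currently publishes as its default tag. That container then runs `kubectl apply` against the cluster with the task's service-account credentials. The dashboard image in this same package is pinned by `sha256` digest; do the same here, for example `image: lachlanevenson/k8s-kubectl@sha256:<digest-of-reviewed-image>` (placeholder), or mirror a reviewed kubectl image into a registry the project controls.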
@@ -0,0 +1,33 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: $(generateName) +spec: + componentKinds: + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: tekton.dev + kind: Pipeline + - group: tekton.dev + kind: Task + descriptor: + type: tektoncd-dashboard + version: v1beta1 + description: installs tektoncd pipeline dashboard + maintainers: + - name: Kam Kasravi + email: kam.d.kasravi@intel.com + owners: + - name: Kam Kasravi + email: kam.d.kasravi@intel.com + keywords: + - tektoncd-dashboard + - kubeflow + links: + - description: About + url: "https://kubeflow.org" + addOwnerRef: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..5ad6da134f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app: tekton-dashboard + app.kubernetes.io/component: tektoncd + app.kubernetes.io/name: tektoncd-dashboard +configMapGenerator: +- env: params.env + name: tektoncd-dashboard-app-parameters +configurations: +- params.yaml +kind: Kustomization +resources: +- application.yaml +vars: +- fieldref: + fieldPath: data.generateName + name: generateName + objref: + apiVersion: v1 + kind: ConfigMap + name: tektoncd-dashboard-app-parameters diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.env new file mode 100644 index 0000000000..115937b9f8 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.env @@ -0,0 +1 @@ +generateName= diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.yaml new file mode 100644 index 0000000000..a8d8a85fde --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/application/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: metadata/name + kind: Application +- path: spec/selector/app.kubernetes.io\/instance + kind: Service +- path: spec/selector/matchLabels/app.kubernetes.io\/instance + kind: Deployment +- path: spec/template/metadata/labels/app.kubernetes.io\/instance + kind: Deployment diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..ca6e17d28c --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/kustomization.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configMapGenerator: +- name: tektoncd-dashboard-parameters + env: params.env +vars: +- name: namespace + objref: + kind: ConfigMap + name: tektoncd-dashboard-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +- name: clusterDomain + objref: + kind: ConfigMap + name: tektoncd-dashboard-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +configurations: +- params.yaml 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.env
new file mode 100644
index 0000000000..5023b1c25f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.env
@@ -0,0 +1,2 @@
+namespace=
+clusterDomain=cluster.local
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.yaml
new file mode 100644
index 0000000000..eea869e0d4
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+ kind: VirtualService
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/virtual-service.yaml
new file mode 100644
index 0000000000..5ddba28475
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-dashboard/overlays/istio/virtual-service.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: tektoncd-dashboard
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /tektoncd-dashboard
+ rewrite:
+ uri: /tektoncd-dashboard
+ route:
+ - destination:
+ host: tekton-dashboard.$(namespace).svc.$(clusterDomain)
+ port:
+ number: 80
+ timeout: 300s
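Review bot: The route destination in virtual-service.yaml uses `number: 80`, but service.yaml in the base exposes `tekton-dashboard` only on port 9097, so as written the route has no matching service port; it should be `number: 9097`. Separately, this publishes the dashboard on `kubeflow-gateway` for `hosts: '*'` while deployment.yaml sets `sidecar.istio.io/inject: "false"`, so no sidecar policy protects the pod and authentication has to be enforced at the gateway. Given the cluster-wide rights bound to the dashboard's service account, confirm that the gateway's IAP/JWT policy covers the `/tektoncd-dashboard` prefix before this overlay is enabled.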
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..1583bcc3c8
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelines-controller-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tekton-pipelines-admin
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-controller
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role.yaml
new file mode 100644
index 0000000000..68c6b9f3c7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/cluster-role.yaml
@@ -0,0 +1,166 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-pipelines-admin +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + - namespaces + - secrets + - events + - serviceaccounts + - configmaps + - persistentvolumeclaims + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - tekton.dev + resources: + - tasks + - clustertasks + - taskruns + - pipelines + - pipelineruns + - pipelineresources + - conditions + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - tekton.dev + resources: + - taskruns/finalizers + - pipelineruns/finalizers + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - tekton.dev + resources: + - tasks/status + - clustertasks/status + - taskruns/status + - pipelines/status + - pipelineruns/status + - pipelineresources/status + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - policy + resourceNames: + - tekton-pipelines + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: tekton-aggregate-edit +rules: +- apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - pipelineresources + - conditions + verbs: + - create + - delete + - 
deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: tekton-aggregate-view +rules: +- apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - pipelineresources + - conditions + verbs: + - get + - list + - watch +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/config-map.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/config-map.yaml new file mode 100644 index 0000000000..0b18762b5d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/config-map.yaml 
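Review bot: The `mutatingwebhookconfigurations` rule in `tekton-pipelines-admin` carries get/list/create/update/delete/patch/watch with no `resourceNames`, so the controller's service account can modify or replace any mutating admission webhook in the cluster, not only Tekton's own. The `podsecuritypolicies` rule at the end of the same role already shows the narrower form. Add the equivalent to the webhook rule, for example `resourceNames: ["<tekton-webhook-configuration-name>"]` (placeholder; `create` cannot be restricted by name and would need its own rule). The first rule also grants write verbs on `secrets` and `serviceaccounts` in every namespace through the ClusterRoleBinding in cluster-role-binding.yaml; check whether the controller needs that beyond the namespaces where pipelines run.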
@@ -0,0 +1,110 @@ +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + name: config-artifact-bucket +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + name: config-artifact-pvc +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # default-timeout-minutes contains the default number of + # minutes to use for TaskRun and PipelineRun, if none is specified. + default-timeout-minutes: "60" # 60 minutes +kind: ConfigMap +metadata: + name: config-defaults +--- +apiVersion: v1 +data: + loglevel.controller: info + loglevel.webhook: info + zap-logger-config: | + { + "level": "info", + "development": false, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "", + "levelKey": "level", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "msg", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "", + "durationEncoder": "", + "callerEncoder": "" + } + } +kind: ConfigMap +metadata: + name: config-logging +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. 
+ # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using Stackdriver will incur additional charges. + metrics.backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used and metrics will be sent to the cluster's project if this field is + # not provided. + metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed + # to send metrics to Stackdriver using "global" resource type and custom + # metric type. Setting this flag to "true" could cause extra Stackdriver + # charge. If metrics.backend-destination is not Stackdriver, this is + # ignored. + metrics.allow-stackdriver-custom-metrics: "false" +kind: ConfigMap +metadata: + name: config-observability +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/crds.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/crds.yaml new file mode 100644 index 0000000000..0838645338 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/crds.yaml 
@@ -0,0 +1,174 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clustertasks.tekton.dev +spec: + group: tekton.dev + names: + categories: + - all + - tekton-pipelines + kind: ClusterTask + plural: clustertasks + scope: Cluster + subresources: + status: {} + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: conditions.tekton.dev +spec: + group: tekton.dev + names: + categories: + - all + - tekton-pipelines + kind: Condition + plural: conditions + scope: Namespaced + subresources: + status: {} + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + name: images.caching.internal.knative.dev +spec: + group: caching.internal.knative.dev + names: + categories: + - knative-internal + - caching + kind: Image + plural: images + shortNames: + - img + singular: image + scope: Namespaced + subresources: + status: {} + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pipelines.tekton.dev +spec: + group: tekton.dev + names: + categories: + - all + - tekton-pipelines + kind: Pipeline + plural: pipelines + scope: Namespaced + subresources: + status: {} + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pipelineruns.tekton.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - JSONPath: .status.conditions[?(@.type=="Succeeded")].reason + name: Reason + type: string + - JSONPath: .status.startTime + name: StartTime + type: date + - JSONPath: .status.completionTime + name: CompletionTime + type: date + group: tekton.dev + names: + categories: + - all + - tekton-pipelines + kind: PipelineRun + plural: pipelineruns + shortNames: + - pr + - prs + scope: 
Namespaced + subresources: + status: {} + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pipelineresources.tekton.dev +spec: + group: tekton.dev + names: + categories: + - all + - tekton-pipelines + kind: PipelineResource + plural: pipelineresources + scope: Namespaced + subresources: + status: {} + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev +spec: + group: tekton.dev + names: + categories: + - all + - tekton-pipelines + kind: Task + plural: tasks + scope: Namespaced + subresources: + status: {} + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: taskruns.tekton.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - JSONPath: .status.conditions[?(@.type=="Succeeded")].reason + name: Reason + type: string + - JSONPath: .status.startTime + name: StartTime + type: date + - JSONPath: .status.completionTime + name: CompletionTime + type: date + group: tekton.dev + names: + categories: + - all + - tekton-pipelines + kind: TaskRun + plural: taskruns + shortNames: + - tr + - trs + scope: Namespaced + subresources: + status: {} + version: v1alpha1 +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/deployment.yaml new file mode 100644 index 0000000000..267a4ab915 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/deployment.yaml 
@@ -0,0 +1,109 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+# labels:
+# app.kubernetes.io/component: controller
+# app.kubernetes.io/name: tekton-pipelines
+ name: tekton-pipelines-controller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tekton-pipelines-controller
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: tekton-pipelines-controller
+# app.kubernetes.io/component: controller
+# app.kubernetes.io/name: tekton-pipelines
+ spec:
+ containers:
+ - args:
+ - -logtostderr
+ - -stderrthreshold
+ - INFO
+ - -kubeconfig-writer-image
+ - $(registry)/$(kubeconfigwriter)
+ - -creds-image
+ - $(registry)/$(creds-init)
+ - -git-image
+ - $(registry)/$(git-init)
+ - -nop-image
+ - $(registry)/$(nop)
+ - -bash-noop-image
+ - $(registry)/$(bash)
+ - -gsutil-image
+ - $(registry)/$(gsutil)
+ - -entrypoint-image
+ - $(registry)/$(entrypoint)
+ - -imagedigest-exporter-image
+ - $(registry)/$(imagedigestexporter)
+ - -pr-image
+ - $(registry)/$(pullrequest-init)
+ - -build-gcs-fetcher-image
+ - $(registry)/$(gcs-fetcher)
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ image: $(registry)/$(controller)
+ name: tekton-pipelines-controller
+ volumeMounts:
+ - mountPath: /etc/config-logging
+ name: config-logging
+ serviceAccountName: tekton-pipelines-controller
+ volumes:
+ - configMap:
+ name: config-logging
+ name: config-logging
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+# labels:
+# app.kubernetes.io/component: webhook-controller
+# app.kubernetes.io/name: tekton-pipelines
+ name: tekton-pipelines-webhook
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tekton-pipelines-webhook
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: tekton-pipelines-webhook
+# app.kubernetes.io/component: webhook-controller
+# app.kubernetes.io/name: tekton-pipelines
+ spec:
+ containers:
+ - env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: $(registry)/$(webhook)
+ name: webhook
+ volumeMounts:
+ - mountPath: /etc/config-logging
+ name: config-logging
+ serviceAccountName: tekton-pipelines-controller
+ volumes:
+ - configMap:
+ name: config-logging
+ name: config-logging
+---
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/kustomization.yaml
new file mode 100644
index 0000000000..9653a80c43
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/kustomization.yaml
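Review bot: The `tekton-pipelines-webhook` Deployment at the end of this hunk sets `serviceAccountName: tekton-pipelines-controller`, so the admission webhook runs with whatever the cluster-role binding listed in the kustomization grants the controller (that binding is not shown in this hunk). A dedicated ServiceAccount for the webhook, bound only to what it needs, would keep the two workloads' privileges apart. Neither container sets a `securityContext` or `resources`, so adding `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true}` would be worth trying if the images support a non-root user. Because the file sits under `upstream/`, these changes are probably better carried as a kustomize patch in the cluster overlay than as edits to the vendored copy.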
@@ -0,0 +1,119 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace.yaml
+- crds.yaml
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- config-map.yaml
+- pod-security-policy.yaml
+- service-account.yaml
+- service.yaml
+- deployment.yaml
+namespace: tekton-pipelines
+configMapGenerator:
+- name: tektoncd-parameters
+ env: params.env
+generatorOptions:
+ disableNameSuffixHash: true
+vars:
+- name: registry
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.registry
+- name: entrypoint
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.entrypoint
+- name: nop
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.nop
+- name: webhook
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.webhook
+- name: gcs-fetcher
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.gcs-fetcher
+- name: gsutil
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.gsutil
+- name: bash
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.bash
+- name: git-init
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.git-init
+- name: creds-init
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.creds-init
+- name: pullrequest-init
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.pullrequest-init
+- name: imagedigestexporter
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.imagedigestexporter
+- name: kubeconfigwriter
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.kubeconfigwriter
+- name: controller
+ objref:
+ kind: ConfigMap
+ name: tektoncd-parameters
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.controller
+configurations:
+- params.yaml
+images:
+- name: $(registry)/$(controller)
+ newName: $(registry)/$(controller)
+ newTag: latest
+- name: $(registry)/$(webhook)
+ newName: $(registry)/$(webhook)
+ newTag: latest
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/namespace.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/namespace.yaml
new file mode 100644
index 0000000000..5439a25ef3
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tekton-pipelines
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.env
new file mode 100644
index 0000000000..af5323bc2f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.env
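Review bot: The `images:` block at the end of the kustomization hunk sets `newTag: latest` for `$(registry)/$(controller)` and `$(registry)/$(webhook)`, while `params.env` in this commit pins both images by `@sha256:` digest. A mutable tag next to a digest either has no effect or, depending on the order in which kustomize applies the image and var transforms, changes the rendered reference; I have not confirmed which. I would drop the two `images:` entries so the digest from `params.env` is the only source of the image reference, and check that the `image:` fields in the `kustomize build` output end in the expected digests.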
@@ -0,0 +1,13 @@ +registry=gcr.io/tekton-releases +webhook=github.com/tektoncd/pipeline/cmd/webhook@sha256:7215a25a58c074bbe30a50db93e6a47d2eb5672f9af7570a4e4ab75e50329131 +nop=github.com/tektoncd/pipeline/cmd/nop@sha256:b372d0cb991cb960854880957c93c460d35e75339016ca6472b5ea2955f08dcb +entrypoint=github.com/tektoncd/pipeline/cmd/entrypoint@sha256:ac46866bd14ac38960c6aa100ee7468e707a955324ea4c88ce8d39b8cdfee11e +gsutil=github.com/tektoncd/pipeline/cmd/gsutil@sha256:c404edde7ec5ccf550784f2d71ea4b184ec1378329bdad316e26bce81d5f466c +gcs-fetcher=github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher@sha256:7741f416742ac14744e8c8d0c1a628ce93d801dadfdb1ff9da8a4b9df4d6573c +bash=github.com/tektoncd/pipeline/cmd/bash@sha256:d101b69175e60cf43956ba850ec62c2db8eead17d3aa9cfb40ad7f7f3f6a3f53 +creds-init=github.com/tektoncd/pipeline/cmd/creds-init@sha256:beff30d239273c4986b2e8f9d26a23cc84cc4ffda074e4e83f1cc50905c2d3da +git-init=github.com/tektoncd/pipeline/cmd/git-init@sha256:b0e6fb4f8fdd6728c6ff5bd63be30e04f88f103b9a1e972e204125aeb6a04d33 +pullrequest-init=github.com/tektoncd/pipeline/cmd/pullrequest-init@sha256:c7e2a8178bc3e87405303212290836de9f781409fd60cee25cac1383aaa76f1b +imagedigestexporter=github.com/tektoncd/pipeline/cmd/imagedigestexporter@sha256:04e1eda72b3db4e4b12cc4caa2c01f33384ba80702a4dd8c41a1a940e0d69296 +kubeconfigwriter=github.com/tektoncd/pipeline/cmd/kubeconfigwriter@sha256:8f8aee782bb47d7436c40e5b10a19966b21d00e1d35d2f3cd8713e206ce24841 +controller=github.com/tektoncd/pipeline/cmd/controller@sha256:ebc6f768038aa3e31f3d7acda4bc26bf1380b5f2a132f0618181cacc30e295fa diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.yaml new file mode 100644 index 0000000000..3d38939728 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/template/spec/containers/image
+ kind: Deployment
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/pod-security-policy.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/pod-security-policy.yaml
new file mode 100644
index 0000000000..e406af0811
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/pod-security-policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: tekton-pipelines
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: false
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - emptyDir
+ - configMap
+ - secret
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service-account.yaml
new file mode 100644
index 0000000000..2f2da31b58
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-pipelines-controller
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service.yaml
new file mode 100644
index 0000000000..ac6d46d7dc
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/base/service.yaml
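Review bot: In the PodSecurityPolicy hunk, `runAsUser: rule: RunAsAny` admits containers running as UID 0, and the policy has no `requiredDropCapabilities` or `readOnlyRootFilesystem`, so `privileged: false` and `allowPrivilegeEscalation: false` are the only container-level limits it imposes. If the Tekton controller and webhook images run as a non-root user (not visible here), `rule: MustRunAsNonRoot` under `runAsUser` and `requiredDropCapabilities: [ALL]` would tighten it. The policy only applies to service accounts that are granted `use` on it, which depends on `cluster-role.yaml`, outside this hunk.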
@@ -0,0 +1,29 @@ +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: tekton-pipelines-controller + name: tekton-pipelines-controller +spec: + ports: + - name: metrics + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: tekton-pipelines-controller +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: tekton-pipelines-webhook + name: tekton-pipelines-webhook +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + app: tekton-pipelines-webhook +--- diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/application.yaml new file mode 100644 index 0000000000..7c1ca672a4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/application.yaml @@ -0,0 +1,24 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: $(generateName) +spec: + componentKinds: + - group: app.k8s.io + kind: Application + descriptor: + type: tektoncd-install + version: v1beta1 + description: installs tektoncd pipeline + maintainers: + - name: Kam Kasravi + email: kam.d.kasravi@intel.com + owners: + - name: Kam Kasravi + email: kam.d.kasravi@intel.com + keywords: + - kubeflow + links: + - description: About + url: "https://kubeflow.org" + addOwnerRef: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..497945b541 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/kustomization.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: kubeflow + app.kubernetes.io/name: tektoncd-install +configMapGenerator: +- env: params.env + name: tektoncd-install-parameters +configurations: +- params.yaml +kind: Kustomization +resources: +- application.yaml +vars: +- fieldref: + fieldPath: data.generateName + name: generateName + objref: + apiVersion: v1 + kind: ConfigMap + name: tektoncd-install-parameters diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.env new file mode 100644 index 0000000000..115937b9f8 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.env @@ -0,0 +1 @@ +generateName= diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.yaml new file mode 100644 index 0000000000..a8d8a85fde --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/application/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: metadata/name + kind: Application +- path: spec/selector/app.kubernetes.io\/instance + kind: Service +- path: spec/selector/matchLabels/app.kubernetes.io\/instance + kind: Deployment +- path: spec/template/metadata/labels/app.kubernetes.io\/instance + kind: Deployment diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..49616ef259 --- /dev/null 
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/kustomization.yaml @@ -0,0 +1,28 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configMapGenerator: +- name: tektoncd-install-istio-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: clusterDomain + objref: + kind: ConfigMap + name: tektoncd-install-istio-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +- name: namespace + objref: + kind: ConfigMap + name: tektoncd-install-istio-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +configurations: +- params.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.env new file mode 100644 index 0000000000..5023b1c25f --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.env @@ -0,0 +1,2 @@ +namespace= +clusterDomain=cluster.local diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000000..173d7b333b 
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tektoncd/tektoncd-install/overlays/istio/virtual-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: tektoncd
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - match:
+ - uri:
+ prefix: /tektoncd/
+ rewrite:
+ uri: /tektoncd/
+ route:
+ - destination:
+ host: tekton-pipelines-controller.$(namespace).svc.$(clusterDomain)
+ port:
+ number: 80
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/deployment.yaml
new file mode 100644
index 0000000000..12a856d24c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: tensorboard
+ name: tensorboard
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: tensorboard
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - args:
+ - --logdir=logs
+ - --port=6006
+ command:
+ - /usr/local/bin/tensorboard
+ image: tensorflow/tensorflow:1.8.0
+ imagePullPolicy: IfNotPresent
+ name: tensorboard
+ ports:
+ - containerPort: 6006
+ resources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: "1"
+ memory: 1Gi
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/kustomization.yaml
new file mode 100644
index 0000000000..3cff0b6ba0
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/kustomization.yaml
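Review bot: The `tektoncd` VirtualService routes `/tektoncd/` to `tekton-pipelines-controller.$(namespace).svc.$(clusterDomain)` on `number: 80`, but `base/service.yaml` in this commit gives that Service a single port, `9090` named `metrics`, so the route has no matching port, and pointing it at 9090 would publish the controller's metrics endpoint through `kubeflow-gateway`. The controller pod also sets `sidecar.istio.io/inject: "false"`, so any authentication for this path has to come from the gateway policy, which the commit description says is being changed to validate Dialogflow and IAP requests differently. I would leave the `istio` overlay out of the cluster's kustomization unless something is meant to be served here, and confirm that the ingress JWT policy still covers every prefix bound to `hosts: '*'`; the same check applies to the `tensorboard` VirtualService (`/tensorboard/tensorboard/` to port 9000) later in the diff.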
@@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- deployment.yaml +- service.yaml +commonLabels: + kustomize.component: tensorboard +configMapGenerator: +- name: parameters + env: params.env +vars: +- name: namespace + objref: + kind: Service + name: tensorboard + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +- name: clusterDomain + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +configurations: +- params.yaml +images: +- name: tensorflow/tensorflow + newName: tensorflow/tensorflow + newTag: 1.8.0 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.env new file mode 100644 index 0000000000..48ef6be18d --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.env 
@@ -0,0 +1,27 @@ +# GCP +# @optionalParam logDir string logs Name of the log directory holding the TF events file +# @optionalParam targetPort number 6006 Name of the targetPort +# @optionalParam servicePort number 9000 Name of the servicePort +# @optionalParam serviceType string ClusterIP The service type for Jupyterhub. +# @optionalParam defaultTbImage string tensorflow/tensorflow:1.8.0 default tensorboard image to use +# @optionalParam gcpCredentialSecretName string null Name of the k8s secrets containing gcp credentials +# AWS +# @optionalParam logDir string logs Name of the log directory holding the TF events file +# @optionalParam targetPort number 6006 Name of the targetPort +# @optionalParam servicePort number 9000 Name of the servicePort +# @optionalParam serviceType string ClusterIP The service type for tensorboard service +# @optionalParam defaultTbImage string tensorflow/tensorflow:1.8.0 default tensorboard image to use +# @optionalParam s3Enabled string false Whether or not to use S3 +# @optionalParam s3SecretName string null Name of the k8s secrets containing S3 credentials +# @optionalParam s3SecretAccesskeyidKeyName string null Name of the key in the k8s secret containing AWS_ACCESS_KEY_ID +# @optionalParam s3SecretSecretaccesskeyKeyName string null Name of the key in the k8s secret containing AWS_SECRET_ACCESS_KEY +# @optionalParam s3AwsRegion string us-west-1 S3 region +# @optionalParam s3UseHttps string true Whether or not to use https +# @optionalParam s3VerifySsl string true Whether or not to verify https certificates for S3 connections +# @optionalParam s3Endpoint string s3.us-west-1.amazonaws.com URL for your s3-compatible endpoint +# @optionalParam efsEnabled string false Whether or not to use EFS +# @optionalParam efsPvcName string null Name of the Persistent Volume Claim used for EFS +# @optionalParam efsVolumeName string null Name of the Volume to mount to the pod +# @optionalParam efsMountPath string null Where to mount the EFS Volume 
+namespace= +clusterDomain=cluster.local diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.yaml new file mode 100644 index 0000000000..c8de9ba235 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: metadata/annotations/getambassador.io\/config + kind: Service diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/service.yaml new file mode 100644 index 0000000000..086dd27185 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/base/service.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: tb-mapping-tensorboard-get + prefix: /tensorboard/ tensorboard/ + rewrite: / + method: GET + service: tensorboard.$(namespace):9000 + labels: + app: tensorboard + name: tensorboard +spec: + ports: + - name: tb + port: 9000 + targetPort: 6006 + selector: + app: tensorboard + type: ClusterIP diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/kustomization.yaml new file mode 100644 index 0000000000..fcd00db904 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configurations: +- params.yaml 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/params.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/params.yaml new file mode 100644 index 0000000000..eea869e0d4 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/virtual-service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000000..b0068b6916 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tensorboard/overlays/istio/virtual-service.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: tensorboard +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /tensorboard/tensorboard/ + rewrite: + uri: / + route: + - destination: + host: tensorboard.$(namespace).svc.$(clusterDomain) + port: + number: 9000 diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/crd.yaml new file mode 100644 index 0000000000..b693c4069b --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/crd.yaml 
@@ -0,0 +1,47 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tfjobs.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: State + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + names: + kind: TFJob + plural: tfjobs + singular: tfjob + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + tfReplicaSpecs: + properties: + Chief: + properties: + replicas: + maximum: 1 + minimum: 1 + type: integer + PS: + properties: + replicas: + minimum: 1 + type: integer + Worker: + properties: + replicas: + minimum: 1 + type: integer + versions: + - name: v1 + served: true + storage: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/kustomization.yaml new file mode 100644 index 0000000000..6e120e7b63 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/application.yaml new file mode 100644 index 0000000000..fca72d2d27 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/application.yaml 
@@ -0,0 +1,42 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: tf-job-crds +spec: + selector: + matchLabels: + app.kubernetes.io/name: tf-job-crds + app.kubernetes.io/instance: tf-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: tfjob + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: TFJob + descriptor: + type: "tf-job-crds" + version: "v1" + description: "Tf-job-crds contains the \"TFJob\" custom resource definition." + maintainers: + - name: Richard Liu + email: ricliu@google.com + owners: + - name: Richard Liu + email: ricliu@google.com + keywords: + - "tfjob" + - "tf-operator" + - "tf-training" + links: + - description: About + url: "https://github.com/kubeflow/tf-operator" + - description: Docs + url: "https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/" + addOwnerRef: true diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000000..ae51ba2708 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-crds/overlays/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../base +commonLabels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/name: tf-job-crds +kind: Kustomization +resources: +- application.yaml diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role-binding.yaml new file mode 100644 index 0000000000..e05aad7fc4 
--- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role-binding.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: tf-job-operator + name: tf-job-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tf-job-operator +subjects: +- kind: ServiceAccount + name: tf-job-operator diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role.yaml new file mode 100644 index 0000000000..444db13b41 --- /dev/null +++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/cluster-role.yaml 
@@ -0,0 +1,96 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: tf-job-operator
+ name: tf-job-operator
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs
+ - tfjobs/status
+ - tfjobs/finalizers
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - events
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - deployments
+ verbs:
+ - '*'
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-tfjobs-admin
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true"
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-tfjobs-edit
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs
+ - tfjobs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeflow-tfjobs-view
+ labels:
+ rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
+rules:
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs
+ - tfjobs/status
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/deployment.yaml
new file mode 100644
index 0000000000..10b2917878
--- /dev/null
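Review bot: The first ClusterRole, `tf-job-operator`, grants the verb `'*'` on `customresourcedefinitions` and on `pods`, `services`, `endpoints`, `events` and `deployments` in every namespace, and cluster-role-binding.yaml binds it to the operator's ServiceAccount, so a compromise of that one pod reaches every CRD and workload in the cluster. Enumerating the verbs would bound that: for the CRD rule something like `verbs: ["get", "list", "watch"]` if the operator only needs to check that the TFJob CRD exists (the CRD itself is shipped by tf-job-crds; confirm against the operator), and an explicit `get`/`list`/`watch`/`create`/`update`/`patch`/`delete` list for the workload rules. This document is also still on `rbac.authorization.k8s.io/v1beta1` while the three aggregate roles below it use `v1`. If the directory has to stay a verbatim upstream copy, the same tightening can be carried as an overlay patch.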
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/deployment.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tf-job-operator
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ name: tf-job-operator
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - args:
+ - --alsologtostderr
+ - -v=1
+ - --monitoring-port=8443
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ image: gcr.io/kubeflow-images-public/tf_operator:kubeflow-tf-operator-postsubmit-v1-5adee6f-6109-a25c
+ name: tf-job-operator
+ serviceAccountName: tf-job-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/kustomization.yaml
new file mode 100644
index 0000000000..a2f136902e
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- deployment.yaml
+- service-account.yaml
+- service.yaml
+commonLabels:
+ kustomize.component: tf-job-operator
+images:
+- name: gcr.io/kubeflow-images-public/tf_operator
+ newName: gcr.io/kubeflow-images-public/tf_operator
+ newTag: vmaster-gd455e6ef
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/params.env
new file mode 100644
index 0000000000..ce6615ad6c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/params.env
@@ -0,0 +1 @@
+namespace=
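Review bot: The operator image in deployment.yaml is referenced only by tag, and the kustomization.yaml beside it rewrites that tag from `kubeflow-tf-operator-postsubmit-v1-5adee6f-6109-a25c` to `vmaster-gd455e6ef`, so the Deployment as written is not what gets applied and neither reference is immutable. Pinning by digest in the `images:` entry (`digest: sha256:<digest of the reviewed image>`) would make the deployed bits reviewable; the xgboost-operator base added later in this patch has the same pattern (`:v1.0` rewritten to `8e29825`, with `imagePullPolicy: Always`). The container also has no `securityContext`; for a controller bound to a ClusterRole, `allowPrivilegeEscalation: false` and dropped capabilities are a reasonable default, to be confirmed against the image.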
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service-account.yaml
new file mode 100644
index 0000000000..c7be4e33e6
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service-account.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: tf-job-dashboard
+ name: tf-job-dashboard
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: tf-job-operator
+ name: tf-job-operator
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service.yaml
new file mode 100644
index 0000000000..97f92e3ea1
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/base/service.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8443"
+ labels:
+ app: tf-job-operator
+ name: tf-job-operator
+spec:
+ ports:
+ - name: monitoring-port
+ port: 8443
+ targetPort: 8443
+ selector:
+ name: tf-job-operator
+ type: ClusterIP
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/application.yaml
new file mode 100644
index 0000000000..7ca46fb0c7
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/application.yaml
@@ -0,0 +1,42 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: tf-job-operator
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: tf-job-operator
+ app.kubernetes.io/instance: tf-job-operator-v0.7.0
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/part-of: kubeflow
+ app.kubernetes.io/version: v0.7.0
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: apps
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: kubeflow.org
+ kind: TFJob
+ descriptor:
+ type: "tf-job-operator"
+ version: "v1"
+ description: "Tf-operator allows users to create and manage the \"TFJob\" custom resource."
+ maintainers:
+ - name: Richard Liu
+ email: ricliu@google.com
+ owners:
+ - name: Richard Liu
+ email: ricliu@google.com
+ keywords:
+ - "tfjob"
+ - "tf-operator"
+ - "tf-training"
+ links:
+ - description: About
+ url: "https://github.com/kubeflow/tf-operator"
+ - description: Docs
+ url: "https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/"
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..418c718035
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/tf-training/tf-job-operator/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: tfjob
+ app.kubernetes.io/name: tf-job-operator
+kind: Kustomization
+resources:
+- application.yaml
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role-binding.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role-binding.yaml
new file mode 100644
index 0000000000..f7fe51dff5
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-role
+subjects:
+- kind: ServiceAccount
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role.yaml
new file mode 100644
index 0000000000..6c252e8c6f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/cluster-role.yaml
@@ -0,0 +1,75 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-role
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - deployments/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - xgboostjob.kubeflow.org
+ resources:
+ - xgboostjobs
+ - xgboostjobs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - namespaces
+ - persistentvolumeclaims
+ - pods
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/crd.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/crd.yaml
new file mode 100644
index 0000000000..e8ce939091
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/crd.yaml
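Review bot: The core-group rule gives the operator `create`, `update`, `patch` and `delete` on `secrets` and `namespaces` cluster-wide, and the `admissionregistration.k8s.io` rule lets it write `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`; together that is close to cluster-admin for whatever runs as `service-account`. If the operator really registers its own webhook (the Service on port 443 added in this patch hints at that, but nothing here confirms it), the webhook and secret access can at least be narrowed with `resourceNames` on the `get`/`update`/`patch`/`delete` verbs and the `secrets` rule moved into a Role in the operator's namespace. If it does not, I would drop the `admissionregistration.k8s.io` and `storage.k8s.io` rules and remove `- namespaces` and `- secrets` from the core rule.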
@@ -0,0 +1,121 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: xgboostjobs.xgboostjob.kubeflow.org +spec: + group: xgboostjob.kubeflow.org + names: + kind: XGBoostJob + plural: xgboostjobs + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the startTime + that the job may be active before the system tries to terminate it; + value must be positive integer. + format: int64 + type: integer + backoffLimit: + description: Optional number of retries before marking this job failed. + format: int32 + type: integer + cleanPodPolicy: + description: CleanPodPolicy defines the policy to kill pods after the + job completes. Default to Running. + type: string + schedulingPolicy: + description: SchedulingPolicy defines the policy related to scheduling, + e.g. gang-scheduling + properties: + minAvailable: + format: int32 + type: integer + type: object + ttlSecondsAfterFinished: + description: TTLSecondsAfterFinished is the TTL to clean up jobs. It + may take extra ReconcilePeriod seconds for the cleanup, since reconcile + gets called periodically. Default to infinite. 
+ format: int32 + type: integer + xgbReplicaSpecs: + type: object + required: + - xgbReplicaSpecs + type: object + status: + properties: + completionTime: + description: Represents time when the job was completed. It is not guaranteed + to be set in happens-before order across separate operations. It is + represented in RFC3339 form and is in UTC. + format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - type + - status + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It is + not guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the job + controller. It is not guaranteed to be set in happens-before order + across separate operations. It is represented in RFC3339 form and + is in UTC. + format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + version: v1alpha1 
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/deployment.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/deployment.yaml
new file mode 100644
index 0000000000..3eb5425aec
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/deployment.yaml
@@ -0,0 +1,18 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: deployment
+spec:
+ template:
+ metadata:
+ labels:
+ app: xgboost-operator
+ spec:
+ containers:
+ - name: xgboost-operator
+ command:
+ - /root/manager
+ - -mode=in-cluster
+ image: gcr.io/kubeflow-images-public/xgboost-operator:v1.0
+ imagePullPolicy: Always
+ serviceAccountName: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/kustomization.yaml
new file mode 100644
index 0000000000..b9a6bf7f30
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-role.yaml
+- cluster-role-binding.yaml
+- crd.yaml
+- deployment.yaml
+- service-account.yaml
+- service.yaml
+namespace: kubeflow
+nameprefix: xgboost-operator-
+configMapGenerator:
+- name: xgboost-operator-config
+ env: params.env
+images:
+ - name: gcr.io/kubeflow-images-public/xgboost-operator
+ newName: gcr.io/kubeflow-images-public/xgboost-operator
+ newTag: 8e29825
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/params.env b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/params.env
new file mode 100644
index 0000000000..e69de29bb2
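Review bot: deployment.yaml declares the Deployment under `extensions/v1beta1`, which API servers no longer serve for Deployments from Kubernetes 1.16 on, so this manifest stops applying as soon as the cluster is upgraded past that. Moving to `apiVersion: apps/v1` needs an explicit selector under `spec`, for example `selector: {matchLabels: {app: xgboost-operator}}`, matching the existing template label. The `componentKinds` entry `group: extensions/v1beta1` in the overlay's application.yaml would need the matching change to `apps`.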
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service-account.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service-account.yaml
new file mode 100644
index 0000000000..a36cbd800f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: service-account
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service.yaml
new file mode 100644
index 0000000000..13c8dd1b0f
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/base/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: service
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8080"
+ labels:
+ app: xgboost-operator
+spec:
+ type: ClusterIP
+ selector:
+ app: xgboost-operator
+ ports:
+ - port: 443
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/application.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/application.yaml
new file mode 100644
index 0000000000..431b5bca1c
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/application.yaml
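Review bot: service.yaml advertises metrics with `prometheus.io/port: "8080"`, but the only Service port is `443` with no `targetPort`, so the Service forwards to container port 443 and the scrape annotation names a port the Service never describes. The Deployment declares no container `ports`, so which listener sits on which port cannot be checked from these manifests. Giving the port a `name` and an explicit `targetPort: <container port>` would make that reviewable, and it is worth confirming whether the 8080 metrics endpoint is meant to be reachable by every pod in the cluster.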
@@ -0,0 +1,39 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+ name: xgboost-operator
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: xgboost-operator
+ app.kubernetes.io/instance: xgboost-operator
+ app.kubernetes.io/managed-by: kfctl
+ app.kubernetes.io/component: xgboostjob
+ app.kubernetes.io/part-of: kubeflow
+ componentKinds:
+ - group: core
+ kind: Service
+ - group: extensions/v1beta1
+ kind: Deployment
+ - group: core
+ kind: ServiceAccount
+ - group: xgboostjob.kubeflow.org
+ kind: XGBoostJob
+ descriptor:
+ type: xgboostjob
+ version: v1alpha1
+ description: XGBoost is an optimized distributed gradient boosting library designed to be highly efficient, flexible and portable
+ maintainers:
+ - name: Yuan Tang
+ email: terrytangyuan@gmail.com
+ - name: Hemantha kumara
+ email: mshemantha@gmail.com
+ owners:
+ - name: Yuan Tang
+ email: terrytangyuan@gmail.com
+ keywords:
+ - xgboost
+ links:
+ - description: About
+ url: "https://xgboost.ai/about"
+ addOwnerRef: true
diff --git a/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/kustomization.yaml b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/kustomization.yaml
new file mode 100644
index 0000000000..cdfc5a7e1d
--- /dev/null
+++ b/kubeflow_clusters/code-intelligence/upstream/manifests/xgboost-job/xgboost-operator/overlays/application/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+bases:
+- ../../base
+commonLabels:
+ app.kubernetes.io/component: xgboostjob
+ app.kubernetes.io/name: xgboost-operator
+kind: Kustomization
+resources:
+- application.yaml