From 0640a15e594afacd88e340a91b6b5aec95701a96 Mon Sep 17 00:00:00 2001 
From: Jeremy Lewi
Date: Fri, 20 Dec 2019 11:11:32 -0800
Subject: [PATCH] Make the Tekton CD pipeline for profile controller run on KF release cluster (#4568)

* Get rid of the PVC used to pass the image digest file between the build and update manifests step
* Creating a PVC just creates operational complexity
* We combine the build and update manifests step into one task. We can then use /workspace (a pod volume) to pass data like the image digest file between the steps
* Update pipelineRun to work with version 0.9 of Tekton
* Field serviceAccount has been renamed serviceAccountName
* TaskRun no longer supports outputImageDir so we remove it; we will have to use Tekton to pass the image digest file
* Remove the namespace.yaml and secrets.yaml from the kustomize package
* The secrets should be created out of band and not checked in
* So the behavior should be to deploy the kustomize package in a namespace that already exists with the appropriate secrets
* Checking in secrets is confusing
* If we check in dummy secrets then users will get confused about whether the secrets are valid or not
* Furthermore, the file secrets.yaml is an invitation to end up checking the secrets into source control.
* Configure some values to use gcr.io/kubeflow-images-public
* Disable ISTIO sidecar in the pipelines
* For kaniko we don't need the secret to be named a certain way; we just need to set GOOGLE_APPLICATION_CREDENTIALS to point to the correct value
* We change kaniko to use the user-gcp-sa secret that Kubeflow creates
* We shouldn't need an image pull secret since kubeflow-images-public is public
* GOOGLE_APPLICATION_CREDENTIALS should be used for pushing images
* Change the name of the secret containing ssh credentials for kubeflow-bot to kubeflow-bot-github-ssh
* rebuild-manifests.sh should use /workspace to get the image digest rather than the PVC.
* Simplify rebuild-manifests.sh
* Tekton will mount the .ssh information in /tekton/home/.ssh so we just need to create a symbolic link to /root/.ssh
* The image digest file should be fetched from /workspace and not some PVC.
* Set GITHUB_TOKEN environment variable using secrets so that we don't need to use kubectl get to fetch it
* We need to make the clone of kubeflow/manifests a non-shallow clone before we can push changes to the remote repo
* I was able to successfully run the profile controller workflow and create a PR https://github.com/kubeflow/manifests/pull/669

Next steps:

* This PR only updated the profile controller
* We need to refactor how the PipelineRuns are laid out
* I think we may want the PipelineRuns to be separate from the reused resources like Task
* rebuild-manifests.sh should only regenerate tests for changed files
* The created PRs don't satisfy the Kubeflow CLA check.

Related to: kubeflow/testing#450
---
 components/base/README.md | 60 ++++++++++----
 components/base/kustomization.yaml | 3 -
 components/base/namespace.yaml | 4 -
 components/base/params.env | 6 +-
 components/base/persistent-volume-claim.yaml | 10 ---
 components/base/pipeline.yaml | 40 ++++++----
 components/base/secrets.yaml | 52 -------------
 components/base/service-account.yaml | 10 ++-
 components/base/task.yaml | 78 +++++++------------
 components/profile-controller/ci/params.env | 3 +
 .../profile-controller/ci/pipeline-run.yaml | 2 +-
 py/kubeflow/kubeflow/ci/rebuild-manifests.sh | 78 ++++++++++++++-----
 12 files changed, 169 insertions(+), 177 deletions(-)
 delete mode 100644 components/base/namespace.yaml
 delete mode 100644 components/base/persistent-volume-claim.yaml
 delete mode 100644 components/base/secrets.yaml

diff --git a/components/base/README.md b/components/base/README.md index 9bb2b3562e6..9858475feb4 100644 --- a/components/base/README.md +++ b/components/base/README.md 
@@ -10,7 +10,11 @@ -## Kubeflow CI with tektoncd pipelines +## Kubeflow CD with tektoncd pipelines + +This directory contains Tekton pipelines intended to rebuild Kubeflow docker images +and open PRs to update Kubeflow kustomize manifests to use the newly built images. + ### Use Cases @@ -19,7 +23,7 @@ The following use cases can be run on the following components (should be run fr - `kustomize build --reorder none `*jupyter-web-app*`/ci | kubectl apply -f -` - `kustomize build --reorder none `*notebook-controller*`/ci | kubectl apply -f -` - `kustomize build --reorder none `*profile-controller*`/ci | kubectl apply -f - - + This uses TektonCD [pipelinerun](https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md) to enable the following use case: 1. A PR is merged into kubeflow/kubeflow updating the component @@ -59,11 +63,10 @@ In this use case the following instance is created: │    └── manifests+revision └── pipeline    └── tasks -    ├── build-push -    └── update-manifests +    ├── build-push   ``` -The PipelineRun includes a Pipeline that has 2 tasks and 3 PipelineResources of type image (component) and git (kubeflow, manifests). The Tasks reference these resources in their inputs or outputs. +The PipelineRun includes a Pipeline that has 1 tasks and 3 PipelineResources of type image (component) and git (kubeflow, manifests). The Tasks reference these resources in their inputs or outputs. ### Parameterization 
@@ -72,8 +75,7 @@ The Pipeline uses parameterized Tasks. Reusing this pipeline only requires changing parameters in params.env in the target component The parameters are noted below, those with an asterix should change per component: -Those parameters without an asterix allow different gcr.io locations, namespace and pvc_mount_path. -This can be run locally (for example using a local cluster via `kind create cluster`) +Those parameters without an asterix allow different gcr.io locations and namespace. ``` container_image=gcr.io/kubeflow-ci/test-worker:latest 
@@ -91,13 +93,41 @@ This can be run locally (for example using a local cluster via `kind create clus pvc_mount_path=/kubeflow ``` -### Secrets +### Setting up a cluster to run the pipelines + +The kustomize manifests are currently written so as to run in a Kubeflow releasing cluster. + +The current release cluster is + +* **project**: **kf-releasing** +* **cluster**: **kf-releasing-0-6-2** +* **namespace**: **kf-releasing** + +This is a Kubeflow cluster (v0.6.2) and we rely on that to configure certain things like the secrets and service accounts. + +1. Follow [Tektons' instructions](https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#ssh-authentication-git) for + creating a secret containing ssh credentials for use with GitHub + + * We are currently using the secret named **kubeflow-bot-github-ssh** + + +1. Ensure the GCP service account used with Kaniko has storage admin permissions for the project + where the images are pushed. + + * most likely **gcr.io/kubeflow-images-public** + +1. Create a secret named **github-token** containing a github token to be used by the hub CLI to create PRs. + +### Run a pipeline + +1. Modify `base/params.env` + + * set namespace to the namespace where it will run + +1. Run + + ``` + kustomize build --reorder none `*profile-controller*`/ci | kubectl apply -f - + ``` -The secrets file has been supplied with no tokens and should have tokens generated. -The file itself should not be checked in with valid tokens. -- gcp-credentials -- kaniko-secret (same as gcp-credentials, use by kaniko) -- github-ssh -- github-token -For the github-ssh and github-token secrets the kubeflow-bot github user and it's forked repo should be used. diff --git a/components/base/kustomization.yaml b/components/base/kustomization.yaml index e40bbc3d3c4..6e0037fbea9 100644 --- a/components/base/kustomization.yaml +++ b/components/base/kustomization.yaml 
@@ -1,9 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- namespace.yaml -- persistent-volume-claim.yaml -- secrets.yaml - service-account.yaml - role-binding.yaml - pipeline-resource.yaml diff --git a/components/base/namespace.yaml b/components/base/namespace.yaml deleted file mode 100644 index 4a7da48228c..00000000000 --- a/components/base/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: $(namespace) diff --git a/components/base/params.env b/components/base/params.env index cda23fb3f96..6436a4e8a6c 100644 --- a/components/base/params.env +++ b/components/base/params.env @@ -1,6 +1,6 @@ -namespace=kubeflow-ci -container_image=gcr.io/constant-cubist-173123/test-worker@sha256:08cc88cf7cac0742f52822716ec5da8137d82378a2b05dc11e7d813c04d4c572 -image_url=gcr.io/constant-cubist-173123 +namespace=kf-releasing +container_image=gcr.io/kubeflow-releasing/test-worker@sha256:35138a42b57160a078e802b7d69aec3c3e79a3e2e55518af7798275ebcc84d25 +image_url=gcr.io/kubeflow-images-public kubeflow_repo_revision=master kubeflow_repo_url=git@github.com:kubeflow/kubeflow.git manifests_repo_revision=master diff --git a/components/base/persistent-volume-claim.yaml b/components/base/persistent-volume-claim.yaml deleted file mode 100644 index 0b85f948058..00000000000 --- a/components/base/persistent-volume-claim.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: ci-pipeline-run-persistent-volume-claim -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi diff --git a/components/base/pipeline.yaml b/components/base/pipeline.yaml index 8e59510ef4e..556d10d8cb0 100644 --- a/components/base/pipeline.yaml +++ b/components/base/pipeline.yaml 
@@ -21,20 +21,6 @@ spec: value: $(path_to_context) - name: path_to_docker_file value: $(path_to_docker_file) - resources: - inputs: - - name: kubeflow - resource: kubeflow - outputs: - - name: $(image_name) - resource: $(image_name) - taskRef: - name: build-push - kind: namespaced - - name: update-manifests - runAfter: - - build-push - params: - name: container_image value: "$(container_image)" - name: path_to_manifests_dir @@ -45,10 +31,30 @@ spec: resource: kubeflow - name: manifests resource: manifests + outputs: - name: $(image_name) resource: $(image_name) - from: - - build-push taskRef: - name: update-manifests + name: build-push kind: namespaced + #- name: update-manifests + # runAfter: + # - build-push + # params: + # - name: container_image + # value: "$(container_image)" + # - name: path_to_manifests_dir + # value: "$(path_to_manifests_dir)" + # resources: + # inputs: + # - name: kubeflow + # resource: kubeflow + # - name: manifests + # resource: manifests + # - name: $(image_name) + # resource: $(image_name) + # from: + # - build-push + # taskRef: + # name: update-manifests + # kind: namespaced diff --git a/components/base/secrets.yaml b/components/base/secrets.yaml deleted file mode 100644 index 301d59f8857..00000000000 --- a/components/base/secrets.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: v1 -data: - .dockerconfigjson: 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 -kind: Secret -metadata: - name: docker-secret -type: kubernetes.io/dockerconfigjson ---- -apiVersion: v1 -data: - kaniko-secret.json: ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiY29uc3RhbnQtY3ViaXN0LTE3MzEyMyIsCiAgInByaXZhdGVfa2V5X2lkIjogImFkYjM2NzNjYjk5Mzc5MjY2YmNjMWQ1NWJiMWU3YmQxZWMzOTRiNWMiLAogICJwcml2YXRlX2tleSI6ICItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cbk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzZvMzdKOEtpMVFqd0VcbnhNT3ROUVZaK2xsWUxIdlNXV2tDeXp1a3JwbHdZRU9KRk5VR00yQ3NySHpjM0pDUDhGYWo1RVRHMjlvT1pLVkJcbkxKNTd5V0pISnJ6SEhvYnI4c2w3K2lyNGNhSi9LM2JLaXJuZlZhNkV5eTlrMUhrRExKVnhPWWxpcVNuR21GVnlcbkN5aWF5bTUyNVd1amp2SEJEWmVHbGM5am9USzBvckF2L1ArYWc4ZXlFL2NOQ0tBcE5JOGUxV2JpYTBTQnVhMG5cblVZbFB1RXRxdzJ3NDhJbkh6akVQY0VmdENzWjBOZGhkY3hTdVNuSVB5NW9ua2JuVXhZWnAzUjF3TmQ3eDdaQk5cbkRKYUJYQlMyVWRHUzR2K3N5YlVCVTVpcUFyRE1tU2ZZTDE3T1NTdnN0RlJ1UTJ2QlprQzdNT3pFZ3YxSUhmMFdcbm85TkswRWh2QWdNQkFBRUNnZ0VBQ1JtTG5GWksyTkRxa3VPZEZCd3ZyMGE3aGNjS3luaTlocVlEWkhETU03bklcbmU5aUkxN2ZpNWgyMWdNeVM1OUcwc21KTGV0UDJwUmtCemFtdjdjMGwwNGp2VDFpM3IxZ0pFWU1Oc1V0VHZFRG1cbjY5SitaRENONzcrUVhLbUNDa1krNEdSZWJ4eGNXR2g0L0xSNmt3RjlCL2hXUlMvbEF2Vk1zVmZWNHIrclNlU2Ncbm1NSjk0QVE0TjN4cldFUXN1aXdWSGZXTHRJTE1mRjdSaFd1c3YyYmdYL0QrNGo3SEh0aDg1a2JXMUs0dDJxZDdcbkIwaEJEcVlQTEtjYzJVNkNJR0NRZ1h3THNlYUUxRkptYWpsdnNVK0pXdmY2MmZTNk8wSlVMeVFLMzZkczZkRlJcbmpoODVNYmxlWUcxZ2loWk9Ncm1wQ29aSVRrN0VPTWVTalBnRVpYbmlVUUtCZ1FEM21QcmtmZUpVY1daak1md0JcbmJySTRNTUVpdkdSSVQ0eUc2cWR2aWRSK3dVN3YzMWxtTmtQN0trOCtYaEFrRjJNaUJEUmpBRlZvKzR0N2t6WkRcbk45Zk9NSlgwakZnUVpLajFuR1gxekZ2ZERqRTh3ZWRTN2ZMV3BOczJlZm5GWUpQRm5SRU16eG81VWpGNTZ4V1pcbllCYjZUeU1pM1FrWURuUDRZNWNNRkJVSmJRS0JnUURBK080OVRzYTJhZ1ZSclhsLzFEM3NYd3RSN0pIaG5FRGRcbjVpWTNBbTlUMVdqVVUxNU9pcE1MTml6QW95UVhpSkVZWjJjbkR2Z2x3ZDRLLzFhS24rcnN4c1lHRWY4aFlQSHJcbkJoN3FueW44SzJseTJoakUxY0xpVFg4NEVnd1VMcFJjeGo3bkM0ZWFLOEdJeUdLNnZrR3NoNCs1bnJLVFlkaUtcbkx5SFIxRz
ZyeXdLQmdRRGcvMmpIYU1uYTJLNGxhRS9NY1c2TTkya2JDcjNLcEZkY1p6SytmaTdXL1EyaGw0S2pcbkNwOGVTQ1Y0MUh1d2dIdzZkajJ3MWFYSDRBYXh4bVlpRVVZUC9rRFcyUTVSMzFkVzBzZ281SXQ2UnlKaFJ3ZlNcbmFaOHFoT2NjQ3gzNXlqaWU5SXVBNjFhMlRrWGR0ODZKOFRNUVJnZjA3NDRMQ1Y5RGtpUzUraW5meFFLQmdFMVdcbk5seVpxcWZHbTdVZE9mbFIvVE15OEIxNEd3cjVEVUloRDZXeU14MjlCSk03aWlzZC9FcGMvdGlCU1dDcEdjVlhcbkE0OHl2NTZhTUx2bGt6QmhZTXhkNlZUYmQ0MVFCZ1F6NHNZUzNjZXpPa0tPUjZqekpuUjlySU96TCtZU3VPRHBcbmpxSVlDOU5zdjlacXdLNm91emRDNlFYeUpRMU9CSE4wNmkvbTNDZTdBb0dBU01wRStscDlxV2ZWYXlGV2tlWVBcbk44WEh3YU1RY2RPRmRsNkV2UXRla1BjTGJDUXpTNFJ0SEFPTU1MM3lyL0NBSTlKZmRqeFYwd2JxbWg2UndYUDNcbis4ZDlSaTY4bDBldzVISzAyVkRxYWRPLzkyYWhzazZmMVdWTi9HTHBYOGJPTWRGRXZyTktPc1FZNEVvQ1dCU2tcblF1ZmRBdFZueE1UZG9ydTNxY0N4RG1vPVxuLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLVxuIiwKICAiY2xpZW50X2VtYWlsIjogImtmLWFjY291bnRAY29uc3RhbnQtY3ViaXN0LTE3MzEyMy5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsCiAgImNsaWVudF9pZCI6ICIxMDkyODcyODAxMzE5ODQ2MTA2MTYiLAogICJhdXRoX3VyaSI6ICJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20vby9vYXV0aDIvYXV0aCIsCiAgInRva2VuX3VyaSI6ICJodHRwczovL29hdXRoMi5nb29nbGVhcGlzLmNvbS90b2tlbiIsCiAgImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAogICJjbGllbnRfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L2tmLWFjY291bnQlNDBjb25zdGFudC1jdWJpc3QtMTczMTIzLmlhbS5nc2VydmljZWFjY291bnQuY29tIgp9Cg== -kind: Secret -metadata: - name: kaniko-secret -type: Opaque ---- -apiVersion: v1 -data: - key.json: 
ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiY29uc3RhbnQtY3ViaXN0LTE3MzEyMyIsCiAgInByaXZhdGVfa2V5X2lkIjogImFkYjM2NzNjYjk5Mzc5MjY2YmNjMWQ1NWJiMWU3YmQxZWMzOTRiNWMiLAogICJwcml2YXRlX2tleSI6ICItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cbk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzZvMzdKOEtpMVFqd0VcbnhNT3ROUVZaK2xsWUxIdlNXV2tDeXp1a3JwbHdZRU9KRk5VR00yQ3NySHpjM0pDUDhGYWo1RVRHMjlvT1pLVkJcbkxKNTd5V0pISnJ6SEhvYnI4c2w3K2lyNGNhSi9LM2JLaXJuZlZhNkV5eTlrMUhrRExKVnhPWWxpcVNuR21GVnlcbkN5aWF5bTUyNVd1amp2SEJEWmVHbGM5am9USzBvckF2L1ArYWc4ZXlFL2NOQ0tBcE5JOGUxV2JpYTBTQnVhMG5cblVZbFB1RXRxdzJ3NDhJbkh6akVQY0VmdENzWjBOZGhkY3hTdVNuSVB5NW9ua2JuVXhZWnAzUjF3TmQ3eDdaQk5cbkRKYUJYQlMyVWRHUzR2K3N5YlVCVTVpcUFyRE1tU2ZZTDE3T1NTdnN0RlJ1UTJ2QlprQzdNT3pFZ3YxSUhmMFdcbm85TkswRWh2QWdNQkFBRUNnZ0VBQ1JtTG5GWksyTkRxa3VPZEZCd3ZyMGE3aGNjS3luaTlocVlEWkhETU03bklcbmU5aUkxN2ZpNWgyMWdNeVM1OUcwc21KTGV0UDJwUmtCemFtdjdjMGwwNGp2VDFpM3IxZ0pFWU1Oc1V0VHZFRG1cbjY5SitaRENONzcrUVhLbUNDa1krNEdSZWJ4eGNXR2g0L0xSNmt3RjlCL2hXUlMvbEF2Vk1zVmZWNHIrclNlU2Ncbm1NSjk0QVE0TjN4cldFUXN1aXdWSGZXTHRJTE1mRjdSaFd1c3YyYmdYL0QrNGo3SEh0aDg1a2JXMUs0dDJxZDdcbkIwaEJEcVlQTEtjYzJVNkNJR0NRZ1h3THNlYUUxRkptYWpsdnNVK0pXdmY2MmZTNk8wSlVMeVFLMzZkczZkRlJcbmpoODVNYmxlWUcxZ2loWk9Ncm1wQ29aSVRrN0VPTWVTalBnRVpYbmlVUUtCZ1FEM21QcmtmZUpVY1daak1md0JcbmJySTRNTUVpdkdSSVQ0eUc2cWR2aWRSK3dVN3YzMWxtTmtQN0trOCtYaEFrRjJNaUJEUmpBRlZvKzR0N2t6WkRcbk45Zk9NSlgwakZnUVpLajFuR1gxekZ2ZERqRTh3ZWRTN2ZMV3BOczJlZm5GWUpQRm5SRU16eG81VWpGNTZ4V1pcbllCYjZUeU1pM1FrWURuUDRZNWNNRkJVSmJRS0JnUURBK080OVRzYTJhZ1ZSclhsLzFEM3NYd3RSN0pIaG5FRGRcbjVpWTNBbTlUMVdqVVUxNU9pcE1MTml6QW95UVhpSkVZWjJjbkR2Z2x3ZDRLLzFhS24rcnN4c1lHRWY4aFlQSHJcbkJoN3FueW44SzJseTJoakUxY0xpVFg4NEVnd1VMcFJjeGo3bkM0ZWFLOEdJeUdLNnZrR3NoNCs1bnJLVFlkaUtcbkx5SFIxRzZyeXdLQmdRRGcvMmpIYU1uYTJLNGxhRS9NY1c2TTkya2JDcjNLcEZkY1p6SytmaTdXL1EyaGw0S2pcbkNwOGVTQ1Y0MUh1d2dIdzZkajJ3MWFYSDRBYXh4bVlpRVVZUC9rRFcyUTVSMzFkVzBzZ281SXQ2UnlKaFJ3ZlNcbmFaOHFoT2NjQ3gzNXlqaWU5SXVBNjFhMlRrWGR0ODZKOFRNUVJnZjA3NDRMQ1Y5RGtpUzUraW5meFFLQmdF
MVdcbk5seVpxcWZHbTdVZE9mbFIvVE15OEIxNEd3cjVEVUloRDZXeU14MjlCSk03aWlzZC9FcGMvdGlCU1dDcEdjVlhcbkE0OHl2NTZhTUx2bGt6QmhZTXhkNlZUYmQ0MVFCZ1F6NHNZUzNjZXpPa0tPUjZqekpuUjlySU96TCtZU3VPRHBcbmpxSVlDOU5zdjlacXdLNm91emRDNlFYeUpRMU9CSE4wNmkvbTNDZTdBb0dBU01wRStscDlxV2ZWYXlGV2tlWVBcbk44WEh3YU1RY2RPRmRsNkV2UXRla1BjTGJDUXpTNFJ0SEFPTU1MM3lyL0NBSTlKZmRqeFYwd2JxbWg2UndYUDNcbis4ZDlSaTY4bDBldzVISzAyVkRxYWRPLzkyYWhzazZmMVdWTi9HTHBYOGJPTWRGRXZyTktPc1FZNEVvQ1dCU2tcblF1ZmRBdFZueE1UZG9ydTNxY0N4RG1vPVxuLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLVxuIiwKICAiY2xpZW50X2VtYWlsIjogImtmLWFjY291bnRAY29uc3RhbnQtY3ViaXN0LTE3MzEyMy5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsCiAgImNsaWVudF9pZCI6ICIxMDkyODcyODAxMzE5ODQ2MTA2MTYiLAogICJhdXRoX3VyaSI6ICJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20vby9vYXV0aDIvYXV0aCIsCiAgInRva2VuX3VyaSI6ICJodHRwczovL29hdXRoMi5nb29nbGVhcGlzLmNvbS90b2tlbiIsCiAgImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAogICJjbGllbnRfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L2tmLWFjY291bnQlNDBjb25zdGFudC1jdWJpc3QtMTczMTIzLmlhbS5nc2VydmljZWFjY291bnQuY29tIgp9Cg== -kind: Secret -metadata: - name: gcp-credentials -type: Opaque ---- -apiVersion: v1 -data: - CLIENT_ID: MzM2MzM1NTQxOTkzLTJ0NXJsMWMydDQ1czZnb2MzbzQxNWdsNm9uYWpobWt0LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIC1uCg== - CLIENT_SECRET: ZlFlQjhyOFNUMk5kdXlyOE9UMjVUTE5hIC1uCg== -kind: Secret -metadata: - name: kubeflow-oauth -type: Opaque ---- -apiVersion: v1 -kind: Secret -metadata: - name: github-ssh - annotations: - tekton.dev/git-0: github.com -type: kubernetes.io/ssh-auth -data: - known_hosts: 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 - ssh-privatekey: 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 - ssh-publickey: 
c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBQkl3QUFBUUVBMVRaNUFoWkNNU2hXUTg1V2dFOWo3d2ZYVzg0b0Y0TU1QUXpVQ1JyNTNSa1pZY2gwMVo5RDlvNTFPYU9ydC8wZGZrelJrN0h6TmxYVTZObHBxS0RIRzNKb1EvSGU5R2RPMjQydVpDT0RublFYdEg4SzlBRDRMb0lBdFlMTnBZOXRxL3VUNExMM1Q1aGxRN1VjU1pUdngzYVJQZmYvVjVvSi9SeVVqVkpvK3JtbU5WdWo2dWF4ZlZzOGV4UXpPZnlMaFNlQ0dHN2NpYUtXNGk1MU1EWU1iMHgvc2MyeUZoTGFwLzBBVUJ2VUdZNElVdmNVbmxiL1Q2Y0NTNmNVWmV0ZHA0dHZ5dTZHVVJoYjlmRDhhQ0RqQ2ovdjVoWHVkTzM3cExseWxKWGRkbUZ4ZStVWm9MWUtjTVhPa3Ixd0JucHNvcnhNYVNvbHpyRm0zMWVSaFh4bDhRPT0ga2thc3JhdmlAMTkyLjE2OC4xLjIK ---- -apiVersion: v1 -kind: Secret -metadata: - name: github-token -type: Opaque -data: - token: MDg5N2ZhMmI0N2Y3Y2NiNzJkMjdiMTBkMjAzODUxMDBhMjQ4YWM2Yw== diff --git a/components/base/service-account.yaml b/components/base/service-account.yaml index c6c866591cc..66146de0771 100644 --- a/components/base/service-account.yaml +++ b/components/base/service-account.yaml @@ -1,8 +1,12 @@ +# TODO(jlewi): When we switch to workload identity should we continue to use this service account +# or use the default Kubeflow service account which is already bound to a GCP SA. apiVersion: v1 kind: ServiceAccount metadata: name: ci-pipeline-run-service-account -imagePullSecrets: -- name: docker-secret secrets: -- name: github-ssh +# This is the name of the secret containing the ssh secret for the kubeflow-bot +# This is used to create pull requests updating the manifests +# For more info see the Tekton authentication docs +# https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#ssh-authentication-git +- name: kubeflow-bot-github-ssh diff --git a/components/base/task.yaml b/components/base/task.yaml index d13be91534a..ef881148314 100644 --- a/components/base/task.yaml +++ b/components/base/task.yaml @@ -2,6 +2,9 @@ apiVersion: tekton.dev/v1alpha1 kind: Task metadata: name: build-push + annotations: + # This gets passed down to the individual pods + sidecar.istio.io/inject: "false" spec: inputs: params: 
@@ -17,83 +20,60 @@ spec: - description: The path to the dockerfile to build name: path_to_docker_file type: string + - description: pod container image + name: container_image + type: string + - description: Where the components manifest dir is + name: path_to_manifests_dir + type: string resources: - name: kubeflow type: git + - name: manifests + type: git outputs: resources: - name: $(image_name) type: image - outputImageDir: /kubeflow steps: - name: build-push image: gcr.io/kaniko-project/executor:v0.11.0 command: - /kaniko/executor - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /secret/kaniko/kaniko-secret.json - args: - --dockerfile=/workspace/$(inputs.resources.kubeflow.name)/$(inputs.params.path_to_docker_file) - --target=$(inputs.params.docker_target) - --destination=$(outputs.resources.$(inputs.params.image_name).url) - --context=/workspace/$(inputs.resources.kubeflow.name)/$(inputs.params.path_to_context) - - --digest-file=/kubeflow/$(inputs.params.image_name)-digest + - --digest-file=/workspace/$(inputs.params.image_name)-digest + env: + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /secret/user-gcp-sa.json volumeMounts: - - name: kaniko-secret - mountPath: /secret/kaniko - - name: kubeflow - mountPath: /kubeflow - volumes: - - name: kaniko-secret - secret: - secretName: kaniko-secret - - name: kubeflow - persistentVolumeClaim: - claimName: ci-pipeline-run-persistent-volume-claim ---- -apiVersion: tekton.dev/v1alpha1 -kind: Task -metadata: - name: update-manifests -spec: - inputs: - params: - - description: pod container image - name: container_image - type: string - - description: Where the components manifest dir is - name: path_to_manifests_dir - type: string - resources: - - name: kubeflow - type: git - - name: manifests - type: git - - name: $(image_name) - type: image - steps: + - mountPath: /secret + name: gcp-credentials - name: update-manifests workingDir: 
/workspace/$(inputs.resources.manifests.name)/$(inputs.params.path_to_manifests_dir) image: $(inputs.params.container_image) - command: ["/bin/sleep", "infinity"] - #command: - #- /workspace/$(inputs.resources.kubeflow.name)/py/kubeflow/kubeflow/ci/rebuild-manifests.sh + command: + - /workspace/$(inputs.resources.kubeflow.name)/py/kubeflow/kubeflow/ci/rebuild-manifests.sh env: - name: GOOGLE_APPLICATION_CREDENTIALS - value: /secret/gcp-credentials/key.json + value: /secret/gcp-credentials/user-gcp-sa.json + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + name: github-token + key: github_token envFrom: - configMapRef: name: ci-pipeline-run-parameters volumeMounts: - mountPath: /secret name: gcp-credentials - - mountPath: /kubeflow - name: kubeflow volumes: - name: gcp-credentials secret: - secretName: gcp-credentials - - name: kubeflow - persistentVolumeClaim: - claimName: ci-pipeline-run-persistent-volume-claim + secretName: user-gcp-sa + - name: github-token + secret: + secretName: github-token \ No newline at end of file diff --git a/components/profile-controller/ci/params.env b/components/profile-controller/ci/params.env index 4b88c933edb..4a24f5259d1 100644 --- a/components/profile-controller/ci/params.env +++ b/components/profile-controller/ci/params.env @@ -3,3 +3,6 @@ image_name=profile-controller path_to_context=components/profile-controller path_to_docker_file=components/profile-controller/Dockerfile path_to_manifests_dir=profiles/base +do_not_submit=deletelinesbelow +kubeflow_repo_revision=tekton_cicd +kubeflow_repo_url=git@github.com:jlewi/kubeflow.git \ No newline at end of file diff --git a/components/profile-controller/ci/pipeline-run.yaml b/components/profile-controller/ci/pipeline-run.yaml index c86d73bb2f8..1f73e333bd1 100644 --- a/components/profile-controller/ci/pipeline-run.yaml +++ b/components/profile-controller/ci/pipeline-run.yaml 
@@ -15,4 +15,4 @@ spec: - name: $(image_name) resourceRef: name: $(image_name) - serviceAccount: ci-pipeline-run-service-account + serviceAccountName: ci-pipeline-run-service-account diff --git a/py/kubeflow/kubeflow/ci/rebuild-manifests.sh b/py/kubeflow/kubeflow/ci/rebuild-manifests.sh index 4cfc85a3017..908d436b2b2 100755 --- a/py/kubeflow/kubeflow/ci/rebuild-manifests.sh +++ b/py/kubeflow/kubeflow/ci/rebuild-manifests.sh 
@@ -26,36 +26,74 @@ # how to set env vars from configmap if debugging # for i in $(kubectl get cm ci-pipeline-run-parameters -ojson | jq -r '.data | keys[] as $k | "\($k)=\(.[$k])"'); do echo export $i; export $i; done # +set -ex + +# This is for debug echo '--env--' -env +env | sort echo '--env--' -new_branch_name='update_'$image_name'_'$kubeflow_repo_revision -export GITHUB_TOKEN=$(kubectl get secrets github-token -ojson | jq '. | .data.token' | xargs | base64 -d) -kubectl get secret github-ssh -ojson | jq ' . | .data["ssh-publickey"]' | xargs | base64 -d > ~/.ssh/id_rsa.pub -cp ~/.ssh/id_github-ssh ~/.ssh/id_rsa -chmod 0600 ~/.ssh/id_rsa -chmod 0600 ~/.ssh/id_rsa.pub -ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts -if [[ ! -d /root/.ssh ]]; then - mkdir /root/.ssh -fi + +# GitHub user to store the fork +fork_user=kubeflow-bot + +# Get the commit for the kubeflow repository +cd /workspace/kubeflow +kubeflow_commit=$(git rev-parse HEAD) +kubeflow_commit=${digest:0:8} + +# We use a unique branch name based on the digest of the image +digest=$(cat /workspace/${image_name}-digest) +# Shorten the digest. The digest will start with sha256: +short_digest=${digest:7:8} +new_branch_name='update_'$image_name'_'${short_digest} + +# TODO(jlewi): We should mount the GITHUB_TOKEN as a secret +#export GITHUB_TOKEN=$(kubectl get secrets github-token -ojson | jq '. 
| .data.token' | xargs | base64 -d) + +# Tekton will automatically mount the ssh private key and known hosts stored in the git secret +# in /tekton/home/.ssh +# however since this scriptt runs in our test worker image it ends up using /root/.sssh +ln -sf /tekton/home/.ssh /root/.ssh ssh-keyscan -t rsa github.com > /root/.ssh/known_hosts -GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa" git fetch origin master -GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa" git checkout -b $new_branch_name origin/master -kustomize edit set image gcr.io/kubeflow-images-public/${image_name}=gcr.io/kubeflow-images-public/${image_name}@$(cat /kubeflow/${image_name}-digest) +cd /workspace/manifests + +# Do a full fetch to unshallow the clone +# it looks like Tekton might do a shallow checkout +git fetch --unshallow + +# Create a new branch for the pull request +git checkout -b $new_branch_name origin/${manifests_repo_revision} + +# Add the kubeflow-bot repo +git remote add ${fork_user} git@github.com:${fork_user}/manifests.git + +cd /workspace/manifests/${path_to_manifests_dir} +kustomize edit set image gcr.io/kubeflow-images-public/${image_name}=gcr.io/kubeflow-images-public/${image_name}@$(cat /workspace/${image_name}-digest) cd /workspace/manifests/tests -make generate && make test + +# TODO(jlewi): Changed to make generate-changed-only once https://github.com/kubeflow/manifests/pull/665 +# is submitted +# make generate-changed-only +make generate +make test if (( $? 
== 0 )); then git config --global user.email "kubeflow-bot@kubflow.org" git config --global user.name "kubeflow-bot" - GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa" git commit -a -m "image updated as part of kubeflow repo:$kubeflow_repo_url commit:$kubeflow_repo_revision" - GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa" git push origin $new_branch_name -f + tmpfile=$(mktemp) - echo "[auto PR] Update the $image_name image to $(cat /kubeflow/${image_name}-digest)" > $tmpfile + + echo "[auto PR] Update the ${image_name} image to commit ${kubeflow_commit}" > $tmpfile + echo "" >> $tmpfile + echo "* Use image digest $(cat /workspace/${image_name}-digest)" >> $tmpfile + echo "" >> $tmpfile echo "" >> $tmpfile - echo "Image built from repo:$manifests_repo_url branch:$new_branch_name commit:$(git rev-parse HEAD)" >> $tmpfile - GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa" hub pull-request -f -b 'kubeflow:master' -F $tmpfile + echo "* Image built from repo:$manifests_repo_url branch:$new_branch_name commit:$(kubeflow_commit)" >> $tmpfile + + git commit -a -F ${tmpfile} + + git push ${fork_user} $new_branch_name -f + hub pull-request -f -b 'kubeflow:master' -F $tmpfile else echo 'make generate && make test' failed fi
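
Review bot: step 3 of "Setting up a cluster to run the pipelines" in the components/base/README.md hunk at @@ -91,13 +93,41 @@ names the **github-token** secret but not the key it has to contain, while task.yaml reads it with `key: github_token` and the deleted secrets.yaml used `token`, so a secret created from these instructions may not match what the task expects; state the key name in the step. Step 2 asks for storage admin on the whole project where the images are pushed; say whether access scoped to the registry's storage bucket is enough for the Kaniko push. The unchanged parameter listing just above the new section still shows `pvc_mount_path=/kubeflow` although the PVC is removed by this patch.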
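
Review bot: the components/base/pipeline.yaml hunk at @@ -45,10 +31,30 @@ keeps the old update-manifests pipeline task as a block of commented-out YAML starting at `#- name: update-manifests`; the step now lives inside the build-push Task and history preserves the old definition, so delete the block rather than leaving dead configuration that readers may take for a supported option.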
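
Review bot: the components/base/secrets.yaml deletion removes populated values, not empty placeholders: `kaniko-secret.json`, `key.json`, `CLIENT_SECRET` and the github-token `token` all carry base64 data in the removed lines, which conflicts with the old README text saying the file was supplied with no tokens. Deleting the file takes these values out of the tree but not out of the repository history, so the commit message should record that the corresponding credentials were revoked or rotated, or confirm that they were never valid.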
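
Review bot: in the components/base/task.yaml hunk at @@ -17,83 +20,60 @@ the two steps disagree on the credential path although both mount the `gcp-credentials` volume at `/secret`: build-push sets GOOGLE_APPLICATION_CREDENTIALS to `/secret/user-gcp-sa.json` and update-manifests sets it to `/secret/gcp-credentials/user-gcp-sa.json`, so one of them points at a file that does not exist; make both use the same path. The new `github-token` entry under `volumes` is not mounted by any step, since the token arrives through `secretKeyRef`, and can be dropped so the secret is exposed only as the one environment variable that needs it.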
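
Review bot: the three lines added to components/profile-controller/ci/params.env are debugging overrides that should not merge: `do_not_submit=deletelinesbelow` marks them as such, and `kubeflow_repo_url=git@github.com:jlewi/kubeflow.git` with `kubeflow_repo_revision=tekton_cicd` makes the release pipeline build from a personal fork branch while base/params.env now sets `image_url=gcr.io/kubeflow-images-public`. Remove the three lines so that images pushed to the public registry are built from kubeflow/kubeflow, and consider a presubmit check that rejects the do_not_submit marker.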
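
Review bot: the debug block at the top of the py/kubeflow/kubeflow/ci/rebuild-manifests.sh hunk now leaks the GitHub token, because task.yaml injects GITHUB_TOKEN into this step's environment and the script runs `env | sort` under `set -ex`, which writes the token to the step log; drop the dump or filter secret variables out of it. Two expansions are also wrong: `kubeflow_commit=${digest:0:8}` runs before `digest` is assigned and discards the result of `git rev-parse HEAD`, so it should read `${kubeflow_commit:0:8}`, and `commit:$(kubeflow_commit)` is a command substitution where `${kubeflow_commit}` is meant. Finally, with /root/.ssh linked to /tekton/home/.ssh, the retained `ssh-keyscan -t rsa github.com > /root/.ssh/known_hosts` overwrites the known_hosts that Tekton mounted from the secret with whatever key the network returns at run time, and `set -e` makes the `else` branch after `make test` unreachable.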