Kubeflow 1.9 follow up: Upstream our authorizationpolicy and oauth2-proxy changes to kubeflow/pipelines and kubeflow/kubeflow

[juliusvonkohout]

Validation Checklist

• Is this a Kubeflow issue?
• Are you posting in the right repository ?
• Did you follow the installation guide https://github.com/kubeflow/manifests?tab=readme-ov-file ?
• Is the issue report properly structured and detailed with version numbers?
• Is this for Kubeflow development ?
• Would you like to work on this issue?
• You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

master

Describe your issue

Follow up of
#2795
And
#2753

And
#2734 (comment)

@kimwnasptd @rimolive

Steps to reproduce the issue

Stuff will break on the next manifest synchronization for Kubeflow/pipelines and kubeflow/kubeflow

Put here any screenshots or videos (optional)

No response

[juliusvonkohout]

We also need to decide on the jupyterlab example image tags

"One thing i noticed is that since #2781 the example Jupyterlab and vscode images are still on the latest tags. I do not think that this is a blocker since they are example images and it is what is upstream in kubeflow/kubeflow (maybe by mistake). Nevertheless I will create a follow up issue."

[kimwnasptd]

@juliusvonkohout I'm not sure I understand the problem the issue tries to expose.

Is it about the tag used by the example notebook images?

And then what is the problem you expose about the authorization policies?

[juliusvonkohout]

@kimwnasptd we have additional stuff in the upsteam folders from kubeflow/kubeflow and kubeflow/pipelines. This will break on the next synchronization step. See also the comments in #2815. Just try yourself to synchronize with the https://github.com/kubeflow/manifests/blob/master/hack/synchronize-pipelines-manifests.sh and https://github.com/kubeflow/manifests/blob/master/hack/synchronize-kubeflow-manifests.sh and verify that essential stuff is being deleted. For example the requestprincipal in the pipeline autorizationpolicy or the oauth2-proxy overlay for the central dashboard. And all tags for Kubeflow/kubeflow will switch from 1.9.0 to latest.

[kimwnasptd]

Ah I see, so it's about manifest syncing from other repos and not overriding the overlays that are defined then in the manifests repo (?)

I can see 2 ways but let me know which you think is more feasible:

1. Manifests repo doesn't have overlays and those should be handled in the source manifest repos
2. Update the sync scripts to somehow know which folders to not overwrite when copying the manifests from source manifests repos

[juliusvonkohout]

let me merge first #2815 and we should upstream at least the kubeflow/pipelines authorization policy with the requestprincipals as soon as we can.