wip

SeldonIO · Jul 24, 2023 · 1c8aabc · 1c8aabc
1 parent b400ae3
commit 1c8aabc
Show file tree

Hide file tree

Showing 20 changed files with 136 additions and 140 deletions.
diff --git a/ansible/roles/opentelemetry/tasks/install.yaml b/ansible/roles/opentelemetry/tasks/install.yaml
@@ -22,5 +22,5 @@
 - name: "Wait for OpenTelemetry Deployment"
   shell: "kubectl rollout status -n {{ opentelemetry_namespace }} deploy/{{ item }}"
   with_items:
-    - opentelemetry-operator-controller-manager
+    - opentelemetry-operator-v2-controller-manager
   when: opentelemetry_wait_for_deployments | bool
diff --git a/k8s/Makefile b/k8s/Makefile
@@ -20,7 +20,7 @@ create-helm-charts:
 	sed 's/HACK_REMOVE_ME//' ${HELM_SERVERS_BASE}/seldon-v2-servers.yaml \
 		> ${HELM_SERVERS_BASE}/.seldon-v2-servers.yaml
 	sed -zi 's#\(apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole.*\- get\n\-\-\-\)#{{- if .Values.controller.clusterwide -}}\n\1\n{{- end }}#' ${HELM_COMPONENTS_BASE}/seldon-v2-components.yaml
-	sed -zi 's#\(apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding.*ServiceAccount\n  name: seldon-controller-manager\n  namespace:[^-]\{27\}\n\-\-\-\)#{{- if .Values.controller.clusterwide -}}\n\1\n{{- end }}#' ${HELM_COMPONENTS_BASE}/seldon-v2-components.yaml
+	sed -zi 's#\(apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding.*ServiceAccount\n  name: seldon-v2-controller-manager\n  namespace:[^-]\{27\}\n\-\-\-\)#{{- if .Values.controller.clusterwide -}}\n\1\n{{- end }}#' ${HELM_COMPONENTS_BASE}/seldon-v2-components.yaml
 	mv ${HELM_SERVERS_BASE}/.seldon-v2-servers.yaml ${HELM_SERVERS_BASE}/seldon-v2-servers.yaml
 
 .PHONY: create-yaml

diff --git a/k8s/helm-charts/seldon-core-v2-setup/templates/seldon-v2-components.yaml b/k8s/helm-charts/seldon-core-v2-setup/templates/seldon-v2-components.yaml
@@ -1,49 +1,11 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: seldon-controller-manager
+  name: seldon-v2-controller-manager
   namespace: '{{ .Release.Namespace }}'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
-metadata:
-  name: seldon-leader-election-role
-  namespace: '{{ .Release.Namespace }}'
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
   creationTimestamp: null
   name: seldon-manager-role
@@ -393,6 +355,44 @@ rules:
   - list
   - watch
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: seldon-v2-leader-election-role
+  namespace: '{{ .Release.Namespace }}'
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
 {{- if .Values.controller.clusterwide -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -732,43 +732,43 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: seldon-leader-election-rolebinding
+  name: seldon-manager-rolebinding
   namespace: '{{ .Release.Namespace }}'
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: seldon-leader-election-role
+  name: seldon-manager-role
 subjects:
 - kind: ServiceAccount
-  name: seldon-controller-manager
+  name: seldon-v2-controller-manager
   namespace: '{{ .Release.Namespace }}'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: seldon-manager-rolebinding
+  name: seldon-manager-tls-rolebinding
   namespace: '{{ .Release.Namespace }}'
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: seldon-manager-role
+  name: seldon-manager-tls-role
 subjects:
 - kind: ServiceAccount
-  name: seldon-controller-manager
+  name: seldon-v2-controller-manager
   namespace: '{{ .Release.Namespace }}'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: seldon-manager-tls-rolebinding
+  name: seldon-v2-leader-election-rolebinding
   namespace: '{{ .Release.Namespace }}'
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: seldon-manager-tls-role
+  name: seldon-v2-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: seldon-controller-manager
+  name: seldon-v2-controller-manager
   namespace: '{{ .Release.Namespace }}'
 ---
 {{- if .Values.controller.clusterwide -}}
@@ -782,7 +782,7 @@ roleRef:
   name: seldon-manager-role
 subjects:
 - kind: ServiceAccount
-  name: seldon-controller-manager
+  name: seldon-v2-controller-manager
   namespace: '{{ .Release.Namespace }}'
 ---
 {{- end }}
@@ -809,20 +809,20 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    control-plane: controller-manager
-  name: seldon-controller-manager
+    control-plane: v2-controller-manager
+  name: seldon-v2-controller-manager
   namespace: '{{ .Release.Namespace }}'
 spec:
   replicas: 1
   selector:
     matchLabels:
-      control-plane: controller-manager
+      control-plane: v2-controller-manager
   template:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: manager
       labels:
-        control-plane: controller-manager
+        control-plane: v2-controller-manager
     spec:
       containers:
       - args:
@@ -884,7 +884,7 @@ spec:
 {{- end }}
       securityContext: {{- toYaml .Values.controller.securityContext
         | nindent 8 }}
-      serviceAccountName: seldon-controller-manager
+      serviceAccountName: seldon-v2-controller-manager
       terminationGracePeriodSeconds: 10
 ---
 apiVersion: mlops.seldon.io/v1alpha1

diff --git a/k8s/kustomize/helm-components-sc/crd-schema.json b/k8s/kustomize/helm-components-sc/crd-schema.json
@@ -4588,7 +4588,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "signerName": {
-          "description": "signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n  Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n  Requests for this signer can be auto-approved by the \"csrapproving\" controller in kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 3. \"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n  Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.",
+          "description": "signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n  Requests for this signer are never auto-approved by kube-v2-controller-managergeranager, can be issued by the \"csrsigning\" controllerv2-controller-manageranagerller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n  Requests for this signer can be auto-approved by the \"csrapproving\" cv2-controller-managerr-managercontroller-manager, and can be issued by the \"csrsiv2-controller-managerller-managerbe-v2-controller-manager.\n 3. \"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n  Requests for this sigv2-controller-managertroller-manager by kube-v2-controller-manager, and can be issv2-controller-managercontroller-managercontroller-managercontroller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.",
           "type": "string"
         },
         "uid": {

diff --git a/k8s/kustomize/helm-components-sc/kustomization.yaml b/k8s/kustomize/helm-components-sc/kustomization.yaml
@@ -33,7 +33,7 @@ patches:
   target:
     version: v1
     kind: Deployment
-    name: seldon-controller-manager
+    name: seldon-v2-controller-manager
 - path: patch_envoy_json6902.yaml
   target:
     version: v1alpha1

diff --git a/k8s/kustomize/helm-components-sc/patch_controller.yaml b/k8s/kustomize/helm-components-sc/patch_controller.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: seldon-controller-manager
+  name: seldon-v2-controller-manager
 spec:
   template:
     spec:
@@ -20,7 +20,7 @@ spec:
           - name: CLUSTERWIDE
             value: '{{ .Values.controller.clusterwide }}'
           - name: CONTROL_PLANE_SECURITY_PROTOCOL
-            value: '{{ .Values.security.controlplane.protocol }}'            
+            value: '{{ .Values.security.controlplane.protocol }}'
           - name: CONTROL_PLANE_CLIENT_TLS_SECRET_NAME
             value: '{{ .Values.security.controlplane.ssl.client.secret }}'
           - name: CONTROL_PLANE_SERVER_TLS_SECRET_NAME