kubeflow · k8s-ci-robot · Jul 10, 2020 · Jun 11, 2020 · Jun 11, 2020 · Jun 11, 2020
diff --git a/pipeline/installs/multi-user/istio-authorization-config.yaml b/pipeline/installs/multi-user/istio-authorization-config.yaml
@@ -0,0 +1,120 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+  name: ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  rules:
+  - services:
+    - ml-pipeline-ui.kubeflow.svc.cluster.local
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+  name: ml-pipeline-services
+  namespace: kubeflow
+spec:
+  rules:
+  - services:
+    - ml-pipeline.kubeflow.svc.cluster.local
+    - ml-pipeline-ui.kubeflow.svc.cluster.local
+    - ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
+    - mysql.kubeflow.svc.cluster.local
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+  name: bind-gateway-ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  subjects:
+  - properties:
+      source.namespace: istio-system # gateway
+  roleRef:
+    kind: ServiceRole
+    name: ml-pipeline-ui
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+  name: bind-ml-pipeline-internal
+  namespace: kubeflow
+spec:
+  subjects:
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-ui
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-persistenceagent
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
+  - properties:
+      source.principal: cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+  roleRef:
+    kind: ServiceRole
+    name: ml-pipeline-services
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: DestinationRule
+metadata:
+  name: ml-pipeline-ui
+spec:
+  host: ml-pipeline-ui.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: DestinationRule
+metadata:
+  name: ml-pipeline
+spec:
+  host: ml-pipeline.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: DestinationRule
+metadata:
+  name: ml-pipeline-visualizationserver
+spec:
+  host: ml-pipeline-visualizationserver.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: DestinationRule
+metadata:
+  name: ml-pipeline-mysql
+spec:
+  host: mysql.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+  name: cache-server
+  namespace: kubeflow
+spec:
+  rules:
+  - services:
+    - cache-server.kubeflow.svc.cluster.local
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+  name: bind-cache-server-admission-webhook
+  namespace: kubeflow
+spec:
+  subjects:
+  - user: "*"
+  roleRef:
+    kind: ServiceRole
+    name: cache-server
diff --git a/pipeline/installs/multi-user/kustomization.yaml b/pipeline/installs/multi-user/kustomization.yaml
@@ -11,6 +11,7 @@ resources:
 - persistence-agent
 - cache
 - metadata-writer
+- istio-authorization-config.yaml
 patchesStrategicMerge:
 - api-service/deployment-patch.yaml
 - pipelines-ui/deployment-patch.yaml

diff --git a/pipeline/installs/multi-user/pipelines-profile-controller/params.env b/pipeline/installs/multi-user/pipelines-profile-controller/params.env
@@ -1,3 +1,2 @@
 KFP_VERSION=1.0.0-rc.3
-# TODO: make visualization server work with sidecar
-DISABLE_ISTIO_SIDECAR=true
+DISABLE_ISTIO_SIDECAR=false
diff --git a/pipeline/minio/installs/gcp-pd/kustomization.yaml b/pipeline/minio/installs/gcp-pd/kustomization.yaml
@@ -4,9 +4,8 @@ commonLabels:
   app.kubernetes.io/component: minio
   app.kubernetes.io/name: minio
 resources:
-- ../../../upstream/env/platform-agnostic/minio/
+- ../generic
 - persistent-volume.yaml
-- ../../overlays/application/application.yaml
 patchesStrategicMerge:
 - persistent-volume-claim.yaml
 configMapGenerator:

diff --git a/pipeline/minio/installs/generic/deployment-patch.yaml b/pipeline/minio/installs/generic/deployment-patch.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: minio
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
diff --git a/pipeline/minio/installs/generic/kustomization.yaml b/pipeline/minio/installs/generic/kustomization.yaml
@@ -6,3 +6,5 @@ commonLabels:
 resources:
 - ../../../upstream/env/platform-agnostic/minio/
 - ../../overlays/application/application.yaml
+patchesStrategicMerge:
+- deployment-patch.yaml
diff --git a/pipeline/minio/installs/ibm/kustomization.yaml b/pipeline/minio/installs/ibm/kustomization.yaml
@@ -4,8 +4,7 @@ commonLabels:
   app.kubernetes.io/component: minio
   app.kubernetes.io/name: minio
 resources:
-- ../../../upstream/env/platform-agnostic/minio/
-- ../../overlays/application/application.yaml
+- ../generic
 - persistent-volume-claim.yaml
 patchesStrategicMerge:
 - deployment-patch.yaml

diff --git a/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_minio.yaml b/tests/stacks/examples/alice/test_data/expected/apps_v1_deployment_minio.yaml
@@ -17,6 +17,8 @@ spec:
     type: Recreate
   template:
     metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
       labels:
         app: minio
         app.kubernetes.io/component: minio

diff --git a/tests/stacks/gcp/test_data/expected/apps_v1_deployment_minio.yaml b/tests/stacks/gcp/test_data/expected/apps_v1_deployment_minio.yaml
@@ -17,6 +17,8 @@ spec:
     type: Recreate
   template:
     metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
       labels:
         app: minio
         app.kubernetes.io/component: minio

diff --git a/tests/stacks/generic/test_data/expected/apps_v1_deployment_minio.yaml b/tests/stacks/generic/test_data/expected/apps_v1_deployment_minio.yaml
@@ -17,6 +17,8 @@ spec:
     type: Recreate
   template:
     metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
       labels:
         app: minio
         app.kubernetes.io/component: minio

diff --git a/tests/stacks/ibm/test_data/expected/apps_v1_deployment_minio.yaml b/tests/stacks/ibm/test_data/expected/apps_v1_deployment_minio.yaml
@@ -17,6 +17,8 @@ spec:
     type: Recreate
   template:
     metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
       labels:
         app: minio
         app.kubernetes.io/component: minio