[pipelines-v2] Support configurable minio and existing db secret (#1119)

Author: liranbg

stable/pipelines-v2/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 appVersion: ">=2.5.0"
-version: 0.12.0
+version: 0.12.1
 name: pipelines-v2
 description: Kubeflow pipelines framework for machine learning
 home: https://www.kubeflow.org/

stable/pipelines-v2/templates/_helpers.tpl

@@ -19,4 +19,48 @@ app: {{ include "pipelines.name" . }}
 chart: {{ include "pipelines.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Define mino storage secret name
+*/}}
+{{- define "pipelines.minioStorageSecretName" -}}
+{{- if .Values.storageMode.minio.existingSecretName -}}
+{{- .Values.storageMode.minio.existingSecretName -}}
+{{- else -}}
+{{- "mlpipeline-minio-artifact" -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Define access key name for the minio secret
+*/}}
+{{- define "pipelines.minioAccessKeyName" -}}
+{{- if .Values.storageMode.minio.accessKeyName -}}
+{{- .Values.storageMode.minio.accessKeyName -}}
+{{- else -}}
+{{- "accesskey" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define secret key name for the minio secret
+*/}}
+{{- define "pipelines.minioSecretKeyName" -}}
+{{- if .Values.storageMode.minio.secretKeyName -}}
+{{- .Values.storageMode.minio.secretKeyName -}}
+{{- else -}}
+{{- "secretkey" -}}
+{{- end -}}
+{{- end -}}
+
+
+# define mysql secret name or use existing secret
+{{- define "pipelines.dbSecretName" -}}
+{{- if .Values.db.existingSecretName -}}
+{{- .Values.db.existingSecretName -}}
+{{- else -}}
+{{- "mysql-kf-secret" -}}
+{{- end -}}
+{{- end -}}

stable/pipelines-v2/templates/argo/workflow-controller-configmap.yaml

@@ -21,11 +21,11 @@ data:                      # "config: |" key is optional in 2.7+!
       bucket: {{ .Values.storageMode.minio.defaultBucket }}
       insecure: true
       accessKeySecret:
-        name: mlpipeline-minio-artifact
-        key: accesskey
+        name: {{ include "pipelines.minioStorageSecretName" . }}
+        key: {{ include "pipelines.minioAccessKeyName" . }}
       secretKeySecret:
-        name: mlpipeline-minio-artifact
-        key: secretkey
+        name: {{ include "pipelines.minioStorageSecretName" . }}
+        key: {{ include "pipelines.minioSecretKeyName" . }}
 
 {{- else if eq .Values.storageMode.kind "v3io" }}
 data:

stable/pipelines-v2/templates/metadata/grpc-deployment.yaml

@@ -16,17 +16,17 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/mysql-kf-secret: {{ (lookup "v1" "Secret" .Release.Namespace "mysql-kf-secret").data | default dict | toJson | sha256sum }}
+        checksum/{{ include "pipelines.dbSecretName" . }}: {{ (lookup "v1" "Secret" .Release.Namespace (include "pipelines.dbSecretName" .)).data | default dict | toJson | sha256sum }}
       labels:
         component: metadata-grpc-server
 {{ include "pipelines.commonLabels" . | indent 8 }}
     spec:
       volumes:
         - name: mysql-cnf
           emptyDir: {}
-        - name: mysql-kf-secret
+        - name: {{ include "pipelines.dbSecretName" . }}
           secret:
-            secretName: mysql-kf-secret
+            secretName: {{ include "pipelines.dbSecretName" . }}
       initContainers:
         - name: init-mysql-cnf
           image: {{ .Values.images.busybox.repository }}:{{ .Values.images.busybox.tag }}
@@ -35,21 +35,21 @@ spec:
             - -c
             - |
               echo "[client]" > /config/mysql.cnf
-              echo "user=$(cat /mysql-kf-secret/username)" >> /config/mysql.cnf
-              echo "password=$(cat /mysql-kf-secret/password)" >> /config/mysql.cnf
+              echo "user=$(cat /mysql-secret/username)" >> /config/mysql.cnf
+              echo "password=$(cat /mysql-secret/password)" >> /config/mysql.cnf
               echo "host=mysql-kf" >> /config/mysql.cnf
           volumeMounts:
             - name: mysql-cnf
               mountPath: /config
-            - name: mysql-kf-secret
-              mountPath: /mysql-kf-secret
+            - name: {{ include "pipelines.dbSecretName" . }}
+              mountPath: /mysql-secret
               readOnly: true
         - name: metadata-init
           env:
             - name: DBCONFIG_USER
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: username
             - name: MYSQL_DATABASE
               valueFrom:
@@ -110,12 +110,12 @@ spec:
             - name: DBCONFIG_USER
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: username
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: password
 
           command: [ "/bin/metadata_store_server" ]

stable/pipelines-v2/templates/ml-pipeline/apiserver/deployment.yaml

@@ -19,7 +19,7 @@ spec:
 {{ include "pipelines.commonLabels" . | indent 8 }}
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
-        checksum/mysql-kf-secret: {{ (lookup "v1" "Secret" .Release.Namespace "mysql-kf-secret").data | default dict | toJson | sha256sum }}
+        checksum/{{ include "pipelines.dbSecretName" . }}: {{ (lookup "v1" "Secret" .Release.Namespace (include "pipelines.dbSecretName" .)).data | default dict | toJson | sha256sum }}
     spec:
       containers:
         - name: ml-pipeline-api-server
@@ -33,28 +33,28 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
             - name: OBJECTSTORECONFIG_SECURE
-              value: "false"
+              value: {{ .Values.storageMode.useTLS | default false | quote }}
 
             # -------- DB config (shared for v3io / minio) --------
             - name: DBCONFIG_USER
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: username
             - name: DBCONFIG_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: password
             - name: DBCONFIG_MYSQLCONFIG_USER
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: username
             - name: DBCONFIG_MYSQLCONFIG_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: password
             - name: DBCONFIG_MYSQLCONFIG_HOST
               value: mysql-kf
@@ -65,13 +65,13 @@ spec:
             - name: OBJECTSTORECONFIG_ACCESSKEY
               valueFrom:
                 secretKeyRef:
-                  name: mlpipeline-minio-artifact
-                  key: accesskey
+                  name: {{ include "pipelines.minioStorageSecretName" . }}
+                  key: {{ include "pipelines.minioAccessKeyName" . }}
             - name: OBJECTSTORECONFIG_SECRETACCESSKEY
               valueFrom:
                 secretKeyRef:
-                  name: mlpipeline-minio-artifact
-                  key: secretkey
+                  name: {{ include "pipelines.minioStorageSecretName" . }}
+                  key: {{ include "pipelines.minioSecretKeyName" . }}
             - name: OBJECTSTORECONFIG_BUCKETNAME
               valueFrom:
                 configMapKeyRef:

stable/pipelines-v2/templates/ml-pipeline/minio/mlpipeline-minio-artifact.yaml

@@ -1,13 +1,13 @@
-{{- if eq .Values.storageMode.kind "minio" }}
+{{- if and (not .Values.storageMode.minio.existingSecretName) (eq .Values.storageMode.kind "minio") }}
 apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
   labels:
     app: pipelines
-  name: mlpipeline-minio-artifact
+  name: {{ include "pipelines.minioStorageSecretName" . }}
   namespace: {{ .Release.Namespace }}
 data:
-  accesskey: {{ .Values.storageMode.minio.accessKey | b64enc }}
-  secretkey: {{ .Values.storageMode.minio.secretKey | b64enc }}
+  {{ include "pipelines.minioAccessKeyName" . }}: {{ .Values.storageMode.minio.accessKey | b64enc }}
+  {{ include "pipelines.minioSecretKeyName" . }}: {{ .Values.storageMode.minio.secretKey | b64enc }}
 {{- end -}}

stable/pipelines-v2/templates/ml-pipeline/ui/deployment.yaml

@@ -75,13 +75,13 @@ spec:
             - name: AWS_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
-                  name: mlpipeline-minio-artifact
-                  key: accesskey
+                  name: {{ include "pipelines.minioStorageSecretName" . }}
+                  key: {{ include "pipelines.minioAccessKeyName" . }}
             - name: AWS_SECRET_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
-                  name: mlpipeline-minio-artifact
-                  key: secretkey
+                  name: {{ include "pipelines.minioStorageSecretName" . }}
+                  key: {{ include "pipelines.minioSecretKeyName" . }}
             {{- end }}
 
             - name: DISABLE_GKE_METADATA

stable/pipelines-v2/templates/mysql/deployment.yaml

@@ -17,7 +17,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/mysql-kf-secret: {{ (lookup "v1" "Secret" .Release.Namespace "mysql-kf-secret").data | default dict | toJson | sha256sum }}
+        checksum/{{ include "pipelines.dbSecretName" . }}: {{ (lookup "v1" "Secret" .Release.Namespace (include "pipelines.dbSecretName" .)).data | default dict | toJson | sha256sum }}
       labels:
         component: mysql-kf
 {{ include "pipelines.commonLabels" . | indent 8 }}
@@ -29,9 +29,9 @@ spec:
         - name: mysql-init-scripts
           configMap:
             name: mysql-kf
-        - name: mysql-kf-secret
+        - name: {{ include "pipelines.dbSecretName" . }}
           secret:
-            secretName: mysql-kf-secret
+            secretName: {{ include "pipelines.dbSecretName" . }}
             items:
               - key: mysql.cnf
                 path: mysql.cnf
@@ -87,7 +87,7 @@ spec:
               mountPath: /etc/config/mysql/init-scripts
             - name: dump-volume
               mountPath: /dump
-            - name: mysql-kf-secret
+            - name: {{ include "pipelines.dbSecretName" . }}
               mountPath: /run/secrets/mysql
               readOnly: true
 
@@ -101,12 +101,12 @@ spec:
             - name: DB_USER
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: username
             - name: MYSQL_PWD
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: password
           volumeMounts:
             - name: mysql-fuse
@@ -115,7 +115,7 @@ spec:
               mountPath: /etc/config/mysql/init-scripts
             - name: dump-volume
               mountPath: /dump
-            - name: mysql-kf-secret
+            - name: {{ include "pipelines.dbSecretName" . }}
               mountPath: /run/secrets/mysql
               readOnly: true
       {{- end }}
@@ -149,19 +149,19 @@ spec:
             - name: DB_USER
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: username
             - name: MYSQL_PWD
               valueFrom:
                 secretKeyRef:
-                  name: mysql-kf-secret
+                  name: {{ include "pipelines.dbSecretName" . }}
                   key: password
           volumeMounts:
             - name: mysql-fuse
               mountPath: "/var/lib/mysql"
             - name: mysql-init-scripts
               mountPath: /etc/config/mysql/init-scripts
-            - name: mysql-kf-secret
+            - name: {{ include "pipelines.dbSecretName" . }}
               mountPath: /run/secrets/mysql
               readOnly: true
           resources:

stable/pipelines-v2/templates/mysql/secret.yaml

@@ -1,8 +1,12 @@
+{{- if .Values.deployment.create }}
+{{/* Only create if db existing name was not provided */}}
+{{- if not .Values.db.existingSecretName }}
+
 {{- $password := randAlphaNum 16 }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: mysql-kf-secret
+  name: {{ include "pipelines.dbSecretName" . }}
 type: Opaque
 stringData:
   username: "kubeflow"
@@ -11,3 +15,5 @@ stringData:
     [client]
     user=kubeflow
     password={{ $password }}
+{{- end }}
+{{- end }}

stable/pipelines-v2/values.yaml

@@ -169,19 +169,39 @@ priorityClassName: ""
 #   kind: v3io | minio
 # -------------------------------------------------------------------
 storageMode:
-  kind: v3io        # default; set to "minio" to switch
-
+  # default; set to "minio" to switch
+  kind: v3io
+  useTLS: false
   minio:
     serviceHost: minio.{{ .Release.Namespace }}.svc
     servicePort: 9000
     defaultBucket: mlrun
     accessKey: console
     secretKey: console123
 
+
+    # uncomment to use an existing secret
+    # existingSecretName: ""
+
+    # field names for the secret
+    accessKeyName: accesskey
+    secretKeyName: secretkey
+
 # -------------------------------------------------------------------
-# MySQL pod security
+# MySQL pod
 # -------------------------------------------------------------------
 db:
+
+  # contains the secret name for the mysql credentials in a format of
+  # stringData:
+  #    username: "kubeflow"
+  #    password: "{{ $password }}"
+  #    mysql.cnf: |
+  #      [client]
+  #      user=kubeflow
+  #      password={{ $password }}
+  existingSecretName: ""
+
   podSecurityContext:
     runAsUser: 1001