Pod Webhook deployment & Doc (#857)

* update tutorials header text (#841) * update tutorials header text Signed-off-by: cosmicBboy <[email protected]> * add 1 * remove 1 Co-authored-by: SandraGH5 <[email protected]> Signed-off-by: Haytham Abuelfutuh <[email protected]> * Update run_on_flyte.rst (#846) * Update run_on_flyte.rst * Update run_on_flyte.rst Signed-off-by: Haytham Abuelfutuh <[email protected]> * Add webhook deployment Signed-off-by: Haytham Abuelfutuh <[email protected]> * update Signed-off-by: Haytham Abuelfutuh <[email protected]> * add webhook deployment Signed-off-by: Haytham Abuelfutuh <[email protected]> * Add webhook deployment Signed-off-by: Haytham Abuelfutuh <[email protected]> * update Signed-off-by: Haytham Abuelfutuh <[email protected]> * regen Signed-off-by: Haytham Abuelfutuh <[email protected]> * Deploy sample secret Signed-off-by: Haytham Abuelfutuh <[email protected]> * Add doc for secrets Signed-off-by: Haytham Abuelfutuh <[email protected]> * Update secrets.rst Signed-off-by: Haytham Abuelfutuh <[email protected]> * limit permissions Signed-off-by: Haytham Abuelfutuh <[email protected]> * plural Signed-off-by: Haytham Abuelfutuh <[email protected]> * Update docs Signed-off-by: Haytham Abuelfutuh <[email protected]> Co-authored-by: Niels Bantilan <[email protected]> Co-authored-by: SandraGH5 <[email protected]> Co-authored-by: SandraGH5 <[email protected]>
flyteorg · Mar 24, 2021 · a8c01e5 · a8c01e5
1 parent b6f3d16
commit a8c01e5
Show file tree

Hide file tree

Showing 18 changed files with 978 additions and 75 deletions.
diff --git a/deployment/eks/flyte_generated.yaml b/deployment/eks/flyte_generated.yaml
@@ -7610,6 +7610,12 @@ metadata:
 ---
 apiVersion: v1
 kind: ServiceAccount
+metadata:
+  name: flyte-pod-webhook
+  namespace: flyte
+---
+apiVersion: v1
+kind: ServiceAccount
 metadata:
   annotations:
     eks.amazonaws.com/role-arn: arn:aws:iam::111222333456:role/flyte-operator
@@ -7641,6 +7647,24 @@ metadata:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  name: flyte-pod-webhook
+  namespace: flyte
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - mutatingwebhookconfigurations
+  - secrets
+  - pods
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   name: flyteadmin
   namespace: flyte
@@ -7892,6 +7916,20 @@ rules:
   verbs:
   - '*'
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: flyte-pod-webhook
+  namespace: flyte
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flyte-pod-webhook
+subjects:
+- kind: ServiceAccount
+  name: flyte-pod-webhook
+  namespace: flyte
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@@ -8391,6 +8429,22 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  annotations:
+    projectcontour.io/upstream-protocol.h2c: grpc
+  name: flyte-pod-webhook
+  namespace: flyte
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app: flyte-pod-webhook
+---
+apiVersion: v1
+kind: Service
 metadata:
   annotations:
     external-dns.alpha.kubernetes.io/hostname: flyteadmin.subdomain.mydomain.com
@@ -8577,6 +8631,63 @@ spec:
 ---
 apiVersion: apps/v1
 kind: Deployment
+metadata:
+  labels:
+    app: flyte-pod-webhook
+  name: flyte-pod-webhook
+  namespace: flyte
+spec:
+  selector:
+    matchLabels:
+      app: flyte-pod-webhook
+  template:
+    metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "10254"
+        prometheus.io/scrape: "true"
+      labels:
+        app: flyte-pod-webhook
+        app.kubernetes.io/name: flyte-pod-webhook
+        app.kubernetes.io/version: 0.5.13
+    spec:
+      containers:
+      - args:
+        - webhook
+        - --config
+        - /etc/flyte/config/*.yaml
+        command:
+        - flytepropeller
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: ghcr.io/flyteorg/flytepropeller:v0.7.8
+        imagePullPolicy: IfNotPresent
+        name: webhook
+        volumeMounts:
+        - mountPath: /etc/flyte/config
+          name: config-volume
+          readOnly: true
+        - mountPath: /etc/webhook/certs
+          name: webhook-certs
+          readOnly: true
+      serviceAccountName: flyte-pod-webhook
+      volumes:
+      - configMap:
+          name: flyte-propeller-config-ct29cf4cch
+        name: config-volume
+      - name: webhook-certs
+        secret:
+          secretName: flyte-pod-webhook
+---
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   labels:
     app: flyteadmin
@@ -8604,7 +8715,7 @@ spec:
         - --config
         - /etc/flyte/config/*.yaml
         - serve
-        image: ghcr.io/flyteorg/flyteadmin:v0.3.38
+        image: ghcr.io/flyteorg/flyteadmin:v0.4.0
         imagePullPolicy: IfNotPresent
         name: flyteadmin
         ports:
@@ -8649,7 +8760,7 @@ spec:
         - /etc/flyte/config/*.yaml
         - migrate
         - run
-        image: ghcr.io/flyteorg/flyteadmin:v0.3.38
+        image: ghcr.io/flyteorg/flyteadmin:v0.4.0
         imagePullPolicy: IfNotPresent
         name: run-migrations
         volumeMounts:
@@ -8666,7 +8777,7 @@ spec:
         - flytesnacks
         - flytetester
         - flyteexamples
-        image: ghcr.io/flyteorg/flyteadmin:v0.3.38
+        image: ghcr.io/flyteorg/flyteadmin:v0.4.0
         imagePullPolicy: IfNotPresent
         name: seed-projects
         volumeMounts:
@@ -8680,7 +8791,7 @@ spec:
         - /etc/flyte/config/*.yaml
         - clusterresource
         - sync
-        image: ghcr.io/flyteorg/flyteadmin:v0.3.38
+        image: ghcr.io/flyteorg/flyteadmin:v0.4.0
         imagePullPolicy: IfNotPresent
         name: sync-cluster-resources
         volumeMounts:
@@ -8771,7 +8882,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/flyteorg/flytepropeller:v0.7.1
+        image: ghcr.io/flyteorg/flytepropeller:v0.7.8
         imagePullPolicy: IfNotPresent
         name: flytepropeller
         ports:
@@ -8958,7 +9069,7 @@ spec:
             - /etc/flyte/config/*.yaml
             - clusterresource
             - sync
-            image: ghcr.io/flyteorg/flyteadmin:v0.3.38
+            image: ghcr.io/flyteorg/flyteadmin:v0.4.0
             imagePullPolicy: IfNotPresent
             name: sync-cluster-resources
             volumeMounts:
@@ -8984,6 +9095,46 @@ spec:
 ---
 apiVersion: batch/v1
 kind: Job
+metadata:
+  name: flyte-pod-webhook-secret
+  namespace: flyte
+spec:
+  backoffLimit: 3
+  template:
+    spec:
+      containers:
+      - args:
+        - webhook
+        - init-certs
+        - --config
+        - /etc/flyte/config/*.yaml
+        command:
+        - flytepropeller
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: ghcr.io/flyteorg/flytepropeller:v0.7.8
+        imagePullPolicy: IfNotPresent
+        name: webhook
+        volumeMounts:
+        - mountPath: /etc/flyte/config
+          name: config-volume
+      restartPolicy: Never
+      serviceAccountName: flyte-pod-webhook
+      volumes:
+      - configMap:
+          name: flyte-propeller-config-ct29cf4cch
+        name: config-volume
+  ttlSecondsAfterFinished: 0
+---
+apiVersion: batch/v1
+kind: Job
 metadata:
   labels:
     app.kubernetes.io/name: sparkoperator