Overhaul the way we upgrade dev.kubeflow.org

* Don't delete and recreate the ksonnet app. * Use the new upgrade script in kubeflow/kubeflow#1100 * Move creation of secrets into a separate script; there's no reason to recreate them just to update the app. * Add a bunch of fixes in redeploy_app.sh to deal with various issues in the way ks apply works; see comments in code for links to the issues. * Update the docs.
jlewi · Jul 9, 2018 · 26c4c9d · 26c4c9d
1 parent ebc5406
commit 26c4c9d
Show file tree

Hide file tree

Showing 34 changed files with 590 additions and 455 deletions.
diff --git a/dev-kubeflow-org/README.md b/dev-kubeflow-org/README.md
@@ -9,7 +9,7 @@ To upgrade the deployment.
 1. modify `recreate_app.sh` and set the VERSION to the kubeflow RC
    to deploy.
 
-1. Run `recreate_app.sh`
+1. Run `upgrade_app.sh`
 
 1. Run `redeploy_app.sh`
 

diff --git a/dev-kubeflow-org/create_secrets.sh b/dev-kubeflow-org/create_secrets.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# A helper script to create the secrets in the cluster.
+set -ex
+
+NAMESPACE=kubeflow-oauth
+
+if [ ! -d ~/secrets ]; then
+	echo "~/secrets doesn't exist creating it to store client secrents"
+	mkdir -p ~/secrets
+fi
+
+# We store the secret in a bucket to make it easy to share among the team.
+# We rely on IAM to make this secure.
+SECRET_FILE=client_secret_235037502967-9cpmvs4ljbiqb3ojtnhnhlkkd8d562rl.apps.googleusercontent.com.json
+SECRET_BUCKET=kubeflow-dev-secrets
+
+if [ ! -f ~/secrets/${SECRET_FILE} ]; then
+	gsutil cp gs://${SECRET_BUCKET}/${SECRET_FILE} ~/secrets/${SECRET_FILE}
+fi
+
+LOCAL_FILE=~/secrets/${SECRET_FILE}
+CLIENT_ID=`jq -r .web.client_id ${LOCAL_FILE}`
+CLIENT_SECRET=`jq -r .web.client_secret ${LOCAL_FILE}`
+
+SECRET_NAME="kubeflow-oauth"
+
+set +e
+kubectl get secret ${SECRET_NAME}
+exists=$?
+set -e
+
+if [ "${exists}" -eq 0 ]; then
+	kubectl -n ${NAMESPACE} delete secret ${SECRET_NAME}		
+fi
+kubectl -n ${NAMESPACE} create secret generic ${SECRET_NAME} \
+	--from-literal=CLIENT_ID=${CLIENT_ID} --from-literal=CLIENT_SECRET=${CLIENT_SECRET}
diff --git a/dev-kubeflow-org/ks-app/app.yaml b/dev-kubeflow-org/ks-app/app.yaml
@@ -10,32 +10,26 @@ kind: ksonnet.io/app
 libraries:
   core:
     gitVersion:
-      commitSha: 867e74ebcc2002f1f64250e24813db7047fb526f
-      refSpec: 867e74ebcc2002f1f64250e24813db7047fb526f
+      commitSha: 5a11c84deeba9ba57a28182e71437e4426e9f5f0
+      refSpec: master
     name: core
     registry: kubeflow
   katib:
     gitVersion:
-      commitSha: 867e74ebcc2002f1f64250e24813db7047fb526f
-      refSpec: 867e74ebcc2002f1f64250e24813db7047fb526f
+      commitSha: 5a11c84deeba9ba57a28182e71437e4426e9f5f0
+      refSpec: master
     name: katib
     registry: kubeflow
   seldon:
     gitVersion:
-      commitSha: 867e74ebcc2002f1f64250e24813db7047fb526f
-      refSpec: 867e74ebcc2002f1f64250e24813db7047fb526f
+      commitSha: 5a11c84deeba9ba57a28182e71437e4426e9f5f0
+      refSpec: master
     name: seldon
     registry: kubeflow
-  tf-job:
-    gitVersion:
-      commitSha: 867e74ebcc2002f1f64250e24813db7047fb526f
-      refSpec: 867e74ebcc2002f1f64250e24813db7047fb526f
-    name: tf-job
-    registry: kubeflow
   tf-serving:
     gitVersion:
-      commitSha: 867e74ebcc2002f1f64250e24813db7047fb526f
-      refSpec: 867e74ebcc2002f1f64250e24813db7047fb526f
+      commitSha: 5a11c84deeba9ba57a28182e71437e4426e9f5f0
+      refSpec: master
     name: tf-serving
     registry: kubeflow
 name: ks-app
@@ -48,8 +42,8 @@ registries:
     uri: github.com/ksonnet/parts/tree/master/incubator
   kubeflow:
     gitVersion:
-      commitSha: 867e74ebcc2002f1f64250e24813db7047fb526f
-      refSpec: 867e74ebcc2002f1f64250e24813db7047fb526f
+      commitSha: 3b5c7861bdfb8a4f73d583f08d7ca8c9066d9190
+      refSpec: v0.2-branch
     protocol: github
-    uri: github.com/kubeflow/kubeflow/tree/867e74ebcc2002f1f64250e24813db7047fb526f/kubeflow
+    uri: github.com/kubeflow/kubeflow/tree/v0.2-branch/kubeflow
 version: 0.0.1
diff --git a/dev-kubeflow-org/ks-app/components/cert-manager.jsonnet b/dev-kubeflow-org/ks-app/components/cert-manager.jsonnet
@@ -1,5 +1,6 @@
 local env = std.extVar("__ksonnet/environments");
 local params = std.extVar("__ksonnet/params").components["cert-manager"];
+
 local k = import "k.libsonnet";
 local certManager = import "kubeflow/core/cert-manager.libsonnet";
 

diff --git a/dev-kubeflow-org/ks-app/components/iap-ingress.jsonnet b/dev-kubeflow-org/ks-app/components/iap-ingress.jsonnet
@@ -1,5 +1,6 @@
 local env = std.extVar("__ksonnet/environments");
 local params = std.extVar("__ksonnet/params").components["iap-ingress"];
+
 local k = import "k.libsonnet";
 local iap = import "kubeflow/core/iap.libsonnet";
 local util = import "kubeflow/core/util.libsonnet";

diff --git a/dev-kubeflow-org/ks-app/components/katib.jsonnet b/dev-kubeflow-org/ks-app/components/katib.jsonnet
@@ -1,5 +1,6 @@
 local env = std.extVar("__ksonnet/environments");
 local params = std.extVar("__ksonnet/params").components.katib;
+
 local k = import "k.libsonnet";
 
 local vizier = import "kubeflow/katib/vizier.libsonnet";

diff --git a/dev-kubeflow-org/ks-app/components/kubeflow-core.jsonnet b/dev-kubeflow-org/ks-app/components/kubeflow-core.jsonnet
@@ -1,5 +1,6 @@
 local env = std.extVar("__ksonnet/environments");
 local params = std.extVar("__ksonnet/params").components["kubeflow-core"];
+
 local k = import "k.libsonnet";
 local all = import "kubeflow/core/all.libsonnet";
 

diff --git a/dev-kubeflow-org/ks-app/components/params.libsonnet b/dev-kubeflow-org/ks-app/components/params.libsonnet
@@ -1,49 +1,8 @@
 {
-  global: {
-    // User-defined global parameters; accessible to all component and environments, Ex:
-    // replicas: 4,
-  },
+  global: {},
   components: {
     // Component-level parameters, defined initially from 'ks prototype use ...'
     // Each object below should correspond to a component in the components/ directory
-    "kubeflow-core": {
-      cloud: "null",
-      disks: "null",
-      jupyterHubAuthenticator: "iap",
-      jupyterHubImage: "gcr.io/kubeflow/jupyterhub-k8s:1.0.1",
-      jupyterHubServiceType: "ClusterIP",
-      jupyterNotebookPVCMount: "/home/jovyan",
-      jupyterNotebookRegistry: "gcr.io",
-      jupyterNotebookRepoName: "kubeflow-images-public",
-      name: "kubeflow-core",
-      namespace: "null",
-      reportUsage: "true",
-      tfAmbassadorServiceType: "ClusterIP",
-      tfAmbassadorImage: "quay.io/datawire/ambassador:0.30.1",
-      tfDefaultImage: "null",
-      tfJobImage: "gcr.io/kubeflow-images-public/tf_operator:v20180329-a7511ff",
-      tfJobUiServiceType: "ClusterIP",
-      tfJobVersion: "v1alpha1",
-      tfStatsdImage: "quay.io/datawire/statsd:0.30.1",
-      usageId: "f85740a3-5f60-4146-91b6-2ab7089cf01c",
-    },
-    "cert-manager": {
-      acmeEmail: "[email protected]",
-      acmeUrl: "https://acme-v01.api.letsencrypt.org/directory",
-      name: "cert-manager",
-      namespace: "null",
-    },
-    "iap-ingress": {
-      disableJwtChecking: "false",
-      envoyImage: "gcr.io/kubeflow-images-public/envoy:v20180309-0fb4886b463698702b6a08955045731903a18738",
-      hostname: "dev.kubeflow.org",
-      ipName: "kubeflow-tf-hub",
-      issuer: "letsencrypt-prod",
-      name: "iap-ingress",
-      namespace: "kubeflow",
-      oauthSecretName: "kubeflow-oauth",
-      secretName: "envoy-ingress-tls",
-    },
     seldon: {
       apifeImage: "seldonio/apife:0.1.5",
       apifeServiceType: "NodePort",
@@ -74,14 +33,53 @@
       // Need node port to expose it via ingress.
       type: "NodePort",
     },
+    "kubeflow-core": {
+      AmbassadorImage: "quay.io/datawire/ambassador:0.30.1",
+      AmbassadorServiceType: "ClusterIP",
+      StatsdImage: "quay.io/datawire/statsd:0.30.1",
+      centralUiImage: "gcr.io/kubeflow-images-public/centraldashboard:v20180618-v0.2.0-rc.0-5-g715aafc8-e3b0c4",
+      cloud: "null",
+      disks: "null",
+      jupyterHubAuthenticator: "iap",
+      jupyterHubImage: "gcr.io/kubeflow/jupyterhub-k8s:v20180531-3bb991b1",
+      jupyterHubServiceType: "ClusterIP",
+      jupyterNotebookPVCMount: "null",
+      jupyterNotebookRegistry: "gcr.io",
+      jupyterNotebookRepoName: "kubeflow-images-public",
+      name: "kubeflow-core",
+      namespace: "null",
+      reportUsage: true,
+      tfDefaultImage: "null",
+      tfJobImage: "gcr.io/kubeflow-images-public/tf_operator:v0.2.0",
+      tfJobUiServiceType: "ClusterIP",
+      tfJobVersion: "v1alpha2",
+      usageId: "f85740a3-5f60-4146-91b6-2ab7089cf01c",
+    },
+    "cert-manager": {
+      acmeEmail: "[email protected]",
+      acmeUrl: "https://acme-v01.api.letsencrypt.org/directory",
+      name: "cert-manager",
+      namespace: "null",
+    },
+    "iap-ingress": {
+      disableJwtChecking: "false",
+      envoyImage: "gcr.io/kubeflow-images-public/envoy:v20180309-0fb4886b463698702b6a08955045731903a18738",
+      hostname: "dev.kubeflow.org",
+      ipName: "kubeflow-tf-hub",
+      issuer: "letsencrypt-prod",
+      name: "iap-ingress",
+      namespace: "kubeflow",
+      oauthSecretName: "kubeflow-oauth",
+      secretName: "envoy-ingress-tls",
+    },
     katib: {
       modeldbDatabaseImage: "mongo:3.4",
-      modeldbFrontendImage: "katib/katib-frontend",
-      modeldbImage: "mitdbg/modeldb-backend:latest",
+      modeldbFrontendImage: "gcr.io/kubeflow-images-public/katib-frontend:v0.2.0",
+      modeldbImage: "gcr.io/kubeflow-images-public/modeldb-backend:v0.2.0",
       name: "katib",
-      suggestionGridImage: "katib/suggestion-grid",
-      suggestionRandomImage: "katib/suggestion-random",
-      vizierCoreImage: "katib/vizier-core",
+      suggestionGridImage: "gcr.io/kubeflow-images-public/katib-suggestion-grid:v0.2.0",
+      suggestionRandomImage: "gcr.io/kubeflow-images-public/katib-suggestion-random:v0.2.0",
+      vizierCoreImage: "gcr.io/kubeflow-images-public/katib-vizier-core:v0.2.0",
       vizierDbImage: "mysql:8.0.3",
     },
   },

diff --git a/dev-kubeflow-org/ks-app/vendor/kubeflow/core/ambassador.libsonnet b/dev-kubeflow-org/ks-app/vendor/kubeflow/core/ambassador.libsonnet
@@ -1,12 +1,12 @@
 {
   all(params):: [
-    $.parts(params.namespace, params.tfAmbassadorImage).service(params.tfAmbassadorServiceType),
-    $.parts(params.namespace, params.tfAmbassadorImage).adminService,
-    $.parts(params.namespace, params.tfAmbassadorImage).role,
-    $.parts(params.namespace, params.tfAmbassadorImage).serviceAccount,
-    $.parts(params.namespace, params.tfAmbassadorImage).roleBinding,
-    $.parts(params.namespace, params.tfAmbassadorImage).deploy(params.tfStatsdImage),
-    $.parts(params.namespace, params.tfAmbassadorImage).k8sDashboard(params.cloud),
+    $.parts(params.namespace, params.AmbassadorImage).service(params.AmbassadorServiceType),
+    $.parts(params.namespace, params.AmbassadorImage).adminService,
+    $.parts(params.namespace, params.AmbassadorImage).role,
+    $.parts(params.namespace, params.AmbassadorImage).serviceAccount,
+    $.parts(params.namespace, params.AmbassadorImage).roleBinding,
+    $.parts(params.namespace, params.AmbassadorImage).deploy(params.StatsdImage),
+    $.parts(params.namespace, params.AmbassadorImage).k8sDashboard(params.cloud),
   ],
 
   parts(namespace, ambassadorImage):: {

diff --git a/dev-kubeflow-org/ks-app/vendor/kubeflow/core/centraldashboard.libsonnet b/dev-kubeflow-org/ks-app/vendor/kubeflow/core/centraldashboard.libsonnet
@@ -6,7 +6,7 @@
   // We need to build and publish central UI docker image as part of our release process.
 
   all(params):: [
-    $.parts(params.namespace).deployUi,
+    $.parts(params.namespace).deployUi(params.centralUiImage),
     $.parts(params.namespace).uiService,
     $.parts(params.namespace).uiServiceAccount,
     $.parts(params.namespace).uiRole,
@@ -15,7 +15,7 @@
 
   parts(namespace):: {
 
-    deployUi:: {
+    deployUi(centralUiImage):: {
       apiVersion: "extensions/v1beta1",
       kind: "Deployment",
       metadata: {
@@ -35,7 +35,7 @@
           spec: {
             containers: [
               {
-                image: "gcr.io/kubeflow-images-public/centraldashboard:latest",
+                image: centralUiImage,
                 name: "centraldashboard",
                 ports: [
                   {

diff --git a/dev-kubeflow-org/ks-app/vendor/kubeflow/core/echo-server.libsonnet b/dev-kubeflow-org/ks-app/vendor/kubeflow/core/echo-server.libsonnet
@@ -0,0 +1,79 @@
+{
+  service(namespace, name):: {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      labels: {
+        app: name,
+      },
+      name: name,
+      namespace: namespace,
+      annotations: {
+        "getambassador.io/config":
+          std.join("\n", [
+            "---",
+            "apiVersion: ambassador/v0",
+            "kind:  Mapping",
+            "name: " + name + "-mapping",
+            "prefix: /" + name,
+            "rewrite: /",
+            "service: " + name + "." + namespace,
+          ]),
+      },  //annotations
+    },
+    spec: {
+      ports: [
+        {
+          port: 80,
+          targetPort: 8080,
+        },
+      ],
+      selector: {
+        app: name,
+      },
+      type: "ClusterIP",
+    },
+  },
+
+  deploy(namespace, name, image):: {
+    apiVersion: "extensions/v1beta1",
+    kind: "Deployment",
+    metadata: {
+      name: name,
+      namespace: namespace,
+
+    },
+    spec: {
+      replicas: 1,
+      template: {
+        metadata: {
+          labels: {
+            app: name,
+          },
+        },
+        spec: {
+          containers: [
+            {
+              image: image,
+              name: "app",
+              ports: [
+                {
+                  containerPort: 8080,
+                },
+              ],
+
+              readinessProbe: {
+                httpGet: {
+                  path: "/headers",
+                  port: 8080,
+                },
+                initialDelaySeconds: 5,
+                periodSeconds: 30,
+              },
+            },
+          ],
+        },
+      },
+    },
+  },
+}