Kubeflow 1.9 follow up: Upstream our authorizationpolicy and oauth2-proxy changes to kubeflow/pipelines and kubeflow/kubeflow

kubeflow / manifests

A repository for Kustomize manifests

Apache License 2.0

802 stars 866 forks source link

Kubeflow 1.9 follow up: Upstream our authorizationpolicy and oauth2-proxy changes to kubeflow/pipelines and kubeflow/kubeflow #2804

Open juliusvonkohout opened 1 month ago

juliusvonkohout commented 1 month ago

Validation Checklist

[X] Is this a Kubeflow issue?
[X] Are you posting in the right repository ?
[X] Did you follow the installation guide https://github.com/kubeflow/manifests?tab=readme-ov-file ?
[X] Is the issue report properly structured and detailed with version numbers?
[X] Is this for Kubeflow development ?
[X] Would you like to work on this issue?
[X] You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

master

Describe your issue

Follow up of https://github.com/kubeflow/manifests/pull/2795 And https://github.com/kubeflow/manifests/pull/2753

And https://github.com/kubeflow/manifests/pull/2734#issuecomment-2145839700

@kimwnasptd @rimolive

Steps to reproduce the issue

Stuff will break on the next manifest synchronization for Kubeflow/pipelines and kubeflow/kubeflow

Put here any screenshots or videos (optional)

No response

juliusvonkohout commented 1 month ago

We also need to decide on the jupyterlab example image tags

"One thing i noticed is that since https://github.com/kubeflow/manifests/pull/2781 the example Jupyterlab and vscode images are still on the latest tags. I do not think that this is a blocker since they are example images and it is what is upstream in kubeflow/kubeflow (maybe by mistake). Nevertheless I will create a follow up issue."

kimwnasptd commented 1 month ago

@juliusvonkohout I'm not sure I understand the problem the issue tries to expose.

Is it about the tag used by the example notebook images?

And then what is the problem you expose about the authorization policies?

juliusvonkohout commented 1 month ago

@kimwnasptd we have additional stuff in the upsteam folders from kubeflow/kubeflow and kubeflow/pipelines. This will break on the next synchronization step. See also the comments in https://github.com/kubeflow/manifests/pull/2815. Just try yourself to synchronize with the https://github.com/kubeflow/manifests/blob/master/hack/synchronize-pipelines-manifests.sh and https://github.com/kubeflow/manifests/blob/master/hack/synchronize-kubeflow-manifests.sh and verify that essential stuff is being deleted. For example the requestprincipal in the pipeline autorizationpolicy or the oauth2-proxy overlay for the central dashboard. And all tags for Kubeflow/kubeflow will switch from 1.9.0 to latest.

kimwnasptd commented 1 month ago

Ah I see, so it's about manifest syncing from other repos and not overriding the overlays that are defined then in the manifests repo (?)

I can see 2 ways but let me know which you think is more feasible:

Manifests repo doesn't have overlays and those should be handled in the source manifest repos
Update the sync scripts to somehow know which folders to not overwrite when copying the manifests from source manifests repos

juliusvonkohout commented 1 month ago

let me merge first https://github.com/kubeflow/manifests/pull/2815 and we should upstream at least the kubeflow/pipelines authorization policy with the requestprincipals as soon as we can.