deployKF - 0.1.4
Upgrade Notes
- There will be some downtime for Kubeflow Pipelines and users will be forced to re-authenticate.
- You MUST sync with pruning enabled, as we have changed a number of resources.
  - If you are using our automated ArgoCD Sync Script:
    - Update to the latest script version, found in the main branch.
    - Ensure you respond "yes" to all "Do you want to sync with PRUNING enabled?" prompts.
  - To prevent the need to sync twice, please manually delete this ClusterPolicy using the following command BEFORE syncing: kubectl delete clusterpolicy "kubeflow-pipelines--generate-profile-resources"
    - (otherwise, the first sync will time-out waiting for kf-tools--pipelines to be healthy)
Important Notes
- We no longer use Kyverno to generate resources in each profile for Kubeflow Pipelines. We now include these resources directly based on your profile values, because Kyverno does not scale well for large numbers of profiles. However, we still use Kyverno for cloning Secrets across namespaces, triggering restarts of Deployments, and a few other things.
- We have resolved the compatibility issues with Azure AKS. To enable the Azure-specific fixes, please set the kubernetes.azure.admissionsEnforcerFix value to true.
- There have been significant changes to how authentication is implemented. These changes should allow you to bring your own Istio Gateway Deployment (Pods) without having other services end up behind deployKF's authentication system. However, please note that deployKF still manages its own Gateway Resource (CRD).
- For those experiencing "route not found" issues when using an external proxy to terminate TLS, you can now disable "SNI Matching" on the Istio Gateway by setting the deploykf_core.deploykf_istio_gateway.gateway.tls.matchSNI value to false.
What's Changed
Significant Changes
- feat: allow other istio gateways on ingress deployment by @thesuperzapper in #66
- feat: allow disabling SNI matching on gateway by @thesuperzapper in #83
- fix: issues preventing deployment on Azure AKS by @thesuperzapper in #85
- improve: stop using kyverno to provision kfp profile resources by @thesuperzapper in #102
New Features
- feat: disable default plugins and resource-quotas in specific profiles by @thesuperzapper in #67
- feat: allow custom external service ports by @thesuperzapper in #82
- feat: allow disabling HTTPS redirect by @thesuperzapper in #86
- feat: add pod-labels value for cert-manager controller by @thesuperzapper in #88
- feat: optional sign-in page to stop background request CSRF accumulation by @thesuperzapper in #100
Improvements
- improve: use __Secure- cookie prefix and remove domains config by @thesuperzapper in #87
- improve: increase kyverno resource limits and add values by @thesuperzapper in #93
- improve: use CRD-level "replace" for kyverno ArgoCD app by @thesuperzapper in #94
- improve: argocd sync script should only wait for app health once by @thesuperzapper in #104
Bug Fixes
- fix: prevent kyverno log spam on missing generate context by @thesuperzapper in #54
- fix: rstudio logo format for non-chrome browsers by @thesuperzapper in #56
- fix: using AWS IRSA with Kubeflow Pipelines by @thesuperzapper in #79
- fix: use 307 status for HTTP redirects by @thesuperzapper in #81
- fix: proxy protocol envoyfilter for istio gateway by @thesuperzapper in #80
- fix: disallow out-of-band KFP audience when disabled by @thesuperzapper in #89
- fix: support kyverno chart changes (but keep kyverno version) by @thesuperzapper in #92
- fix: annotate cloned imagePullSecrets to be ignored by ArgoCD by @dkhachyan in #90
- fix: add background filter to restart trigger policies by @thesuperzapper in #95
- fix: prevent CSRF cookie accumulation on auth expiry by @thesuperzapper in #99
Documentation
- docs: update example ArgoCD to 2.9.6 by @thesuperzapper in #91
New Contributors
- @dkhachyan made their first contribution in #90
Full Changelog: v0.1.3...v0.1.4