diff --git a/charts/kueue/templates/webhook/service.yaml b/charts/kueue/templates/webhook/service.yaml index 771958ab67..f4997d068b 100644 --- a/charts/kueue/templates/webhook/service.yaml +++ b/charts/kueue/templates/webhook/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "kueue.fullname" . }}-webhook-service + name: '{{ include "kueue.fullname" . }}-webhook-service' namespace: '{{ .Release.Namespace }}' spec: type: {{ .Values.webhookService.type }} diff --git a/charts/kueue/templates/webhook/webhook.yaml b/charts/kueue/templates/webhook/webhook.yaml index 45d1a10439..d674f9ff5b 100644 --- a/charts/kueue/templates/webhook/webhook.yaml +++ b/charts/kueue/templates/webhook/webhook.yaml 
@@ -2,616 +2,639 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: {{ include "kueue.fullname" . }}-mutating-webhook-configuration + name: '{{ include "kueue.fullname" . }}-mutating-webhook-configuration' + {{- if .Values.enableCertManager }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kueue.fullname" . }}-serving-cert + {{- end }} namespace: '{{ .Release.Namespace }}' webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kueue-x-k8s-io-v1beta1-clusterqueue - failurePolicy: Fail - name: mclusterqueue.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - resources: - - clusterqueues - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kueue-x-k8s-io-v1beta1-resourceflavor - failurePolicy: Fail - name: mresourceflavor.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - resources: - - resourceflavors - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kueue-x-k8s-io-v1beta1-workload - failurePolicy: Fail - name: mworkload.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - workloads - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . 
}}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-batch-v1-job - failurePolicy: Fail - name: mjob.kb.io - rules: - - apiGroups: - - batch - apiVersions: - - v1 - operations: - - CREATE - resources: - - jobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-jobset-x-k8s-io-v1alpha2-jobset - failurePolicy: Fail - name: mjobset.kb.io - rules: - - apiGroups: - - jobset.x-k8s.io - apiVersions: - - v1alpha2 - operations: - - CREATE - resources: - - jobsets - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kubeflow-org-v1-mxjob - failurePolicy: Fail - name: mmxjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - resources: - - mxjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kubeflow-org-v1-paddlejob - failurePolicy: Fail - name: mpaddlejob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - resources: - - paddlejobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kubeflow-org-v1-pytorchjob - failurePolicy: Fail - name: mpytorchjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - resources: - - pytorchjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . 
}}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kubeflow-org-v1-tfjob - failurePolicy: Fail - name: mtfjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - resources: - - tfjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kubeflow-org-v1-xgboostjob - failurePolicy: Fail - name: mxgboostjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - resources: - - xgboostjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-kubeflow-org-v2beta1-mpijob - failurePolicy: Fail - name: mmpijob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v2beta1 - operations: - - CREATE - resources: - - mpijobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate-ray-io-v1alpha1-rayjob - failurePolicy: Fail - name: mrayjob.kb.io - rules: - - apiGroups: - - ray.io - apiVersions: - - v1alpha1 - operations: - - CREATE - resources: - - rayjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . 
}}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /mutate--v1-pod - {{- if has "pod" $integrationsConfig.frameworks }} - failurePolicy: Fail - {{- else }} - failurePolicy: Ignore - {{- end }} - name: mpod.kb.io - namespaceSelector: - {{- if and (hasKey $integrationsConfig "podOptions") (hasKey ($integrationsConfig.podOptions) "namespaceSelector") }} - {{- toYaml $integrationsConfig.podOptions.namespaceSelector | nindent 4 -}} + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-batch-v1-job + failurePolicy: Fail + name: mjob.kb.io + rules: + - apiGroups: + - batch + apiVersions: + - v1 + operations: + - CREATE + resources: + - jobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-jobset-x-k8s-io-v1alpha2-jobset + failurePolicy: Fail + name: mjobset.kb.io + rules: + - apiGroups: + - jobset.x-k8s.io + apiVersions: + - v1alpha2 + operations: + - CREATE + resources: + - jobsets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kubeflow-org-v1-mxjob + failurePolicy: Fail + name: mmxjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + resources: + - mxjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . 
}}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kubeflow-org-v1-paddlejob + failurePolicy: Fail + name: mpaddlejob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + resources: + - paddlejobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kubeflow-org-v1-pytorchjob + failurePolicy: Fail + name: mpytorchjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + resources: + - pytorchjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kubeflow-org-v1-tfjob + failurePolicy: Fail + name: mtfjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + resources: + - tfjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kubeflow-org-v1-xgboostjob + failurePolicy: Fail + name: mxgboostjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + resources: + - xgboostjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kubeflow-org-v2beta1-mpijob + failurePolicy: Fail + name: mmpijob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v2beta1 + operations: + - CREATE + resources: + - mpijobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . 
}}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate--v1-pod + {{- if has "pod" $integrationsConfig.frameworks }} + failurePolicy: Fail {{- else }} - matchExpressions: - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - '{{ .Release.Namespace }}' + failurePolicy: Ignore {{- end }} - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None + name: mpod.kb.io + namespaceSelector: + {{- if and (hasKey $integrationsConfig "podOptions") (hasKey ($integrationsConfig.podOptions) "namespaceSelector") }} + {{- toYaml $integrationsConfig.podOptions.namespaceSelector | nindent 4 -}} + {{- else }} + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - '{{ .Release.Namespace }}' + {{- end }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-ray-io-v1-raycluster + failurePolicy: Fail + name: mraycluster.kb.io + rules: + - apiGroups: + - ray.io + apiVersions: + - v1 + operations: + - CREATE + resources: + - rayclusters + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-ray-io-v1alpha1-rayjob + failurePolicy: Fail + name: mrayjob.kb.io + rules: + - apiGroups: + - ray.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - rayjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . 
}}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kueue-x-k8s-io-v1beta1-clusterqueue + failurePolicy: Fail + name: mclusterqueue.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - clusterqueues + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kueue-x-k8s-io-v1beta1-resourceflavor + failurePolicy: Fail + name: mresourceflavor.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - resourceflavors + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-kueue-x-k8s-io-v1beta1-workload + failurePolicy: Fail + name: mworkload.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - workloads + sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - name: {{ include "kueue.fullname" . }}-validating-webhook-configuration + name: '{{ include "kueue.fullname" . }}-validating-webhook-configuration' + {{- if .Values.enableCertManager }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kueue.fullname" . }}-serving-cert + {{- end }} namespace: '{{ .Release.Namespace }}' webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . 
}}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kueue-x-k8s-io-v1beta1-admissioncheck - failurePolicy: Fail - name: vadmissioncheck.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - admissionchecks - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kueue-x-k8s-io-v1beta1-clusterqueue - failurePolicy: Fail - name: vclusterqueue.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - clusterqueues - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kueue-x-k8s-io-v1beta1-localqueue - failurePolicy: Fail - name: vlocalqueue.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - localqueues - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kueue-x-k8s-io-v1beta1-resourceflavor - failurePolicy: Fail - name: vresourceflavor.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - resourceflavors - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . 
}}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kueue-x-k8s-io-v1beta1-workload - failurePolicy: Fail - name: vworkload.kb.io - rules: - - apiGroups: - - kueue.x-k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - workloads - - workloads/status - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-batch-v1-job - failurePolicy: Fail - name: vjob.kb.io - rules: - - apiGroups: - - batch - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - jobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-jobset-x-k8s-io-v1alpha2-jobset - failurePolicy: Fail - name: vjobset.kb.io - rules: - - apiGroups: - - jobset.x-k8s.io - apiVersions: - - v1alpha2 - operations: - - CREATE - - UPDATE - resources: - - jobsets - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kubeflow-org-v1-mxjob - failurePolicy: Fail - name: vmxjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - mxjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kubeflow-org-v1-paddlejob - failurePolicy: Fail - name: vpaddlejob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - paddlejobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . 
}}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kubeflow-org-v1-pytorchjob - failurePolicy: Fail - name: vpytorchjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pytorchjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kubeflow-org-v1-tfjob - failurePolicy: Fail - name: vtfjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - tfjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kubeflow-org-v1-xgboostjob - failurePolicy: Fail - name: vxgboostjob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - xgboostjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-kubeflow-org-v2beta1-mpijob - failurePolicy: Fail - name: vmpijob.kb.io - rules: - - apiGroups: - - kubeflow.org - apiVersions: - - v2beta1 - operations: - - CREATE - - UPDATE - resources: - - mpijobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-ray-io-v1alpha1-rayjob - failurePolicy: Fail - name: vrayjob.kb.io - rules: - - apiGroups: - - ray.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - rayjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . 
}}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate--v1-pod - {{- if has "pod" $integrationsConfig.frameworks }} - failurePolicy: Fail - {{- else }} - failurePolicy: Ignore - {{- end }} - name: vpod.kb.io - namespaceSelector: - {{- if and (hasKey $integrationsConfig "podOptions") (hasKey ($integrationsConfig.podOptions) "namespaceSelector") }} - {{- toYaml $integrationsConfig.podOptions.namespaceSelector | nindent 4 -}} + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-batch-v1-job + failurePolicy: Fail + name: vjob.kb.io + rules: + - apiGroups: + - batch + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - jobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-jobset-x-k8s-io-v1alpha2-jobset + failurePolicy: Fail + name: vjobset.kb.io + rules: + - apiGroups: + - jobset.x-k8s.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - jobsets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kubeflow-org-v1-mxjob + failurePolicy: Fail + name: vmxjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - mxjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . 
}}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kubeflow-org-v1-paddlejob + failurePolicy: Fail + name: vpaddlejob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - paddlejobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kubeflow-org-v1-pytorchjob + failurePolicy: Fail + name: vpytorchjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pytorchjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kubeflow-org-v1-tfjob + failurePolicy: Fail + name: vtfjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - tfjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kubeflow-org-v1-xgboostjob + failurePolicy: Fail + name: vxgboostjob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - xgboostjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kubeflow-org-v2beta1-mpijob + failurePolicy: Fail + name: vmpijob.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - mpijobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . 
}}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate--v1-pod + {{- if has "pod" $integrationsConfig.frameworks }} + failurePolicy: Fail {{- else }} - matchExpressions: - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - '{{ .Release.Namespace }}' + failurePolicy: Ignore {{- end }} - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: '{{ include "kueue.fullname" . }}-webhook-service' - namespace: '{{ .Release.Namespace }}' - path: /validate-ray-io-v1-raycluster - failurePolicy: Fail - name: vraycluster.kb.io - rules: - - apiGroups: - - ray.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - rayclusters - sideEffects: None \ No newline at end of file + name: vpod.kb.io + namespaceSelector: + {{- if and (hasKey $integrationsConfig "podOptions") (hasKey ($integrationsConfig.podOptions) "namespaceSelector") }} + {{- toYaml $integrationsConfig.podOptions.namespaceSelector | nindent 4 -}} + {{- else }} + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - '{{ .Release.Namespace }}' + {{- end }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-ray-io-v1-raycluster + failurePolicy: Fail + name: vraycluster.kb.io + rules: + - apiGroups: + - ray.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - rayclusters + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . 
}}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-ray-io-v1alpha1-rayjob + failurePolicy: Fail + name: vrayjob.kb.io + rules: + - apiGroups: + - ray.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - rayjobs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kueue-x-k8s-io-v1beta1-admissioncheck + failurePolicy: Fail + name: vadmissioncheck.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - admissionchecks + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kueue-x-k8s-io-v1beta1-clusterqueue + failurePolicy: Fail + name: vclusterqueue.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - clusterqueues + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kueue-x-k8s-io-v1beta1-localqueue + failurePolicy: Fail + name: vlocalqueue.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - localqueues + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . 
}}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kueue-x-k8s-io-v1beta1-resourceflavor + failurePolicy: Fail + name: vresourceflavor.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - resourceflavors + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "kueue.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-kueue-x-k8s-io-v1beta1-workload + failurePolicy: Fail + name: vworkload.kb.io + rules: + - apiGroups: + - kueue.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - workloads + - workloads/status + sideEffects: None diff --git a/hack/update-helm.sh b/hack/update-helm.sh index 8f34b747a6..b726593c2f 100755 --- a/hack/update-helm.sh +++ b/hack/update-helm.sh 
@@ -17,24 +17,33 @@ # Set the source and destination directories SRC_CRD_DIR=config/components/crd/bases SRC_RBAC_DIR=config/components/rbac +SRC_WEBHOOK_DIR=config/components/webhook SRC_VISIBILITY_DIR=config/components/visibility DEST_CRD_DIR=charts/kueue/templates/crd DEST_RBAC_DIR=charts/kueue/templates/rbac +DEST_WEBHOOK_DIR=charts/kueue/templates/webhook DEST_VISIBILITY_DIR=charts/kueue/templates/visibility YQ=./bin/yq # Create the destination directory if it doesn't exist -mkdir -p ${DEST_CRD_DIR} ${DEST_RBAC_DIR} ${DEST_VISIBILITY_DIR} +mkdir -p ${DEST_CRD_DIR} ${DEST_RBAC_DIR} ${DEST_WEBHOOK_DIR} ${DEST_VISIBILITY_DIR} # Add more excluded files separated by spaces -EXCLUDE_FILES='kustomization.yaml' +EXCLUDE_FILES='kustomization.yaml kustomizeconfig.yaml' # Copy all YAML files from the source directory to the destination directory cp ${SRC_CRD_DIR}/*.yaml ${DEST_CRD_DIR} -find $SRC_VISIBILITY_DIR -name "*.yaml" $(printf "! -name %s " $EXCLUDE_FILES) -exec cp "{}" $DEST_VISIBILITY_DIR \; find $SRC_RBAC_DIR -name "*.yaml" $(printf "! -name %s " $EXCLUDE_FILES) -exec cp "{}" $DEST_RBAC_DIR \; +find $SRC_WEBHOOK_DIR -name "*.yaml" $(printf "! -name %s " $EXCLUDE_FILES) -exec cp "{}" $DEST_WEBHOOK_DIR \; +find $SRC_VISIBILITY_DIR -name "*.yaml" $(printf "! -name %s " $EXCLUDE_FILES) -exec cp "{}" $DEST_VISIBILITY_DIR \; +$YQ -N -s '.kind' ${DEST_WEBHOOK_DIR}/manifests.yaml +rm ${DEST_WEBHOOK_DIR}/manifests.yaml +files=("MutatingWebhookConfiguration.yml" "ValidatingWebhookConfiguration.yml") +for f in "${files[@]}"; do + mv "$f" ${DEST_WEBHOOK_DIR}/ +done search_cert_line=" annotations:" replace_cert_line=$( 
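Review bot: The `rm ${DEST_WEBHOOK_DIR}/manifests.yaml` line runs whether or not the preceding `$YQ -N -s '.kind'` split produced its two files, and the split writes them into the current working directory before the `mv` loop collects them. Whether the script runs under `set -o errexit` is not visible in this hunk; without it, a failed split would leave the chart with no regenerated webhook configurations while the later steps carry on. Chaining the steps makes the dependency explicit: `$YQ -N -s '.kind' "${DEST_WEBHOOK_DIR}/manifests.yaml" && rm "${DEST_WEBHOOK_DIR}/manifests.yaml"`. The `mv` target should be quoted the same way, `mv "$f" "${DEST_WEBHOOK_DIR}/"`.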
@@ -61,6 +70,79 @@ replace_webhook_line=$( EOF ) +search_service_line="spec:" +replace_service_line=$( + cat <<'EOF' + type: {{ .Values.webhookService.type }} + selector: + control-plane: controller-manager + {{- include "kueue.selectorLabels" . | nindent 4 }} + ports: + {{- .Values.webhookService.ports | toYaml | nindent 2 -}} +EOF +) + +search_webhook_pod_mutate=" path: /mutate--v1-pod" +search_webhook_pod_validate=" path: /validate--v1-pod" +search_mutate_webhook_annotations=' name: '\''{{ include "kueue.fullname" . }}-mutating-webhook-configuration'\''' +search_validate_webhook_annotations=' name: '\''{{ include "kueue.fullname" . }}-validating-webhook-configuration'\''' +add_webhook_line=$( + cat <<'EOF' +{{- $integrationsConfig := (fromYaml .Values.managerConfig.controllerManagerConfigYaml).integrations }} +EOF +) +add_annotations_line=$( + cat <<'EOF' + {{- if .Values.enableCertManager }} + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kueue.fullname" . 
}}-serving-cert + {{- end }} + namespace: '{{ .Release.Namespace }}' +EOF +) +add_webhook_pod_mutate=$( + cat <<'EOF' + {{- if has "pod" $integrationsConfig.frameworks }} + failurePolicy: Fail + {{- else }} + failurePolicy: Ignore + {{- end }} + name: mpod.kb.io + namespaceSelector: + {{- if and (hasKey $integrationsConfig "podOptions") (hasKey ($integrationsConfig.podOptions) "namespaceSelector") }} + {{- toYaml $integrationsConfig.podOptions.namespaceSelector | nindent 4 -}} + {{- else }} + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - '{{ .Release.Namespace }}' + {{- end }} +EOF +) +add_webhook_pod_validate=$( + cat <<'EOF' + {{- if has "pod" $integrationsConfig.frameworks }} + failurePolicy: Fail + {{- else }} + failurePolicy: Ignore + {{- end }} + name: vpod.kb.io + namespaceSelector: + {{- if and (hasKey $integrationsConfig "podOptions") (hasKey ($integrationsConfig.podOptions) "namespaceSelector") }} + {{- toYaml $integrationsConfig.podOptions.namespaceSelector | nindent 4 -}} + {{- else }} + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - '{{ .Release.Namespace }}' + {{- end }} +EOF +) + # Add certmanager and webhook values in the YAML files for output_file in ${DEST_CRD_DIR}/*.yaml; do input_file="${output_file%.yaml}.yaml.test" 
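Review bot: Both `add_webhook_pod_mutate` and `add_webhook_pod_validate` render the user-supplied selector with `nindent 4`, which may no longer match the nesting of the regenerated template. Indentation is not recoverable in this view, but if the yq-generated `webhooks` entries are now nested one level deeper, so that `namespaceSelector:` sits at four spaces, the rendered content lands as siblings of the key instead of children. A configured `podOptions.namespaceSelector` would then not reach the pod webhooks as a selector. Rendering the chart with that value set (`helm template`) would confirm it; if it is mis-nested, the line should read `{{- toYaml $integrationsConfig.podOptions.namespaceSelector | nindent 6 -}}`. The two heredocs differ only in `mpod.kb.io` and `vpod.kb.io` and could be built from one shared template.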
@@ -96,6 +178,76 @@ for output_file in ${DEST_RBAC_DIR}/*.yaml; do fi done +# Add webhook files, replace names, namespaces in helm format +webhook_files=( +"${DEST_WEBHOOK_DIR}/MutatingWebhookConfiguration.yml" +"${DEST_WEBHOOK_DIR}/ValidatingWebhookConfiguration.yml" +"${DEST_WEBHOOK_DIR}/service.yaml" +) +for output_file in "${webhook_files[@]}"; do + if [ "$(cat $output_file | $YQ '.metadata | has("name")')" = "true" ]; then + $YQ -N -i '.metadata.name |= "{{ include \"kueue.fullname\" . }}-" + .' $output_file + fi + if [ "$(cat $output_file | $YQ '.metadata | has("namespace")')" = "true" ]; then + $YQ -N -i '.metadata.namespace = "{{ .Release.Namespace }}"' $output_file + fi + $YQ -N -i '.webhooks.[].clientConfig.service.name |= "{{ include \"kueue.fullname\" . }}-" + .' $output_file + $YQ -N -i '.webhooks.[].clientConfig.service.namespace = "{{ .Release.Namespace }}"' $output_file +done + +# Add service values in the YAML files +for output_file in ${DEST_WEBHOOK_DIR}/service.yaml; do + input_file="${output_file%.yaml}.yaml.test" + mv "$output_file" "$input_file" + : >$output_file + while IFS= read -r line; do + echo "$line" >>"$output_file" + if [[ $line == "$search_service_line" ]]; then + echo "$replace_service_line" >>"$output_file" + break + fi + done <"$input_file" + rm $input_file +done + +# Add webhook values in the YAML files +new_files=("${DEST_WEBHOOK_DIR}/MutatingWebhookConfiguration.yml" "${DEST_WEBHOOK_DIR}/ValidatingWebhookConfiguration.yml") +for output_file in "${new_files[@]}"; do + input_file="${output_file%.yaml}.yml.test" + mv "$output_file" "$input_file" + : >$output_file + count=0 + while IFS= read -r line; do + if [[ $count -gt 0 ]]; then + ((count--)) + continue + fi + echo "$line" >>"$output_file" + if [[ $line == "$search_mutate_webhook_annotations" ]]; then + echo "$add_annotations_line" >> "$output_file" + fi + if [[ $line == "$search_validate_webhook_annotations" ]]; then + echo "$add_annotations_line" >> "$output_file" + fi + if 
[[ $line == "$search_webhook_pod_mutate" ]]; then + count=$((count+2)) + echo "$add_webhook_pod_mutate" >>"$output_file" + fi + if [[ $line == "$search_webhook_pod_validate" ]]; then + count=$((count+2)) + echo "$add_webhook_pod_validate" >>"$output_file" + fi + done <"$input_file" + rm $input_file +done +echo "$add_webhook_line" > ${DEST_WEBHOOK_DIR}/webhook.yaml +{ + cat ${DEST_WEBHOOK_DIR}/MutatingWebhookConfiguration.yml + echo "---" + cat ${DEST_WEBHOOK_DIR}/ValidatingWebhookConfiguration.yml +} >> ${DEST_WEBHOOK_DIR}/webhook.yaml +rm ${DEST_WEBHOOK_DIR}/MutatingWebhookConfiguration.yml ${DEST_WEBHOOK_DIR}/ValidatingWebhookConfiguration.yml + # Add visibility files, replace names, namespaces in helm format for output_file in ${DEST_VISIBILITY_DIR}/*.yaml; do # The name of the v1alpha1.visibility.kueue.x-k8s.io APIService needs to remain unchanged.
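Review bot: The injection loop over `new_files` fails silently when an exact-match search string stops matching, for example if yq changes how it quotes or indents the `name:` or `path:` lines. In that case the cert-manager annotation or the pod `failurePolicy`/`namespaceSelector` template is simply not written, and the chart ships without the `kube-system` exclusion. The `count=$((count+2))` skip also assumes the two lines after each pod `path:` are `failurePolicy` and `name`; a comment such as `# skip the generated failurePolicy and name lines, which the injected block replaces` would record that. A post-condition after assembling webhook.yaml would catch a missed match: `[ "$(grep -cF 'toYaml $integrationsConfig.podOptions.namespaceSelector' "${DEST_WEBHOOK_DIR}/webhook.yaml")" -eq 2 ] || { echo "pod webhook block not injected" >&2; exit 1; }`. Separately, `${output_file%.yaml}.yml.test` strips nothing because these files end in `.yml`; `"${output_file}.test"` states the intent.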