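# Install manifest for the DI operator stack in the di-system namespace:
# namespace, two CRDs, RBAC, four Services, three Deployments
# (di-operator, di-server, di-webhook), a cert-manager Certificate and
# Issuer, and the admission webhook registrations for DIJob.
#
# The objects are unchanged from the original except for the `learner`
# schema description, which was a copy of the collector text.
# Security and upgrade observations are marked NOTE(review).
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: di-operator
  name: di-system
---
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22 on. Moving to v1 requires a structural schema per
# version, so it is not a drop-in change for the schema below.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: dijobs.diengine.opendilab.org
spec:
  additionalPrinterColumns:
    - JSONPath: .status.phase
      name: Phase
      type: string
    - JSONPath: .metadata.creationTimestamp
      name: Age
      type: date
  group: diengine.opendilab.org
  names:
    kind: DIJob
    listKind: DIJobList
    plural: dijobs
    shortNames:
      - dijob
    singular: dijob
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            group:
              description: Group is a collection of DIJobs
              type: string
            cleanPodPolicy:
              description: CleanPodPolicy defines the policy to clean pods after DIJob completed
              type: string
            priorityClassName:
              description: Priority labels the priority of DIJob
              type: string
            # NOTE(review): volumes, coordinator, collector and learner are
            # typed only as array/object with no item or property schema,
            # so the API server does not validate their contents. The
            # checking of these fields presumably rests on the validating
            # webhook registered at the end of this file.
            volumes:
              description: Volumes defines the shared volumes for DI-engine components
              type: array
            coordinator:
              description: CoordinatorSpec defines the desired state of coordinators
              type: object
            collector:
              description: CollectorSpec defines the desired state of CollectorSpec
              type: object
            learner:
              description: LearnerSpec defines the desired state of learners
              type: object
  versions:
    - name: v1alpha1
      served: true
      storage: true
---
# NOTE(review): same v1beta1 CRD API as above. Unlike dijobs, no admission
# webhook in this file covers aggregatorconfigs, and the schema accepts
# any object for `aggregator`.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: aggregatorconfigs.diengine.opendilab.org
spec:
  additionalPrinterColumns:
    - JSONPath: .metadata.creationTimestamp
      name: Age
      type: date
  group: diengine.opendilab.org
  names:
    kind: AggregatorConfig
    listKind: AggregatorConfigList
    plural: aggregatorconfigs
    shortNames:
      - agconfig
    singular: aggregatorconfig
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            aggregator:
              description: AggregatorSpec defines the desired state of aggregator
              type: object
  versions:
    - name: v1alpha1
      served: true
      storage: true
---
# Namespaced role for leader election: full access to configmaps and
# leases in di-system, plus event creation.
# NOTE(review): the rule covers every ConfigMap and Lease in the
# namespace. `resourceNames` could narrow get/update/patch/delete to the
# lock objects, but `create` cannot be restricted by name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: di-leader-election-role
  namespace: di-system
rules:
  - apiGroups:
      - ""
      - coordination.k8s.io
    resources:
      - configmaps
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Read access to the /metrics non-resource URL.
# NOTE(review): no binding in this file references this ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: di-metrics-reader
rules:
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
# Cluster-wide permissions for the operator.
# NOTE(review): create/delete/patch on pods and services in every
# namespace is enough to run arbitrary workloads cluster-wide. Whoever
# holds this role should be treated as highly privileged; see the
# binding below for who that currently is.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: di-operator-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - events
      - pods
      - services
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - nodes
    verbs:
      - get
      - list
  - apiGroups:
      - diengine.opendilab.org
    resources:
      - aggregatorconfigs
      - dijobs
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - diengine.opendilab.org
    resources:
      - aggregatorconfigs/finalizers
      - dijobs/finalizers
    verbs:
      - update
  - apiGroups:
      - diengine.opendilab.org
    resources:
      - aggregatorconfigs/status
      - dijobs/status
    verbs:
      - get
      - patch
      - update
---
# Permission to create TokenReviews and SubjectAccessReviews.
# NOTE(review): these rules are what an authenticating metrics proxy
# would need, but no proxy container appears in any Deployment in this
# file - confirm the role is still required before keeping the binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: di-proxy-role
rules:
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# NOTE(review): this and the two ClusterRoleBindings below all grant
# their roles to the `default` ServiceAccount of di-system. No
# Deployment in this file sets serviceAccountName, so all three
# components, and any other pod started in di-system without its own
# ServiceAccount, share the combined permissions. A dedicated
# ServiceAccount per component, bound only to the role that component
# needs, would contain a compromise of di-server or di-webhook. Which
# component needs which role is not visible here and must be confirmed.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: di-leader-election-rolebinding
  namespace: di-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: di-leader-election-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: di-system
---
# Grants the cluster-wide operator role to di-system's default
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: di-operator-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: di-operator-cluster-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: di-system
---
# Grants the review-creation role to di-system's default ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: di-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: di-proxy-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: di-system
---
# NOTE(review): the port is named `https` but targets 8080, which is the
# manager's --metrics-bind-address. No TLS-terminating container is
# defined in the di-operator pod, so this is presumably plain HTTP and
# unauthenticated. Confirm, then rename the port or put the endpoint
# behind an authenticating proxy.
apiVersion: v1
kind: Service
metadata:
  labels:
    control-plane: di-operator
  name: di-operator-metrics-service
  namespace: di-system
spec:
  ports:
    - name: https
      port: 8443
      targetPort: 8080
  selector:
    control-plane: di-operator
---
# In-cluster (ClusterIP) access to di-server on port 8080.
apiVersion: v1
kind: Service
metadata:
  name: di-server
  namespace: di-system
spec:
  ports:
    - port: 8080
      protocol: TCP
      targetPort: 8080
  selector:
    control-plane: di-server
---
# NOTE(review): this publishes di-server's port 8080 on port 32270 of
# every node. Nothing in this manifest shows TLS or authentication on
# that listener, and no NetworkPolicy restricts it. If access from
# outside the cluster is not required, drop this Service; otherwise
# limit the source addresses at the network layer.
apiVersion: v1
kind: Service
metadata:
  name: di-server-nodeport
  namespace: di-system
spec:
  ports:
    - nodePort: 32270
      port: 8080
      protocol: TCP
      targetPort: 8080
  selector:
    control-plane: di-server
  type: NodePort
---
# Service the API server calls for admission (443 -> container 9443).
apiVersion: v1
kind: Service
metadata:
  name: di-webhook-service
  namespace: di-system
spec:
  ports:
    - port: 443
      targetPort: 9443
  selector:
    control-plane: di-webhook
---
# NOTE(review), applies to all three Deployments below:
# - The image is referenced by tag with imagePullPolicy: Always, so the
#   content that runs can change whenever the tag is re-pushed. Pinning
#   by digest (image: <repo>@sha256:<DIGEST>, placeholder) makes the
#   deployed artifact reproducible and auditable.
# - securityContext sets only allowPrivilegeEscalation: false. Once the
#   images are confirmed to run that way, add runAsNonRoot: true,
#   readOnlyRootFilesystem: true, capabilities.drop [ALL] and a
#   RuntimeDefault seccomp profile.
# - serviceAccountName is unset, so the pod runs as `default`, which
#   holds every role bound in this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: di-operator
  name: di-operator
  namespace: di-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: di-operator
  template:
    metadata:
      labels:
        control-plane: di-operator
    spec:
      containers:
        - args:
            - --health-probe-bind-address=:8081
            # Binds metrics on all pod interfaces; this is the port the
            # metrics Service forwards to.
            - --metrics-bind-address=:8080
            - --leader-elect
          command:
            - /di-operator
          image: registry.sensetime.com/cloudnative4ai/di-operator:v0.2.0-alpha.0
          imagePullPolicy: Always
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 15
            periodSeconds: 20
          name: manager
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 100m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 500Mi
          securityContext:
            allowPrivilegeEscalation: false
      terminationGracePeriodSeconds: 10
---
# di-server: listens on :8080 and is reachable through both the
# ClusterIP and the NodePort Service above. The image, securityContext
# and ServiceAccount points noted on di-operator apply here too.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: di-server
  name: di-server
  namespace: di-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: di-server
  template:
    metadata:
      labels:
        control-plane: di-server
    spec:
      containers:
        - args:
            - --server-bind-address=:8080
            - --leader-elect
            - --lease-lock-namespace=di-system
            - --lease-lock-name=di-server
          command:
            - /di-server
          image: registry.sensetime.com/cloudnative4ai/di-server:v0.2.0-alpha.0
          imagePullPolicy: Always
          # Only a liveness probe is defined; there is no readinessProbe,
          # so the Services route to the pod as soon as it starts.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 20
          name: server
          resources:
            limits:
              cpu: 100m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 500Mi
          securityContext:
            allowPrivilegeEscalation: false
      terminationGracePeriodSeconds: 10
---
# di-webhook: serves the DIJob admission endpoints on 9443 using the
# certificate issued below. The image, securityContext and
# ServiceAccount points noted on di-operator apply here too.
# NOTE(review): replicas is 1 and both webhook registrations use
# failurePolicy: Fail, so DIJob CREATE/UPDATE is rejected whenever this
# single pod is unavailable. Failing closed is the safer setting;
# running more than one replica addresses the availability side.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: di-webhook
  name: di-webhook
  namespace: di-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: di-webhook
  template:
    metadata:
      labels:
        control-plane: di-webhook
    spec:
      containers:
        - command:
            - /di-webhook
          image: registry.sensetime.com/cloudnative4ai/di-webhook:v0.2.0-alpha.0
          imagePullPolicy: Always
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 15
            periodSeconds: 20
          name: webhook
          ports:
            - containerPort: 9443
              name: webhook-server
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 30m
              memory: 100Mi
            requests:
              cpu: 30m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - mountPath: /tmp/k8s-webhook-server/serving-certs
              name: cert
              readOnly: true
      terminationGracePeriodSeconds: 10
      volumes:
        - name: cert
          secret:
            # 420 is decimal for octal 0644: the mounted files, including
            # the TLS private key, are readable by every user in the
            # container. A tighter mode is possible once the UID the
            # webhook runs as is known.
            defaultMode: 420
            secretName: di-webhook-server-cert
---
# Serving certificate for di-webhook-service, stored in the Secret the
# webhook Deployment mounts.
# NOTE(review): cert-manager.io/v1alpha2 was removed in cert-manager 1.6;
# current releases serve only cert-manager.io/v1.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: di-serving-cert
  namespace: di-system
spec:
  dnsNames:
    - di-webhook-service.di-system.svc
    - di-webhook-service.di-system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: di-selfsigned-issuer
  secretName: di-webhook-server-cert
---
# Namespaced self-signed issuer used only for the webhook certificate.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: di-selfsigned-issuer
  namespace: di-system
spec:
  selfSigned: {}
---
# Mutating admission for DIJob CREATE/UPDATE. The CA bundle is injected
# by cert-manager from di-system/di-serving-cert via the annotation.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is no longer served
# from Kubernetes 1.22 on. sideEffects and admissionReviewVersions are
# already set as v1 requires; check the v1 defaults for timeoutSeconds
# and matchPolicy when migrating.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: di-system/di-serving-cert
  name: di-mutating-webhook-configuration
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: di-webhook-service
        namespace: di-system
        path: /mutate-diengine-opendilab-org-v1alpha1-dijob
    # Fail closed: requests are rejected if the webhook cannot be reached.
    failurePolicy: Fail
    name: mdijob.kb.io
    rules:
      - apiGroups:
          - diengine.opendilab.org
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - dijobs
    sideEffects: None
---
# Validating admission for DIJob CREATE/UPDATE; same service, CA
# injection and API-version caveat as the mutating configuration.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: di-system/di-serving-cert
  name: di-validating-webhook-configuration
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: di-webhook-service
        namespace: di-system
        path: /validate-diengine-opendilab-org-v1alpha1-dijob
    # Fail closed: requests are rejected if the webhook cannot be reached.
    failurePolicy: Fail
    name: vdijob.kb.io
    rules:
      - apiGroups:
          - diengine.opendilab.org
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - dijobs
    sideEffects: None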