diff --git a/Makefile b/Makefile index ba8736a1..87a7312d 100644 --- a/Makefile +++ b/Makefile @@ -104,7 +104,7 @@ TMP_DIR=$$(mktemp -d) ;\ cd $$TMP_DIR ;\ go mod init tmp ;\ echo "Downloading $(2)" ;\ -GOBIN=$(PROJECT_DIR)/bin go get $(2) ;\ +GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\ rm -rf $$TMP_DIR ;\ } endef diff --git a/controllers/kubeflow.org/profile_controller.go b/controllers/kubeflow.org/profile_controller.go index b2bd5e04..968ebd39 100755 --- a/controllers/kubeflow.org/profile_controller.go +++ b/controllers/kubeflow.org/profile_controller.go @@ -36,7 +36,6 @@ import ( "github.com/goccy/go-yaml" _struct "github.com/golang/protobuf/ptypes/struct" kfPodDefault "github.com/kubeflow/kubeflow/components/admission-webhook/pkg/apis/settings/v1alpha1" - reconcilehelper "github.com/pluralsh/controller-reconcile-helper" profilev2alpha1 "github.com/pluralsh/kubeflow-profile-controller/apis/kubeflow.org/v2alpha1" platformv1alpha1 "github.com/pluralsh/kubeflow-profile-controller/apis/platform/v1alpha1" istioNetworkingv1alpha3 "istio.io/api/networking/v1alpha3" @@ -219,38 +218,38 @@ func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) } } - // Update Istio RequestAuthentication - // Create Istio RequestAuthentication in target namespace, which configures Istio with the OIDC provider. - if err = r.updateIstioRequestAuthentication(instance, kubeflowConfig.Spec.Security.OIDC.Issuer, kubeflowConfig.Spec.Security.OIDC.JwksURI); err != nil { - logger.Error(err, "error Updating Istio RequestAuthentication permission", "namespace", instance.Name) - IncRequestErrorCounter("error updating Istio RequestAuthentication permission", SEVERITY_MAJOR) - return reconcile.Result{}, err - } + // // Update Istio RequestAuthentication + // // Create Istio RequestAuthentication in target namespace, which configures Istio with the OIDC provider. + // if err = r.updateIstioRequestAuthentication(instance, kubeflowConfig.Spec.Security.OIDC.Issuer, kubeflowConfig.Spec.Security.OIDC.JwksURI); err != nil { + // logger.Error(err, "error Updating Istio RequestAuthentication permission", "namespace", instance.Name) + // IncRequestErrorCounter("error updating Istio RequestAuthentication permission", SEVERITY_MAJOR) + // return reconcile.Result{}, err + // } - // Update Istio AuthorizationPolicy - // Create Istio AuthorizationPolicy in target namespace, which will give ns owner permission to access services in ns. - if err = r.updateIstioAuthorizationPolicy(instance, kubeflowConfig.Spec.Identity.UserIDPrefix, kubeflowConfig.Spec.Security.OIDC.Issuer); err != nil { - logger.Error(err, "error Updating Istio AuthorizationPolicy permission", "namespace", instance.Name) - IncRequestErrorCounter("error updating Istio AuthorizationPolicy permission", SEVERITY_MAJOR) - return reconcile.Result{}, err - } + // // Update Istio AuthorizationPolicy + // // Create Istio AuthorizationPolicy in target namespace, which will give ns owner permission to access services in ns. + // if err = r.updateIstioAuthorizationPolicy(instance, kubeflowConfig.Spec.Identity.UserIDPrefix, kubeflowConfig.Spec.Security.OIDC.Issuer); err != nil { + // logger.Error(err, "error Updating Istio AuthorizationPolicy permission", "namespace", instance.Name) + // IncRequestErrorCounter("error updating Istio AuthorizationPolicy permission", SEVERITY_MAJOR) + // return reconcile.Result{}, err + // } - // Update service accounts - // Create service account "default-editor" in target namespace. - // "default-editor" would have kubeflowEdit permission: edit all resources in target namespace except rbac. - serviceAccounts := r.generateServiceAccounts(instance, kubeflowConfig.Spec.Infrastructure.ProviderConfig.AccountID, kubeflowConfig.Spec.Infrastructure.ClusterName) - for _, serviceAccount := range serviceAccounts.Items { - sa := &serviceAccount - if err := ctrl.SetControllerReference(instance, sa, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for Service Account") - return ctrl.Result{}, err - } - if err := reconcilehelper.ServiceAccount(ctx, r.Client, sa, logger); err != nil { - logger.Error(err, "Error reconciling Service Account", "namespace", sa.Namespace, "name", sa.Name) - IncRequestErrorCounter("error updating ServiceAccount", SEVERITY_MAJOR) - return ctrl.Result{}, err - } - } + // // Update service accounts + // // Create service account "default-editor" in target namespace. + // // "default-editor" would have kubeflowEdit permission: edit all resources in target namespace except rbac. + // serviceAccounts := r.generateServiceAccounts(instance, kubeflowConfig.Spec.Infrastructure.ProviderConfig.AccountID, kubeflowConfig.Spec.Infrastructure.ClusterName) + // for _, serviceAccount := range serviceAccounts.Items { + // sa := &serviceAccount + // if err := ctrl.SetControllerReference(instance, sa, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for Service Account") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.ServiceAccount(ctx, r.Client, sa, logger); err != nil { + // logger.Error(err, "Error reconciling Service Account", "namespace", sa.Namespace, "name", sa.Name) + // IncRequestErrorCounter("error updating ServiceAccount", SEVERITY_MAJOR) + // return ctrl.Result{}, err + // } + // } // // Update service accounts // // Create service account "default-editor" in target namespace. @@ -272,117 +271,117 @@ func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) // TODO: add role for impersonate permission - clusterRole := kubeflowAdmin - if instance.Spec.ClusterRole != "" { - clusterRole = instance.Spec.ClusterRole - } + // clusterRole := kubeflowAdmin + // if instance.Spec.ClusterRole != "" { + // clusterRole = instance.Spec.ClusterRole + // } - // Update owner rbac permission - // When ClusterRole was referred by namespaced roleBinding, the result permission will be namespaced as well. - roleBindings := &rbacv1.RoleBindingList{ - Items: []rbacv1.RoleBinding{ - { - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{USER: instance.Spec.Owner.Name, ROLE: ADMIN}, - Name: "namespaceAdmin", - Namespace: instance.Name, - }, - // Use default ClusterRole 'admin' for profile/namespace owner - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: clusterRole, - }, - Subjects: []rbacv1.Subject{ - instance.Spec.Owner, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{ - Name: DEFAULT_EDITOR, - Namespace: instance.Name, - }, - // Use default ClusterRole 'admin' for profile/namespace owner - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: kubeflowEdit, - }, - Subjects: []rbacv1.Subject{ - { - Kind: rbacv1.ServiceAccountKind, - Name: DEFAULT_EDITOR, - Namespace: instance.Name, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{ - Name: DEFAULT_VIEWER, - Namespace: instance.Name, - }, - // Use default ClusterRole 'admin' for profile/namespace owner - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: kubeflowView, - }, - Subjects: []rbacv1.Subject{ - { - Kind: rbacv1.ServiceAccountKind, - Name: DEFAULT_VIEWER, - Namespace: instance.Name, - }, - }, - }, - }, - } + // // Update owner rbac permission + // // When ClusterRole was referred by namespaced roleBinding, the result permission will be namespaced as well. + // roleBindings := &rbacv1.RoleBindingList{ + // Items: []rbacv1.RoleBinding{ + // { + // ObjectMeta: metav1.ObjectMeta{ + // Annotations: map[string]string{USER: instance.Spec.Owner.Name, ROLE: ADMIN}, + // Name: "namespaceAdmin", + // Namespace: instance.Name, + // }, + // // Use default ClusterRole 'admin' for profile/namespace owner + // RoleRef: rbacv1.RoleRef{ + // APIGroup: "rbac.authorization.k8s.io", + // Kind: "ClusterRole", + // Name: clusterRole, + // }, + // Subjects: []rbacv1.Subject{ + // instance.Spec.Owner, + // }, + // }, + // { + // ObjectMeta: metav1.ObjectMeta{ + // Name: DEFAULT_EDITOR, + // Namespace: instance.Name, + // }, + // // Use default ClusterRole 'admin' for profile/namespace owner + // RoleRef: rbacv1.RoleRef{ + // APIGroup: "rbac.authorization.k8s.io", + // Kind: "ClusterRole", + // Name: kubeflowEdit, + // }, + // Subjects: []rbacv1.Subject{ + // { + // Kind: rbacv1.ServiceAccountKind, + // Name: DEFAULT_EDITOR, + // Namespace: instance.Name, + // }, + // }, + // }, + // { + // ObjectMeta: metav1.ObjectMeta{ + // Name: DEFAULT_VIEWER, + // Namespace: instance.Name, + // }, + // // Use default ClusterRole 'admin' for profile/namespace owner + // RoleRef: rbacv1.RoleRef{ + // APIGroup: "rbac.authorization.k8s.io", + // Kind: "ClusterRole", + // Name: kubeflowView, + // }, + // Subjects: []rbacv1.Subject{ + // { + // Kind: rbacv1.ServiceAccountKind, + // Name: DEFAULT_VIEWER, + // Namespace: instance.Name, + // }, + // }, + // }, + // }, + // } - for _, roleBinding := range roleBindings.Items { - if err = r.updateRoleBinding(instance, &roleBinding); err != nil { - logger.Error(err, "error Updating Owner Rolebinding", "namespace", instance.Name, "name", - instance.Spec.Owner.Name, "role", roleBinding.RoleRef.Name) - IncRequestErrorCounter("error updating Owner Rolebinding", SEVERITY_MAJOR) - return reconcile.Result{}, err - } - } - // Create resource quota for target namespace if resources are specified in profile. - if len(instance.Spec.ResourceQuotaSpec.Hard) > 0 { - resourceQuota := &corev1.ResourceQuota{ - ObjectMeta: metav1.ObjectMeta{ - Name: KFQUOTA, - Namespace: instance.Name, - }, - Spec: instance.Spec.ResourceQuotaSpec, - } - if err = r.updateResourceQuota(ctx, instance, resourceQuota); err != nil { - logger.Error(err, "error Updating resource quota", "namespace", instance.Name) - IncRequestErrorCounter("error updating resource quota", SEVERITY_MAJOR) - return reconcile.Result{}, err - } - } else { - logger.Info("No update on resource quota", "spec", instance.Spec.ResourceQuotaSpec.String()) - } - if err := r.PatchDefaultPluginSpec(ctx, instance); err != nil { - IncRequestErrorCounter("error patching DefaultPluginSpec", SEVERITY_MAJOR) - logger.Error(err, "Failed patching DefaultPluginSpec", "namespace", instance.Name) - return reconcile.Result{}, err - } - if plugins, err := r.GetPluginSpec(instance); err == nil { - for _, plugin := range plugins { - if err2 := plugin.ApplyPlugin(r, instance); err2 != nil { - logger.Error(err2, "Failed applying plugin", "namespace", instance.Name) - IncRequestErrorCounter("error applying plugin", SEVERITY_MAJOR) - return reconcile.Result{}, err2 - } - } - } + // for _, roleBinding := range roleBindings.Items { + // if err = r.updateRoleBinding(instance, &roleBinding); err != nil { + // logger.Error(err, "error Updating Owner Rolebinding", "namespace", instance.Name, "name", + // instance.Spec.Owner.Name, "role", roleBinding.RoleRef.Name) + // IncRequestErrorCounter("error updating Owner Rolebinding", SEVERITY_MAJOR) + // return reconcile.Result{}, err + // } + // } + // // Create resource quota for target namespace if resources are specified in profile. + // if len(instance.Spec.ResourceQuotaSpec.Hard) > 0 { + // resourceQuota := &corev1.ResourceQuota{ + // ObjectMeta: metav1.ObjectMeta{ + // Name: KFQUOTA, + // Namespace: instance.Name, + // }, + // Spec: instance.Spec.ResourceQuotaSpec, + // } + // if err = r.updateResourceQuota(ctx, instance, resourceQuota); err != nil { + // logger.Error(err, "error Updating resource quota", "namespace", instance.Name) + // IncRequestErrorCounter("error updating resource quota", SEVERITY_MAJOR) + // return reconcile.Result{}, err + // } + // } else { + // logger.Info("No update on resource quota", "spec", instance.Spec.ResourceQuotaSpec.String()) + // } + // if err := r.PatchDefaultPluginSpec(ctx, instance); err != nil { + // IncRequestErrorCounter("error patching DefaultPluginSpec", SEVERITY_MAJOR) + // logger.Error(err, "Failed patching DefaultPluginSpec", "namespace", instance.Name) + // return reconcile.Result{}, err + // } + // if plugins, err := r.GetPluginSpec(instance); err == nil { + // for _, plugin := range plugins { + // if err2 := plugin.ApplyPlugin(r, instance); err2 != nil { + // logger.Error(err2, "Failed applying plugin", "namespace", instance.Name) + // IncRequestErrorCounter("error applying plugin", SEVERITY_MAJOR) + // return reconcile.Result{}, err2 + // } + // } + // } - if err := r.reconcileExtraResources(ctx, instance); err != nil { - IncRequestErrorCounter("error patching extra resources", SEVERITY_MAJOR) - logger.Error(err, "Failed upserted extraResources", "namespace", instance.Name) - return reconcile.Result{}, err - } + // if err := r.reconcileExtraResources(ctx, instance); err != nil { + // IncRequestErrorCounter("error patching extra resources", SEVERITY_MAJOR) + // logger.Error(err, "Failed upserted extraResources", "namespace", instance.Name) + // return reconcile.Result{}, err + // } // examine DeletionTimestamp to determine if object is under deletion if instance.ObjectMeta.DeletionTimestamp.IsZero() { @@ -401,15 +400,15 @@ func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) // The object is being deleted if containsString(instance.ObjectMeta.Finalizers, PROFILEFINALIZER) { // our finalizer is present, so lets revoke all Plugins to clean up any external dependencies - if plugins, err := r.GetPluginSpec(instance); err == nil { - for _, plugin := range plugins { - if err := plugin.RevokePlugin(r, instance); err != nil { - logger.Error(err, "error revoking plugin", "namespace", instance.Name) - IncRequestErrorCounter("error revoking plugin", SEVERITY_MAJOR) - return reconcile.Result{}, err - } - } - } + // if plugins, err := r.GetPluginSpec(instance); err == nil { + // for _, plugin := range plugins { + // if err := plugin.RevokePlugin(r, instance); err != nil { + // logger.Error(err, "error revoking plugin", "namespace", instance.Name) + // IncRequestErrorCounter("error revoking plugin", SEVERITY_MAJOR) + // return reconcile.Result{}, err + // } + // } + // } // remove our finalizer from the list and update it. instance.ObjectMeta.Finalizers = removeString(instance.ObjectMeta.Finalizers, PROFILEFINALIZER) @@ -421,126 +420,126 @@ func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) } } - // Create the KFP configmap in the user namespace - kfpConfigmaps := r.generateKFPConfigmap(instance, kubeflowConfig.Spec.Infrastructure.Storage.BucketName, kubeflowConfig.Spec.Infrastructure.ProviderConfig.Region) - for _, kfpConfigmap := range kfpConfigmaps.Items { - configmap := &kfpConfigmap - if err := ctrl.SetControllerReference(instance, configmap, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP configmap") - return ctrl.Result{}, err - } - if err := reconcilehelper.ConfigMap(ctx, r.Client, configmap, logger); err != nil { - logger.Error(err, "Error reconciling KFP Configmap", "namespace", kfpConfigmap.Namespace) - return ctrl.Result{}, err - } - } - - // Create the KFP configmap in the user namespace - kfpDeployments := r.generateKFPDeployments(instance) - for _, kfpDeployment := range kfpDeployments.Items { - deployment := &kfpDeployment - if err := ctrl.SetControllerReference(instance, deployment, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP Deployment") - return ctrl.Result{}, err - } - if err := reconcilehelper.Deployment(ctx, r.Client, deployment, logger); err != nil { - logger.Error(err, "Error reconciling KFP Deployment", "namespace", kfpDeployment.Namespace) - return ctrl.Result{}, err - } - } + // // Create the KFP configmap in the user namespace + // kfpConfigmaps := r.generateKFPConfigmap(instance, kubeflowConfig.Spec.Infrastructure.Storage.BucketName, kubeflowConfig.Spec.Infrastructure.ProviderConfig.Region) + // for _, kfpConfigmap := range kfpConfigmaps.Items { + // configmap := &kfpConfigmap + // if err := ctrl.SetControllerReference(instance, configmap, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP configmap") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.ConfigMap(ctx, r.Client, configmap, logger); err != nil { + // logger.Error(err, "Error reconciling KFP Configmap", "namespace", kfpConfigmap.Namespace) + // return ctrl.Result{}, err + // } + // } - // Create the KFP destination rules in the user namespace - kfpDestinationRule := r.generateKFPDestinationRule(instance) - if err := ctrl.SetControllerReference(instance, kfpDestinationRule, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP DestinationRule") - return ctrl.Result{}, err - } - if err := reconcilehelper.DestinationRule(ctx, r.Client, kfpDestinationRule, logger); err != nil { - logger.Error(err, "Error reconciling KFP destination rule", "namespace", kfpDestinationRule.Namespace) - return ctrl.Result{}, err - } + // // Create the KFP configmap in the user namespace + // kfpDeployments := r.generateKFPDeployments(instance) + // for _, kfpDeployment := range kfpDeployments.Items { + // deployment := &kfpDeployment + // if err := ctrl.SetControllerReference(instance, deployment, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP Deployment") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.Deployment(ctx, r.Client, deployment, logger); err != nil { + // logger.Error(err, "Error reconciling KFP Deployment", "namespace", kfpDeployment.Namespace) + // return ctrl.Result{}, err + // } + // } - // Create the KFP AuthorizationPolicies in the user namespace - kfpAuthorizationPolicy := r.generateKFPAuthorizationPolicy(instance) - if err := ctrl.SetControllerReference(instance, kfpAuthorizationPolicy, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP AuthorizationPolicy") - return ctrl.Result{}, err - } - if err := reconcilehelper.AuthorizationPolicy(ctx, r.Client, kfpAuthorizationPolicy, logger); err != nil { - logger.Error(err, "Error reconciling KFP AuthorizationPolicy", "namespace", kfpAuthorizationPolicy.Namespace) - return ctrl.Result{}, err - } + // // Create the KFP destination rules in the user namespace + // kfpDestinationRule := r.generateKFPDestinationRule(instance) + // if err := ctrl.SetControllerReference(instance, kfpDestinationRule, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP DestinationRule") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.DestinationRule(ctx, r.Client, kfpDestinationRule, logger); err != nil { + // logger.Error(err, "Error reconciling KFP destination rule", "namespace", kfpDestinationRule.Namespace) + // return ctrl.Result{}, err + // } - // Create the KFP Services in the user namespace - kfpServices := r.generateKFPServices(instance) - for _, kfpService := range kfpServices.Items { - service := &kfpService - if err := ctrl.SetControllerReference(instance, service, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP Service") - return ctrl.Result{}, err - } - if err := reconcilehelper.Service(ctx, r.Client, service, logger); err != nil { - logger.Error(err, "Error reconciling KFP Service", "namespace", kfpService.Namespace) - return ctrl.Result{}, err - } - } + // // Create the KFP AuthorizationPolicies in the user namespace + // kfpAuthorizationPolicy := r.generateKFPAuthorizationPolicy(instance) + // if err := ctrl.SetControllerReference(instance, kfpAuthorizationPolicy, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP AuthorizationPolicy") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.AuthorizationPolicy(ctx, r.Client, kfpAuthorizationPolicy, logger); err != nil { + // logger.Error(err, "Error reconciling KFP AuthorizationPolicy", "namespace", kfpAuthorizationPolicy.Namespace) + // return ctrl.Result{}, err + // } - // Create Istio PeerAuthentication resources in the user namespace - peerAutehntication := r.generatePeerAuthentication(instance) - if err := ctrl.SetControllerReference(instance, peerAutehntication, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for Istio PeerAuthentication") - return ctrl.Result{}, err - } - if err := reconcilehelper.PeerAuthentication(ctx, r.Client, peerAutehntication, logger); err != nil { - logger.Error(err, "Error reconciling Istio PeerAuthentication", "namespace", peerAutehntication.Namespace) - return ctrl.Result{}, err - } + // // Create the KFP Services in the user namespace + // kfpServices := r.generateKFPServices(instance) + // for _, kfpService := range kfpServices.Items { + // service := &kfpService + // if err := ctrl.SetControllerReference(instance, service, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP Service") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.Service(ctx, r.Client, service, logger); err != nil { + // logger.Error(err, "Error reconciling KFP Service", "namespace", kfpService.Namespace) + // return ctrl.Result{}, err + // } + // } - // Create Istio EnvoyFilter resources in the user namespace - envoyFilter := r.generateEnvoyFilter(instance) - if err := ctrl.SetControllerReference(instance, envoyFilter, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for Istio EnvoyFilter") - return ctrl.Result{}, err - } - if err := reconcilehelper.EnvoyFilter(ctx, r.Client, envoyFilter, logger); err != nil { - logger.Error(err, "Error reconciling Istio EnvoyFilter", "namespace", envoyFilter.Namespace) - return ctrl.Result{}, err - } + // // Create Istio PeerAuthentication resources in the user namespace + // peerAutehntication := r.generatePeerAuthentication(instance) + // if err := ctrl.SetControllerReference(instance, peerAutehntication, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for Istio PeerAuthentication") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.PeerAuthentication(ctx, r.Client, peerAutehntication, logger); err != nil { + // logger.Error(err, "Error reconciling Istio PeerAuthentication", "namespace", peerAutehntication.Namespace) + // return ctrl.Result{}, err + // } - // Create PodDefault for KFP access - podDefault := r.generatePodDefault(instance) - if err := ctrl.SetControllerReference(instance, podDefault, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP PodDefault") - return ctrl.Result{}, err - } - if err := reconcilehelper.PodDefault(ctx, r.Client, podDefault, logger); err != nil { - logger.Error(err, "Error reconciling KFP PodDefault", "namespace", podDefault.Namespace) - return ctrl.Result{}, err - } + // // Create Istio EnvoyFilter resources in the user namespace + // envoyFilter := r.generateEnvoyFilter(instance) + // if err := ctrl.SetControllerReference(instance, envoyFilter, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for Istio EnvoyFilter") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.EnvoyFilter(ctx, r.Client, envoyFilter, logger); err != nil { + // logger.Error(err, "Error reconciling Istio EnvoyFilter", "namespace", envoyFilter.Namespace) + // return ctrl.Result{}, err + // } - // Create the KFP IAM Policy for the user namespace - if kubeflowConfig.Spec.Infrastructure.Provider == "AWS" { - kfpIAMPolicy := r.generateKFPIAMPolicyACK(instance, kubeflowConfig.Spec.Infrastructure.ProviderConfig.AccountID, kubeflowConfig.Spec.Infrastructure.ClusterName, kubeflowConfig.Spec.Infrastructure.Storage.BucketName) - if err := ctrl.SetControllerReference(instance, kfpIAMPolicy, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP IAM Policy") - return ctrl.Result{}, err - } - if err := reconcilehelper.ACKIAMPolicy(ctx, r.Client, kfpIAMPolicy, logger); err != nil { - logger.Error(err, "Error reconciling KFP IAM Policy", "namespace", kfpIAMPolicy.Namespace) - return ctrl.Result{}, err - } + // // Create PodDefault for KFP access + // podDefault := r.generatePodDefault(instance) + // if err := ctrl.SetControllerReference(instance, podDefault, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP PodDefault") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.PodDefault(ctx, r.Client, podDefault, logger); err != nil { + // logger.Error(err, "Error reconciling KFP PodDefault", "namespace", podDefault.Namespace) + // return ctrl.Result{}, err + // } - // Create the KFP IAM Role for the user namespace service account - kfpIAMRole := r.generateKFPIAMRoleACK(instance, kubeflowConfig.Spec.Infrastructure.ProviderConfig.AccountID, strings.Replace(kubeflowConfig.Spec.Infrastructure.ProviderConfig.ClusterOIDCIssuer, "https://", "", -1), kubeflowConfig.Spec.Infrastructure.ClusterName) - if err := ctrl.SetControllerReference(instance, kfpIAMRole, r.Scheme); err != nil { - logger.Error(err, "Error setting ControllerReference for KFP IAM Role") - return ctrl.Result{}, err - } - if err := reconcilehelper.ACKIAMRole(ctx, r.Client, kfpIAMRole, logger); err != nil { - logger.Error(err, "Error reconciling KFP IAM Role", "namespace", kfpIAMRole.Namespace) - return ctrl.Result{}, err - } - } + // // Create the KFP IAM Policy for the user namespace + // if kubeflowConfig.Spec.Infrastructure.Provider == "AWS" { + // kfpIAMPolicy := r.generateKFPIAMPolicyACK(instance, kubeflowConfig.Spec.Infrastructure.ProviderConfig.AccountID, kubeflowConfig.Spec.Infrastructure.ClusterName, kubeflowConfig.Spec.Infrastructure.Storage.BucketName) + // if err := ctrl.SetControllerReference(instance, kfpIAMPolicy, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP IAM Policy") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.ACKIAMPolicy(ctx, r.Client, kfpIAMPolicy, logger); err != nil { + // logger.Error(err, "Error reconciling KFP IAM Policy", "namespace", kfpIAMPolicy.Namespace) + // return ctrl.Result{}, err + // } + + // // Create the KFP IAM Role for the user namespace service account + // kfpIAMRole := r.generateKFPIAMRoleACK(instance, kubeflowConfig.Spec.Infrastructure.ProviderConfig.AccountID, strings.Replace(kubeflowConfig.Spec.Infrastructure.ProviderConfig.ClusterOIDCIssuer, "https://", "", -1), kubeflowConfig.Spec.Infrastructure.ClusterName) + // if err := ctrl.SetControllerReference(instance, kfpIAMRole, r.Scheme); err != nil { + // logger.Error(err, "Error setting ControllerReference for KFP IAM Role") + // return ctrl.Result{}, err + // } + // if err := reconcilehelper.ACKIAMRole(ctx, r.Client, kfpIAMRole, logger); err != nil { + // logger.Error(err, "Error reconciling KFP IAM Role", "namespace", kfpIAMRole.Namespace) + // return ctrl.Result{}, err + // } + // } IncRequestCounter("reconcile") return ctrl.Result{}, nil