Enable multi-tenancy by via IBM AppID

OpenShift/README.md

@@ -29,3 +29,7 @@ This guide describes how to deploy Kubeflow on OpenShift clusters. There are two
 ## Deploy Kubeflow with Knative and KFServing
 
   For users who want to run KFserving service along with Kubeflow on OpenShift clusters, follow the [KfServing on OpenShift](manifests/README-kfserving.md) guide to deploy.
+
+## Multi-tenant Kubeflow on OpenShift with IBM Cloud AppID
+
+  For users who want to run KFserving service along with Multi-tenant Kubeflow on OpenShift clusters, follow the [Multi-tenant Kubeflow on OpenShift with IBM Cloud AppID](manifests/README-appid.md) guide to deploy.

OpenShift/manifests/README-appid.md

@@ -0,0 +1,67 @@
+## Multi-tenant Kubeflow on OpenShift with IBM Cloud AppID
+
+This guide is based on [KfServing on OpenShift](./README-kfserving.md) with multi-tenancy feature enabled by IBM Cloud AppID.
+
+### Prerequisites
+
+1. Follow the [Prepare OpenShift cluster environment](./README.md#prepare-openshift-cluster-environment) to set up the cluster environment.
+2. FQDN of OpenShift Route of istio ingress gateway.
+3. Provisioning an AppID instance from IBM Cloud. It can start with the Lite plan, but will need the Graduated tier once you need more than 1000 authentication events per month.
+4. Create an application with type reguarwebapp under the provioned AppID instance. Make sure the caope contains email and retrieve the following configuration parameters from your AppID. They will be used to configure the OIDC auth service:
+    * clientId
+    * secret
+    * oAuthServerUrl
+
+### Configuration
+
+1. Create the namespace `istio-system` if not exist:
+```SHELL
+kubectl create namespace istio-system
+```
+2. Create a secret prior to kubeflow deployment by filling parameters accordingly:
+```SHELL
+kubectl create secret generic appid-application-configuration -n istio-system \
+  --from-literal=clientId=<clientId> \
+  --from-literal=secret=<secret> \
+  --from-literal=oAuthServerUrl=<oAuthServerUrl> \
+  --from-literal=oidcRedirectUrl=https://istio-ingressgateway-istio-system.<ingressSubdomain>/login/oidc
+```
+* `<oAuthServerUrl>` - fill in the value of `oAuthServerUrl`
+* `<clientId>` - fill in the value of `clientId`
+* `<secret>` - fill in the value of `secret`
+* `<ingressSubdomain>` - fill in the value of _Ingress Subdomain_ out of cluster
+details by running command `ibmcloud ks cluster get -c <your-cluster-name>` where replace `<your-cluster-name>` with your OpenShift cluster name.
+
+### Deploy Kubeflow with KfServing
+
+Choose [kfctl_openshift_tekton_kfserving_appid.v1.1.0.yaml](./kfctl_openshift_tekton_kfserving_appid.v1.1.0.yaml) to deploy the required components for multi-tenant Kubeflow with Tekton backend.
+
+```shell
+export KFDEF_DIR=<path_to_kfdef>
+mkdir -p ${KFDEF_DIR}
+cd ${KFDEF_DIR}
+wget https://raw.githubusercontent.com/IBM/KubeflowDojo/master/OpenShift/manifests/kfctl_openshift_tekton_kfserving_appid.v1.1.0.yaml
+```
+
+If you choose to leverage the pre-installed OpenShift Pipelines as the Tekton backend, please comment out these lines from the above configuration file.
+
+```yaml
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/tektoncd
+    name: kubeflow-apps
+```
+
+Run following command to deploy Kubeflow:
+
+```shell
+kfctl apply -V -f kfctl_openshift_tekton_kfserving_appid.v1.1.0.yaml
+```
+
+### Secure istio ingress gateway with HTTPS
+
+Notice that it uses HTTPS for the value of `oidcRedirectUrl` during configuration, which
+requires additional steps after deploying Kubeflow:
+1. enable [TLS passthrough](https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/routes.html#passthrough-termination) mode for the route.
+2. expose kubeflow dashboard over HTTPS by following steps of [this section](https://www.kubeflow.org/docs/ibm/deploy/authentication/#exposing-the-kubeflow-dashboard-with-dns-and-tls-termination).

OpenShift/manifests/kfctl_openshift_tekton_kfserving_appid.v1.1.0.yaml

@@ -0,0 +1,134 @@
+apiVersion: kfdef.apps.kubeflow.org/v1
+kind: KfDef
+metadata:
+  namespace: kubeflow
+spec:
+  applications:
+  # openshift specific
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: openshift/openshift-scc/base
+    name: openshift-scc
+  # istio related components
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/istio-stack
+    name: istio-stack
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/cluster-local-gateway
+    name: cluster-local-gateway
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/istio
+    name: istio
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/oidc-authservice-for-appid
+    name: oidc-authservice
+  # application
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: application/v3
+    name: application
+  # cert-manager
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/cert-manager-crds
+    name: cert-manager-crds
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/cert-manager-kube-system-resources
+    name: cert-manager-kube-system-resources
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/cert-manager
+    name: cert-manager
+  # bootstrap
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/openshift/application/bootstrap
+  #   name: bootstrap
+  # kubeflow apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/base
+    name: kubeflow-apps
+  # - kustomizeConfig:
+  #     repoRef:
+  #       name: manifests
+  #       path: stacks/openshift/components/admission-webhook
+  #   name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/profile-control-plane
+    name: kubeflow-apps
+  # install Tekton Pipelines, if you choose to use OpenShift Pipelines
+  # pre-installed on your OCP cluster, comment out this component
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/tektoncd
+    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/kfp-tekton
+    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/metadata
+    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/notebooks
+    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/pytorch-job
+    name: kubeflow-apps
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/components/tf-job
+    name: kubeflow-apps
+  # others:
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: metacontroller/base
+    name: metacontroller
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: stacks/openshift/application/spark-operator
+    name: spark-operator
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: knative/installs/generic
+    name: knative
+  - kustomizeConfig:
+      repoRef:
+        name: manifests
+        path: kfserving/installs/generic
+    name: kfserving
+  repos:
+  - name: manifests
+    uri: https://github.com/IBM/manifests/archive/master.tar.gz
+  version: master