From 92bdb7fc23fafaf21e2767a0f1f09d32d852874b Mon Sep 17 00:00:00 2001
From: Noa
Date: Thu, 17 Jul 2025 09:48:13 +0000
Subject: [PATCH 1/2] feat(ws): Define k8s workload manifest for frontend component #404
Signed-off-by: Noa
---
.../manifests/kustomize/base/deployment.yaml | 56 ++++++++
.../kustomize/base/kustomization.yaml | 14 ++
.../manifests/kustomize/base/namespace.yaml | 4 +
.../manifests/kustomize/base/service.yaml | 10 ++
.../components/common/kustomization.yaml | 9 ++
.../istio/authorization-policy.yaml | 17 +++
.../components/istio/destination-rule.yaml | 9 ++
.../components/istio/kustomization.yaml | 11 ++
.../components/istio/virtual-service.yaml | 32 +++++
.../overlays/istio/kustomization.yaml | 125 ++++++++++++++++++
10 files changed, 287 insertions(+)
create mode 100644 workspaces/frontend/manifests/kustomize/base/deployment.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/base/kustomization.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/base/namespace.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/base/service.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/components/common/kustomization.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/components/istio/authorization-policy.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/components/istio/destination-rule.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/components/istio/kustomization.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
create mode 100644 workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
diff --git a/workspaces/frontend/manifests/kustomize/base/deployment.yaml b/workspaces/frontend/manifests/kustomize/base/deployment.yaml
new file mode 100644
index 000000000..0af139109
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/deployment.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: workspaces-frontend
+spec:
+ selector:
+ matchLabels: {}
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 0
+ maxSurge: 1
+ template:
+ spec:
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: workspaces-frontend
+ image: workspaces-frontend
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ ports:
+ - name: http-ui
+ containerPort: 8080
+ env:
+ - name: PORT
+ value: "8080"
+ resources:
+ limits:
+ cpu: "1"
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http-ui
+ scheme: HTTP
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 5
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http-ui
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 3
+ failureThreshold: 3
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/base/kustomization.yaml b/workspaces/frontend/manifests/kustomize/base/kustomization.yaml
new file mode 100644
index 000000000..8ff7a35ff
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kubeflow-workspaces
+
+resources:
+- namespace.yaml
+- deployment.yaml
+- service.yaml
+
+labels:
+- includeSelectors: true
+ pairs:
+ app.kubernetes.io/component: ui
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/base/namespace.yaml b/workspaces/frontend/manifests/kustomize/base/namespace.yaml
new file mode 100644
index 000000000..0076fabf9
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow-workspaces
\ No newline at end of file
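Review bot: In base/deployment.yaml the container `securityContext` stops at `allowPrivilegeEscalation: false` and dropping `ALL` capabilities, so nothing in the manifest keeps the image from running as UID 0 or without a seccomp filter. Consider adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` under the same `securityContext`, which is what the Pod Security "restricted" profile expects; `readOnlyRootFilesystem: true` is worth adding as well if the image tolerates a read-only root filesystem, which this patch does not show. Separately, `image: workspaces-frontend` carries no tag or digest and is paired with `imagePullPolicy: IfNotPresent`, and no `images:` override is visible in the overlay, so a node may keep running whatever it has cached. Pinning a tag or digest through the kustomize `images:` transformer would make the deployed artifact explicit.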
diff --git a/workspaces/frontend/manifests/kustomize/base/service.yaml b/workspaces/frontend/manifests/kustomize/base/service.yaml
new file mode 100644
index 000000000..34ba13dc6
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/base/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: workspaces-frontend
+spec:
+ ports:
+ - name: http-ui
+ port: 8080
+ targetPort: http-ui
+ type: ClusterIP
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/common/kustomization.yaml b/workspaces/frontend/manifests/kustomize/components/common/kustomization.yaml
new file mode 100644
index 000000000..a80030c5d
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/common/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+labels:
+- includeSelectors: true
+ pairs:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: workspaces-frontend
+ app.kubernetes.io/part-of: kubeflow-workspaces
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/authorization-policy.yaml b/workspaces/frontend/manifests/kustomize/components/istio/authorization-policy.yaml
new file mode 100644
index 000000000..29ced65b1
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/authorization-policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: workspaces-frontend
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: ui
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: workspaces-frontend
+ app.kubernetes.io/part-of: kubeflow-workspaces
+ rules:
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
\ No newline at end of file
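Review bot: The single rule in authorization-policy.yaml admits every request whose peer identity is the ingress gateway's service account and has no `to` or `when` clause, so any path, method or end user the gateway forwards reaches the UI. If end-user authentication is meant to be enforced at the gateway, which this patch does not show, say so in a comment above `rules:`, for example `# Only the ingress gateway may call the UI; end-user authentication is enforced upstream at the gateway`. The principal also hard-codes the `cluster.local` trust domain and the `istio-system` gateway account, while the overlay derives the other namespace-dependent fields through replacements. On a mesh with a different trust domain or gateway identity the policy matches nothing and every request is denied, which is fail-closed but worth documenting next to the principal.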
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/destination-rule.yaml b/workspaces/frontend/manifests/kustomize/components/istio/destination-rule.yaml
new file mode 100644
index 000000000..d1ef05f11
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/destination-rule.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: workspaces-frontend
+spec:
+ host: workspaces-frontend.kubeflow-workspaces.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/kustomization.yaml b/workspaces/frontend/manifests/kustomize/components/istio/kustomization.yaml
new file mode 100644
index 000000000..7ac2400f1
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- destination-rule.yaml
+- virtual-service.yaml
+- authorization-policy.yaml
+
+labels:
+- pairs:
+ app.kubernetes.io/component: ui
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml b/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
new file mode 100644
index 000000000..9c67f8ba0
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: workspaces-frontend
+spec:
+ gateways:
+ - kubeflow/kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ # Case 1: Exact match for /workspaces → rewrite to /
+ - match:
+ - uri:
+ exact: /workspaces
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: workspaces-frontend.kubeflow-workspaces.svc.cluster.local
+ port:
+ number: 8080
+ # Case 2: Prefix match for /workspaces/ → strip prefix by rewriting to /
+ - match:
+ - uri:
+ prefix: /workspaces/
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: workspaces-frontend.kubeflow-workspaces.svc.cluster.local
+ port:
+ number: 8080
\ No newline at end of file
diff --git a/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml b/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
new file mode 100644
index 000000000..ef21d3393
--- /dev/null
+++ b/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
@@ -0,0 +1,125 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kubeflow-workspaces
+
+resources:
+- ../../base
+
+components:
+- ../../components/istio
+- ../../components/common
+
+patches:
+- patch: |-
+ - op: remove
+ path: /metadata/labels/app.kubernetes.io~1component
+ - op: remove
+ path: /metadata/labels/app.kubernetes.io~1name
+ - op: add
+ path: /metadata/labels/istio-injection
+ value: enabled
+ target:
+ kind: Namespace
+ name: kubeflow-workspaces
+
+replacements:
+- source:
+ fieldPath: metadata.namespace
+ kind: Deployment
+ name: workspaces-frontend
+ targets:
+ - fieldPaths:
+ - metadata.name
+ select:
+ kind: Namespace
+ name: kubeflow-workspaces
+- source:
+ fieldPath: metadata.name
+ kind: Service
+ name: workspaces-frontend
+ version: v1
+ targets:
+ - fieldPaths:
+ - spec.http.0.route.0.destination.host
+ options:
+ delimiter: .
+ select:
+ group: networking.istio.io
+ kind: VirtualService
+ name: workspaces-frontend
+ version: v1beta1
+ - fieldPaths:
+ - spec.http.1.route.0.destination.host
+ options:
+ delimiter: .
+ select:
+ group: networking.istio.io
+ kind: VirtualService
+ name: workspaces-frontend
+ version: v1beta1
+ - fieldPaths:
+ - spec.host
+ options:
+ delimiter: .
+ select:
+ group: networking.istio.io
+ kind: DestinationRule
+ name: workspaces-frontend
+ version: v1beta1
+- source:
+ fieldPath: metadata.namespace
+ kind: Service
+ name: workspaces-frontend
+ version: v1
+ targets:
+ - fieldPaths:
+ - spec.http.0.route.0.destination.host
+ options:
+ delimiter: .
+ index: 1
+ select:
+ group: networking.istio.io
+ kind: VirtualService
+ name: workspaces-frontend
+ version: v1beta1
+ - fieldPaths:
+ - spec.http.1.route.0.destination.host
+ options:
+ delimiter: .
+ index: 1
+ select:
+ group: networking.istio.io
+ kind: VirtualService
+ name: workspaces-frontend
+ version: v1beta1
+ - fieldPaths:
+ - spec.host
+ options:
+ delimiter: .
+ index: 1
+ select:
+ group: networking.istio.io
+ kind: DestinationRule
+ name: workspaces-frontend
+ version: v1beta1
+- source:
+ fieldPath: spec.ports.[name=http-ui].port
+ kind: Service
+ name: workspaces-frontend
+ version: v1
+ targets:
+ - fieldPaths:
+ - spec.http.0.route.0.destination.port.number
+ select:
+ group: networking.istio.io
+ kind: VirtualService
+ name: workspaces-frontend
+ version: v1beta1
+ - fieldPaths:
+ - spec.http.1.route.0.destination.port.number
+ select:
+ group: networking.istio.io
+ kind: VirtualService
+ name: workspaces-frontend
+ version: v1beta1
\ No newline at end of file
From d77c93a8433be84b49426ad341ec4d83230867d8 Mon Sep 17 00:00:00 2001
From: Andy Stoneberg
Date: Thu, 21 Aug 2025 13:24:46 -0400
Subject: [PATCH 2/2] fix: virtual-service tweaks from review
Signed-off-by: Andy Stoneberg
---
.../manifests/kustomize/base/deployment.yaml | 2 ++
.../components/istio/virtual-service.yaml | 14 ++--------
.../overlays/istio/kustomization.yaml | 26 -------------------
3 files changed, 4 insertions(+), 38 deletions(-)
diff --git a/workspaces/frontend/manifests/kustomize/base/deployment.yaml b/workspaces/frontend/manifests/kustomize/base/deployment.yaml
index 0af139109..c57639858 100644
--- a/workspaces/frontend/manifests/kustomize/base/deployment.yaml
+++ b/workspaces/frontend/manifests/kustomize/base/deployment.yaml
@@ -12,6 +12,8 @@ spec:
 maxUnavailable: 0
 maxSurge: 1
 template:
+ metadata:
+ labels: {}
 spec:
 terminationGracePeriodSeconds: 30
 containers:
diff --git a/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml b/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
index 9c67f8ba0..edf17a55b 100644
--- a/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
+++ b/workspaces/frontend/manifests/kustomize/components/istio/virtual-service.yaml
@@ -8,21 +8,11 @@ spec:
 hosts:
 - '*'
 http:
- # Case 1: Exact match for /workspaces → rewrite to /
- - match:
- - uri:
- exact: /workspaces
- rewrite:
- uri: /
- route:
- - destination:
- host: workspaces-frontend.kubeflow-workspaces.svc.cluster.local
- port:
- number: 8080
- # Case 2: Prefix match for /workspaces/ → strip prefix by rewriting to /
 - match:
 - uri:
 prefix: /workspaces/
+ - uri:
+ exact: /workspaces
 rewrite:
 uri: /
 route:
diff --git a/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml b/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
index ef21d3393..84f7c9594 100644
--- a/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
+++ b/workspaces/frontend/manifests/kustomize/overlays/istio/kustomization.yaml
@@ -49,15 +49,6 @@ replacements:
 kind: VirtualService
 name: workspaces-frontend
 version: v1beta1
- - fieldPaths:
- - spec.http.1.route.0.destination.host
- options:
- delimiter: .
- select:
- group: networking.istio.io
- kind: VirtualService
- name: workspaces-frontend
- version: v1beta1
 - fieldPaths:
 - spec.host
 options:
@@ -83,16 +74,6 @@ replacements:
 kind: VirtualService
 name: workspaces-frontend
 version: v1beta1
- - fieldPaths:
- - spec.http.1.route.0.destination.host
- options:
- delimiter: .
- index: 1
- select:
- group: networking.istio.io
- kind: VirtualService
- name: workspaces-frontend
- version: v1beta1
 - fieldPaths:
 - spec.host
 options:
@@ -111,13 +92,6 @@ replacements:
 targets:
 - fieldPaths:
 - spec.http.0.route.0.destination.port.number
- select:
- group: networking.istio.io
- kind: VirtualService
- name: workspaces-frontend
- version: v1beta1
- - fieldPaths:
- - spec.http.1.route.0.destination.port.number
 select:
 group: networking.istio.io
 kind: VirtualService
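Review bot: The merged rule in virtual-service.yaml loses both `# Case …` comments, leaving a single `rewrite: uri: /` whose effect differs per match: for `prefix: /workspaces/` only the matched prefix is replaced, while for `exact: /workspaces` the whole path becomes `/`. A one-line comment above `- match:` would keep that visible to the next reader, for example `# /workspaces and /workspaces/* both go to the UI; the /workspaces prefix is stripped before forwarding`. The `route:` list continues outside the hunk, so the destination is not reviewed here.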