feat(ws): add manifests for backend (#455)

* feat(ws): Define k8s workload manifest for backend component #324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

* feat(ws): Define k8s workload manifest for backend component #324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

* feat(ws): add Istio AuthorizationPolicy for nb-backend #324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

* feat(ws): Define k8s workload manifest for backend component + istio - kubeflow#324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

---------

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>
Co-authored-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

workspaces/backend/Makefile

@@ -1,5 +1,5 @@
 # Image URL to use all building/pushing image targets
-IMG ?= nbv2-backend:latest
+IMG ?= nb-backend:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.31.0
 
@@ -124,11 +124,13 @@ $(LOCALBIN):
 
 ## Tool Binaries
 KUBECTL ?= kubectl
+KUSTOMIZE := $(LOCALBIN)/kustomize
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 SWAGGER = $(LOCALBIN)/swag
 
 ## Tool Versions
+KUSTOMIZE_VERSION ?= v5.5.0
 ENVTEST_VERSION ?= release-0.19
 GOLANGCI_LINT_VERSION ?= v1.61.0
 SWAGGER_VERSION ?= v1.16.6
@@ -148,6 +150,26 @@ golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
 	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION))
 
+
+##@ deployment
+
+.PHONY: deploy
+deploy: kustomize ## Deploy backend to the K8s cluster specified in ~/.kube/config.
+	cd manifests/kustomize/overlays/istio && $(KUSTOMIZE) edit set image workspaces-backend=${IMG}
+	$(KUBECTL) apply -k manifests/kustomize/overlays/istio
+
+.PHONY: undeploy
+undeploy: kustomize ## Undeploy backend from the K8s cluster specified in ~/.kube/config.
+	$(KUBECTL) delete -k manifests/kustomize/overlays/istio --ignore-not-found=true
+
+
+##@ Dependencies
+
+.PHONY: kustomize
+kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
+$(KUSTOMIZE): $(LOCALBIN)
+	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION))
+
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
 # $2 - package url which can be installed

workspaces/backend/manifests/kustomize/base/deployment.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workspaces-backend
+spec:
+  replicas: 1
+  selector:
+    matchLabels: {}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1
+  template:
+    metadata:
+      labels: {}
+    spec:
+      serviceAccountName: workspaces-backend
+      securityContext:
+        runAsNonRoot: true
+      terminationGracePeriodSeconds: 30
+      containers:
+      - name: workspaces-backend
+        image: workspaces-backend
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+        ports:
+        - name: http-api
+          containerPort: 4000
+        env:
+        - name: PORT
+          value: "4000"
+        resources:
+          limits:
+            cpu: 1
+            memory: 1Gi
+          requests:
+            cpu: 100m
+            memory: 512Mi
+        livenessProbe:
+          httpGet:
+            path: /api/v1/healthcheck
+            port: http-api
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 20
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        readinessProbe:
+          httpGet:
+            path: /api/v1/healthcheck
+            port: http-api
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1

workspaces/backend/manifests/kustomize/base/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kubeflow-workspaces
+
+resources:
+- namespace.yaml
+- service_account.yaml
+- rbac.yaml
+- service.yaml
+- deployment.yaml
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/component: api

workspaces/backend/manifests/kustomize/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubeflow-workspaces

workspaces/backend/manifests/kustomize/base/rbac.yaml

@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: workspaces-backend
+rules:
+- apiGroups:
+  - kubeflow.org
+  resources:
+  - workspaces
+  - workspacekinds
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: workspaces-backend
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: workspaces-backend
+subjects:
+- kind: ServiceAccount
+  name: workspaces-backend
+  namespace: kubeflow-workspaces

workspaces/backend/manifests/kustomize/base/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: workspaces-backend
+spec:
+  selector: {}
+  ports:
+  - name: http-api
+    port: 4000
+    targetPort: http-api
+  type: ClusterIP

workspaces/backend/manifests/kustomize/base/service_account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: workspaces-backend

workspaces/backend/manifests/kustomize/components/common/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: workspaces-backend
+    app.kubernetes.io/part-of: kubeflow-workspaces

workspaces/backend/manifests/kustomize/components/istio/authorization-policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: workspaces-backend
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: api
+      app.kubernetes.io/managed-by: kustomize
+      app.kubernetes.io/name: workspaces-backend
+      app.kubernetes.io/part-of: kubeflow-workspaces
+  rules:
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account

workspaces/backend/manifests/kustomize/components/istio/destination-rule.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: workspaces-backend
+spec:
+  host: workspaces-backend.kubeflow-workspaces.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL

workspaces/backend/manifests/kustomize/components/istio/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- destination-rule.yaml
+- virtual-service.yaml
+- authorization-policy.yaml
+
+labels:
+- pairs:
+    app.kubernetes.io/component: api

workspaces/backend/manifests/kustomize/components/istio/virtual-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: workspaces-backend
+spec:
+  gateways:
+  - kubeflow/kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+  - match:
+    - uri:
+        prefix: /workspaces/api/
+    rewrite:
+      uri: /api/
+    route:
+    - destination:
+        host: workspaces-backend.kubeflow-workspaces.svc.cluster.local
+        port:
+          number: 4000

workspaces/backend/manifests/kustomize/overlays/istio/kustomization.yaml

@@ -0,0 +1,104 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kubeflow-workspaces
+
+resources:
+- ../../base
+
+components:
+- ../../components/istio
+- ../../components/common
+
+patches:
+- patch: |-
+    - op: remove
+      path: /metadata/labels/app.kubernetes.io~1component
+    - op: remove
+      path: /metadata/labels/app.kubernetes.io~1name
+    - op: add
+      path: /metadata/labels/istio-injection
+      value: enabled
+  target:
+    kind: Namespace
+    name: kubeflow-workspaces
+
+replacements:
+- source:
+    fieldPath: metadata.namespace
+    kind: ServiceAccount
+    name: workspaces-backend
+  targets:
+  - fieldPaths:
+    - metadata.name
+    select:
+      kind: Namespace
+      name: kubeflow-workspaces
+  - fieldPaths:
+    - subjects.[kind=ServiceAccount].namespace
+    select:
+      kind: ClusterRoleBinding
+      name: workspaces-backend
+- source:
+    fieldPath: metadata.name
+    kind: Service
+    name: workspaces-backend
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.http.0.route.0.destination.host
+    options:
+      delimiter: .
+    select:
+      group: networking.istio.io
+      kind: VirtualService
+      name: workspaces-backend
+      version: v1beta1
+  - fieldPaths:
+    - spec.host
+    options:
+      delimiter: .
+    select:
+      group: networking.istio.io
+      kind: DestinationRule
+      name: workspaces-backend
+      version: v1beta1
+- source:
+    fieldPath: metadata.namespace
+    kind: Service
+    name: workspaces-backend
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.http.0.route.0.destination.host
+    options:
+      delimiter: .
+      index: 1
+    select:
+      group: networking.istio.io
+      kind: VirtualService
+      name: workspaces-backend
+      version: v1beta1
+  - fieldPaths:
+    - spec.host
+    options:
+      delimiter: .
+      index: 1
+    select:
+      group: networking.istio.io
+      kind: DestinationRule
+      name: workspaces-backend
+      version: v1beta1
+- source:
+    fieldPath: spec.ports.[name=http-api].port
+    kind: Service
+    name: workspaces-backend
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.http.0.route.0.destination.port.number
+    select:
+      group: networking.istio.io
+      kind: VirtualService
+      name: workspaces-backend
+      version: v1beta1