From 9406ca9b0af197687bb5025b8d2d241b4f194964 Mon Sep 17 00:00:00 2001 From: Griffin-Sullivan Date: Tue, 26 Nov 2024 10:39:58 -0500 Subject: [PATCH] Add Istio overlay for UI integration with Central Dashboard 
Signed-off-by: Griffin-Sullivan --- clients/ui/manifests/base/README.md | 81 ------------------- .../{ => bff}/base/kustomization.yaml | 9 +-- .../base/model-registry-bff-deployment.yaml | 1 + .../base/model-registry-bff-role.yaml | 0 .../base/model-registry-bff-service.yaml | 3 +- .../base/model-registry-service-account.yaml | 5 ++ .../bff/overlays/istio/auth-pol-bff.yaml | 16 ++++ .../bff/overlays/istio/dest-rule-bff.yaml | 11 +++ .../bff/overlays/istio/kustomization.yaml | 10 +++ .../frontend/base/kustomization.yaml | 12 +++ .../base/model-registry-service-account.yaml | 3 +- .../base/model-registry-ui-deployment.yaml | 11 ++- .../base/model-registry-ui-service.yaml | 2 +- .../overlays/istio/authorization-policy.yaml | 16 ++++ .../overlays/istio/destination-rule.yaml | 11 +++ .../overlays/istio/kustomization.yaml | 11 +++ .../overlays/istio/virtual-service.yaml | 25 ++++++ .../user-rbac/kubeflow-dashboard-rbac.yaml | 22 +++++ .../ui/manifests/user-rbac/kustomization.yaml | 3 +- 19 files changed, 159 insertions(+), 93 deletions(-) delete mode 100644 clients/ui/manifests/base/README.md rename clients/ui/manifests/{ => bff}/base/kustomization.yaml (54%) rename clients/ui/manifests/{ => bff}/base/model-registry-bff-deployment.yaml (95%) rename clients/ui/manifests/{ => bff}/base/model-registry-bff-role.yaml (100%) rename clients/ui/manifests/{ => bff}/base/model-registry-bff-service.yaml (80%) create mode 100644 clients/ui/manifests/bff/base/model-registry-service-account.yaml create mode 100644 clients/ui/manifests/bff/overlays/istio/auth-pol-bff.yaml create mode 100644 clients/ui/manifests/bff/overlays/istio/dest-rule-bff.yaml create mode 100644 clients/ui/manifests/bff/overlays/istio/kustomization.yaml create mode 100644 clients/ui/manifests/frontend/base/kustomization.yaml rename clients/ui/manifests/{ => frontend}/base/model-registry-service-account.yaml (61%) rename clients/ui/manifests/{ => frontend}/base/model-registry-ui-deployment.yaml (59%) rename 
clients/ui/manifests/{ => frontend}/base/model-registry-ui-service.yaml (91%) create mode 100644 clients/ui/manifests/frontend/overlays/istio/authorization-policy.yaml create mode 100644 clients/ui/manifests/frontend/overlays/istio/destination-rule.yaml create mode 100644 clients/ui/manifests/frontend/overlays/istio/kustomization.yaml create mode 100644 clients/ui/manifests/frontend/overlays/istio/virtual-service.yaml create mode 100644 clients/ui/manifests/user-rbac/kubeflow-dashboard-rbac.yaml diff --git a/clients/ui/manifests/base/README.md b/clients/ui/manifests/base/README.md deleted file mode 100644 index 33b8e414..00000000 --- a/clients/ui/manifests/base/README.md +++ /dev/null 
@@ -1,81 +0,0 @@ -[Model registry server set up]: ../../bff/docs/dev-guide.md - -## Deploying the Model Registry UI in a local cluster - -For this guide, we will be using kind for locally deploying our cluster. See -the [Model registry server set up] guide for prerequisites on setting up kind -and deploying the model registry server. - -### Setup -#### 1. Create a kind cluster -Create a local cluster for running the MR UI using the following command: -```shell -kind create cluster -``` - -#### 2. Create kubeflow namespace -Create a namespace for model registry to run in, by default this is kubeflow, run: -```shell -kubectl create namespace kubeflow -``` - -#### 3. Deploy Model Registry UI to cluster -You can now deploy the UI and BFF to your newly created cluster using the kustomize configs in this directory: -```shell -cd clients/ui - -kubectl apply -k manifests/base/ -n kubeflow -``` - -After a few seconds you should see 2 pods running (1 for BFF and 1 for UI): -```shell -kubectl get pods -n kubeflow -``` -``` -NAME READY STATUS RESTARTS AGE -model-registry-bff-746f674b99-bfvgs 1/1 Running 0 11s -model-registry-ui-58755c4754-zdrnr 1/1 Running 0 11s -``` - -#### 4. Access the Model Registry UI running in the cluster -Now that the pods are up and running you can access the UI. 
- -First you will need to port-forward the UI service by running the following in it's own terminal: -```shell -kubectl port-forward service/model-registry-ui-service 8080:8080 -n kubeflow -``` - -You can then access the UI running in your cluster locally at http://localhost:8080/ - -To test the BFF separately you can also port-forward that service by running: -```shell -kubectl port-forward service/model-registry-bff-service 4000:4000 -n kubeflow -``` - -You can now make API requests to the BFF endpoints like: -```shell -curl http://localhost:4000/api/v1/model-registry -``` -``` -{ - "model_registry": null -} -``` - -### Troubleshooting - -#### Running on macOS -When running locally on macOS you may find the pods fail to deploy, with one or more stuck in the `pending` state. This is usually due to insufficient memory allocated to your docker / podman virtual machine. You can verify this by running: -```shell -kubectl describe pods -n kubeflow -``` -If you're experiencing this issue you'll see an output containing something similar to the following: -``` -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Warning FailedScheduling 29s default-scheduler 0/1 nodes are available: 1 Insufficient memory. preemption: 0/1 nodes are available: 1 No preemption victims found for incoming pod. -``` - -To fix this, you'll need to increase the amount of memory available to the VM. This can be done through either the Podman Desktop or Docker Desktop GUI. 6-8GB of memory is generally a sufficient amount to use. - diff --git a/clients/ui/manifests/base/kustomization.yaml b/clients/ui/manifests/bff/base/kustomization.yaml similarity index 54% rename from clients/ui/manifests/base/kustomization.yaml rename to clients/ui/manifests/bff/base/kustomization.yaml index 6ad60984..81349547 100644 --- a/clients/ui/manifests/base/kustomization.yaml +++ b/clients/ui/manifests/bff/base/kustomization.yaml 
@@ -5,14 +5,9 @@ resources: - model-registry-bff-role.yaml - model-registry-bff-service.yaml - model-registry-bff-deployment.yaml -- model-registry-ui-service.yaml -- model-registry-ui-deployment.yaml - model-registry-service-account.yaml images: - name: model-registry-bff-image - newName: kubeflow/model-registry-bff - newTag: latest -- name: model-registry-ui-image - newName: kubeflow/model-registry-ui - newTag: latest + newName: docker.io/kubeflow/model-registry-bff + newTag: main-648c8fe diff --git a/clients/ui/manifests/base/model-registry-bff-deployment.yaml b/clients/ui/manifests/bff/base/model-registry-bff-deployment.yaml similarity index 95% rename from clients/ui/manifests/base/model-registry-bff-deployment.yaml rename to clients/ui/manifests/bff/base/model-registry-bff-deployment.yaml index 27a2b599..68395a7f 100644 --- a/clients/ui/manifests/base/model-registry-bff-deployment.yaml +++ b/clients/ui/manifests/bff/base/model-registry-bff-deployment.yaml @@ -18,6 +18,7 @@ spec: containers: - name: model-registry-bff image: model-registry-bff-image + imagePullPolicy: Never resources: limits: cpu: 500m diff --git a/clients/ui/manifests/base/model-registry-bff-role.yaml b/clients/ui/manifests/bff/base/model-registry-bff-role.yaml similarity index 100% rename from clients/ui/manifests/base/model-registry-bff-role.yaml rename to clients/ui/manifests/bff/base/model-registry-bff-role.yaml diff --git a/clients/ui/manifests/base/model-registry-bff-service.yaml b/clients/ui/manifests/bff/base/model-registry-bff-service.yaml similarity index 80% rename from clients/ui/manifests/base/model-registry-bff-service.yaml rename to clients/ui/manifests/bff/base/model-registry-bff-service.yaml index 20c1e0df..9efe6fd1 100644 --- a/clients/ui/manifests/base/model-registry-bff-service.yaml +++ b/clients/ui/manifests/bff/base/model-registry-bff-service.yaml 
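Review bot: `imagePullPolicy: Never` in the base BFF Deployment means the kubelet never contacts the registry, so the pod only starts on nodes that already hold an image with that name, and whatever local image carries the tag is what runs. That works against the kustomization hunk in this same commit, which pins `docker.io/kubeflow/model-registry-bff` to `main-648c8fe`, and it looks like a local kind-cluster setting that leaked into the base. I would drop the line from the base (or use `imagePullPolicy: IfNotPresent`) and keep `Never` in a dev-only overlay. The container spec continues outside the hunk.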
@@ -8,4 +8,5 @@ spec:
 ports:
 - protocol: TCP
 port: 4000
- targetPort: 4000
\ No newline at end of file
+ targetPort: 4000
+ name: http
\ No newline at end of file
diff --git a/clients/ui/manifests/bff/base/model-registry-service-account.yaml b/clients/ui/manifests/bff/base/model-registry-service-account.yaml
new file mode 100644
index 00000000..5cbafe20
--- /dev/null
+++ b/clients/ui/manifests/bff/base/model-registry-service-account.yaml
@@ -0,0 +1,5 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: model-registry-bff
diff --git a/clients/ui/manifests/bff/overlays/istio/auth-pol-bff.yaml b/clients/ui/manifests/bff/overlays/istio/auth-pol-bff.yaml
new file mode 100644
index 00000000..6ffc25f1
--- /dev/null
+++ b/clients/ui/manifests/bff/overlays/istio/auth-pol-bff.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: model-registry-bff
+ namespace: kubeflow
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+ selector:
+ matchLabels:
+ app: model-registry-bff
\ No newline at end of file
diff --git a/clients/ui/manifests/bff/overlays/istio/dest-rule-bff.yaml b/clients/ui/manifests/bff/overlays/istio/dest-rule-bff.yaml
new file mode 100644
index 00000000..986b96cd
--- /dev/null
+++ b/clients/ui/manifests/bff/overlays/istio/dest-rule-bff.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: model-registry-bff
+ namespace: kubeflow
+spec:
+ host: model-registry-bff-service.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
\ No newline at end of file
diff --git a/clients/ui/manifests/bff/overlays/istio/kustomization.yaml b/clients/ui/manifests/bff/overlays/istio/kustomization.yaml
new file mode 100644
index 00000000..55db1113
--- /dev/null
+++ b/clients/ui/manifests/bff/overlays/istio/kustomization.yaml
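Review bot: The BFF policy in auth-pol-bff.yaml allows only the ingress-gateway principal, yet nothing in this commit routes gateway traffic to the BFF: the only VirtualService targets model-registry-ui-service, and the UI Deployment is given an `API_URL` that points at model-registry-bff-service. If the UI pod proxies API calls to that URL, they arrive with the `model-registry-ui` service-account principal and this ALLOW policy would reject them. Either add `cluster.local/ns/kubeflow/sa/model-registry-ui` to `principals` or add a gateway route for the BFF, and record the intent in a comment such as `# callers are limited to the gateway so the user-id header is always gateway-set`. The identical principal list in frontend/overlays/istio/authorization-policy.yaml does match the route that exists.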
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+- auth-pol-bff.yaml
+- dest-rule-bff.yaml
+namespace: kubeflow
+commonLabels:
+ app: model-registry-bff
+ kustomize.component: model-registry-bff
diff --git a/clients/ui/manifests/frontend/base/kustomization.yaml b/clients/ui/manifests/frontend/base/kustomization.yaml
new file mode 100644
index 00000000..94ce7430
--- /dev/null
+++ b/clients/ui/manifests/frontend/base/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- model-registry-ui-service.yaml
+- model-registry-ui-deployment.yaml
+- model-registry-service-account.yaml
+
+images:
+- name: model-registry-ui-image
+ newName: docker.io/kubeflow/model-registry-ui
+ newTag: latest
diff --git a/clients/ui/manifests/base/model-registry-service-account.yaml b/clients/ui/manifests/frontend/base/model-registry-service-account.yaml
similarity index 61%
rename from clients/ui/manifests/base/model-registry-service-account.yaml
rename to clients/ui/manifests/frontend/base/model-registry-service-account.yaml
index 86cbfc9b..eb02a284 100644
--- a/clients/ui/manifests/base/model-registry-service-account.yaml
+++ b/clients/ui/manifests/frontend/base/model-registry-service-account.yaml
@@ -1,4 +1,5 @@
+---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
- name: model-registry-bff
\ No newline at end of file
+ name: model-registry-ui
\ No newline at end of file
diff --git a/clients/ui/manifests/base/model-registry-ui-deployment.yaml b/clients/ui/manifests/frontend/base/model-registry-ui-deployment.yaml
similarity index 59%
rename from clients/ui/manifests/base/model-registry-ui-deployment.yaml
rename to clients/ui/manifests/frontend/base/model-registry-ui-deployment.yaml
index 23c55eb0..f70e0aea 100644
--- a/clients/ui/manifests/base/model-registry-ui-deployment.yaml
+++ b/clients/ui/manifests/frontend/base/model-registry-ui-deployment.yaml
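Review bot: `newTag: latest` in frontend/base/kustomization.yaml leaves the UI image unpinned while the BFF kustomization in this commit moves to `main-648c8fe`, so the two halves can drift apart and a rollout is not reproducible. A mutable tag also lets the running content change with no manifest change to review. Pin the UI to a build tag as well, or to a digest through the kustomize `digest:` field, e.g. `digest: sha256:<image-digest-placeholder>`.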
@@ -14,6 +14,7 @@ spec:
 labels:
 app: model-registry-ui
 spec:
+ serviceAccountName: model-registry-ui
 containers:
 - name: model-registry-ui
 image: model-registry-ui-image
@@ -27,5 +28,13 @@ spec:
 ports:
 - containerPort: 8080
 env:
+ # TODO: Add env variables
 - name: API_URL
- value: "http://model-registry-bff-service:4000"
+ value: "http://model-registry-bff-service.kubeflow.svc.cluster.local:4000"
+ - name: APP_PREFIX
+ value: /model-registry
+ - name: USERID_HEADER
+ value: kubeflow-userid
+ # TODO: Come back to this before committing
+ # - name: USERID_PREFIX
+ # value: ""
\ No newline at end of file
diff --git a/clients/ui/manifests/base/model-registry-ui-service.yaml b/clients/ui/manifests/frontend/base/model-registry-ui-service.yaml
similarity index 91%
rename from clients/ui/manifests/base/model-registry-ui-service.yaml
rename to clients/ui/manifests/frontend/base/model-registry-ui-service.yaml
index 10211cd1..b4bc0be8 100644
--- a/clients/ui/manifests/base/model-registry-ui-service.yaml
+++ b/clients/ui/manifests/frontend/base/model-registry-ui-service.yaml
@@ -7,6 +7,6 @@ spec:
 app: model-registry-ui
 ports:
 - protocol: TCP
- port: 8080
+ port: 80
 targetPort: 8080
 name: http
diff --git a/clients/ui/manifests/frontend/overlays/istio/authorization-policy.yaml b/clients/ui/manifests/frontend/overlays/istio/authorization-policy.yaml
new file mode 100644
index 00000000..50893533
--- /dev/null
+++ b/clients/ui/manifests/frontend/overlays/istio/authorization-policy.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: model-registry-ui
+ namespace: kubeflow
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ principals:
+ - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+ selector:
+ matchLabels:
+ app: model-registry-ui
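Review bot: `USERID_HEADER: kubeflow-userid` is set in the base Deployment (second hunk of model-registry-ui-deployment.yaml), where none of the Istio AuthorizationPolicies apply. Assuming the UI or BFF treats that header as the caller's identity, anyone who can reach the Service in a base-only deployment can supply any user id. I would move `APP_PREFIX`, `USERID_HEADER` and the namespace-qualified `API_URL` into the istio overlay as a patch, so the base does not trust a header that nothing in front of it sets. The same block still carries `# TODO: Come back to this before committing` and a commented-out `USERID_PREFIX`, which should be resolved or removed before merge. The container spec starts outside the hunk.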
diff --git a/clients/ui/manifests/frontend/overlays/istio/destination-rule.yaml b/clients/ui/manifests/frontend/overlays/istio/destination-rule.yaml
new file mode 100644
index 00000000..68cc8f7e
--- /dev/null
+++ b/clients/ui/manifests/frontend/overlays/istio/destination-rule.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: model-registry-ui
+ namespace: kubeflow
+spec:
+ host: model-registry-ui-service.kubeflow.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
diff --git a/clients/ui/manifests/frontend/overlays/istio/kustomization.yaml b/clients/ui/manifests/frontend/overlays/istio/kustomization.yaml
new file mode 100644
index 00000000..6cdc45e7
--- /dev/null
+++ b/clients/ui/manifests/frontend/overlays/istio/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+- virtual-service.yaml
+- authorization-policy.yaml
+- destination-rule.yaml
+namespace: kubeflow
+commonLabels:
+ app: model-registry-ui
+ kustomize.component: model-registry-ui
diff --git a/clients/ui/manifests/frontend/overlays/istio/virtual-service.yaml b/clients/ui/manifests/frontend/overlays/istio/virtual-service.yaml
new file mode 100644
index 00000000..cadd6fd9
--- /dev/null
+++ b/clients/ui/manifests/frontend/overlays/istio/virtual-service.yaml
@@ -0,0 +1,25 @@
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: model-registry-ui
+spec:
+ gateways:
+ - kubeflow-gateway
+ hosts:
+ - '*'
+ http:
+ - headers:
+ request:
+ add:
+ x-forwarded-prefix: /model-registry
+ match:
+ - uri:
+ prefix: /model-registry/
+ rewrite:
+ uri: /
+ route:
+ - destination:
+ host: model-registry-ui-service.kubeflow.svc.cluster.local
+ port:
+ number: 80
diff --git a/clients/ui/manifests/user-rbac/kubeflow-dashboard-rbac.yaml b/clients/ui/manifests/user-rbac/kubeflow-dashboard-rbac.yaml
new file mode 100644
index 00000000..744f14d2
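Review bot: In virtual-service.yaml, `headers.request.add` appends `x-forwarded-prefix` rather than replacing it, so a value the client already sent is forwarded alongside `/model-registry`. If the UI builds links or redirects from that header, the gateway-supplied value should be the only one the backend sees; use `set:` in place of `add:`. Separately, `prefix: /model-registry/` does not match a request for `/model-registry` without the trailing slash, which is worth a second match entry or a comment stating that the dashboard always links with the slash.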
--- /dev/null +++ b/clients/ui/manifests/user-rbac/kubeflow-dashboard-rbac.yaml @@ -0,0 +1,22 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: service-access-cluster-role +rules: + - apiGroups: [""] + resources: ["services"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: service-access-cluster-binding + namespace: kubeflow +subjects: + - kind: User + name: user@example.com + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: service-access-cluster-role + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/clients/ui/manifests/user-rbac/kustomization.yaml b/clients/ui/manifests/user-rbac/kustomization.yaml index cb01d8d0..3e513a32 100644 --- a/clients/ui/manifests/user-rbac/kustomization.yaml +++ b/clients/ui/manifests/user-rbac/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - admin-rbac.yaml \ No newline at end of file + - admin-rbac.yaml + - kubeflow-dashboard-rbac.yaml \ No newline at end of file
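Review bot: kubeflow-dashboard-rbac.yaml grants `get`/`list` on Services in every namespace through a ClusterRole and ClusterRoleBinding, bound to the literal user `user@example.com`. If the dashboard only needs to find the model-registry Services in `kubeflow`, a namespaced `Role` and `RoleBinding` would do the same job with less reach. The `namespace: kubeflow` field on the ClusterRoleBinding has no effect, since that kind is cluster-scoped. The subject should be marked as a placeholder for deployers to patch, e.g. `# replace with the identity of the profile owner`, and a `model-registry-` prefix on `service-access-cluster-role` and `service-access-cluster-binding` would avoid collisions with other cluster-wide objects.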