Add Istio overlay for UI integration with Central Dashboard

Signed-off-by: Griffin-Sullivan <[email protected]>
kubeflow · Dec 4, 2024 · e82aa05 · e82aa05
1 parent a12fd00
commit e82aa05
Show file tree

Hide file tree

Showing 9 changed files with 123 additions and 3 deletions.
diff --git a/clients/ui/manifests/base/README.md b/clients/ui/manifests/base/README.md
@@ -79,3 +79,4 @@ Events:
 
 To fix this, you'll need to increase the amount of memory available to the VM. This can be done through either the Podman Desktop or Docker Desktop GUI. 6-8GB of memory is generally a sufficient amount to use.
 
+## TODO: Add istio instructions
diff --git a/clients/ui/manifests/base/model-registry-bff-service.yaml b/clients/ui/manifests/base/model-registry-bff-service.yaml
@@ -8,4 +8,5 @@ spec:
   ports:
     - protocol: TCP
       port: 4000
-      targetPort: 4000
+      targetPort: 4000
+      name: http
diff --git a/clients/ui/manifests/base/model-registry-service-account.yaml b/clients/ui/manifests/base/model-registry-service-account.yaml
@@ -1,4 +1,10 @@
+---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  name: model-registry-bff
+  name: model-registry-bff
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: model-registry-ui
diff --git a/clients/ui/manifests/base/model-registry-ui-deployment.yaml b/clients/ui/manifests/base/model-registry-ui-deployment.yaml
@@ -14,9 +14,11 @@ spec:
       labels:
         app: model-registry-ui
     spec:
+      serviceAccountName: model-registry-ui 
       containers:
       - name: model-registry-ui
         image: model-registry-ui-image
+        imagePullPolicy: Never
         resources:
           limits:
             cpu: 500m
@@ -27,5 +29,13 @@ spec:
         ports:
           - containerPort: 8080
         env:
+        # TODO: Add env variables
           - name: API_URL
-            value: "http://model-registry-bff-service:4000"
+            value: "http://model-registry-bff-service.kubeflow.svc.cluster.local:4000"
+          - name: APP_PREFIX
+            value: /model-registry
+          - name: USERID_HEADER
+            value: kubeflow-userid
+          # TODO: Come back to this before committing
+          # - name: USERID_PREFIX
+          #   value: ""
diff --git a/clients/ui/manifests/overlays/istio/authorization-policy.yaml b/clients/ui/manifests/overlays/istio/authorization-policy.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: model-registry-ui
+  namespace: kubeflow
+spec:
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        principals:
+        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+  - to:
+    - {}
+  selector:
+    matchLabels:
+      app: model-registry-ui
+
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: model-registry-bff
+  namespace: kubeflow
+spec:
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+              - cluster.local/ns/kubeflow/sa/model-registry-ui
+  selector:
+    matchLabels:
+      app: model-registry-bff
diff --git a/clients/ui/manifests/overlays/istio/destination-rule.yaml b/clients/ui/manifests/overlays/istio/destination-rule.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: model-registry-ui
+  namespace: kubeflow
+spec:
+  host: model-registry-ui-service.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: model-registry-bff
+  namespace: kubeflow
+spec:
+  host: model-registry-bff-service.kubeflow.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
diff --git a/clients/ui/manifests/overlays/istio/kustomization.yaml b/clients/ui/manifests/overlays/istio/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+- virtual-service.yaml
+- authorization-policy.yaml
+- destination-rule.yaml
+namespace: kubeflow
+commonLabels:
+  app: model-registry-ui
+  kustomize.component: model-registry-ui
+configurations:
+- params.yaml
diff --git a/clients/ui/manifests/overlays/istio/params.yaml b/clients/ui/manifests/overlays/istio/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: spec/http/route/destination/host
+  kind: VirtualService
diff --git a/clients/ui/manifests/overlays/istio/virtual-service.yaml b/clients/ui/manifests/overlays/istio/virtual-service.yaml
@@ -0,0 +1,27 @@
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: model-registry-ui
+  namespace: kubeflow
+spec:
+  gateways:
+    - kubeflow-gateway
+  hosts:
+    - '*'
+  http:
+    # Rule for the main application path
+    - match:
+        - uri:
+            prefix: /model-registry/
+      rewrite:
+        uri: /
+      headers:
+        request:
+          add:
+            x-forwarded-prefix: /model-registry
+      route:
+        - destination:
+            host: model-registry-ui-service.kubeflow.svc.cluster.local
+            port:
+              number: 8080
Original file line number	Diff line number	Diff line change
Expand Up		@@ -79,3 +79,4 @@ Events:

		To fix this, you'll need to increase the amount of memory available to the VM. This can be done through either the Podman Desktop or Docker Desktop GUI. 6-8GB of memory is generally a sufficient amount to use.

		## TODO: Add istio instructions