feat: add istio virtualservice reconciliation to controller (#500)

* setup virtualservice to route traffic for workspaces
- Update the helper func with CopyDeepVirtualService
- set istio env var as config across controller
- make controller manifest consistent with frontend/backend
- fix the configmap name in manager_istio_patch.yaml

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

* add e2e test to verify workspace connection

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

* fixed controller config with istio component

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

* restructure the virtual service httproute configuration

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

* Remove the extend e2e test of portforward gateway

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

* remove the reference of istio overlays

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

* set service name with available service for e2e test

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

* Fix the naming convention and e2e changes

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

---------

Signed-off-by: Harshad Reddy Nalla <hnalla@redhat.com>

Author: harshad16

workspaces/backend/internal/models/workspaces/funcs.go

@@ -359,7 +359,7 @@ func buildServices(ws *kubefloworgv1beta1.Workspace, wskPodTemplatePorts map[kub
 		case kubefloworgv1beta1.ImagePortProtocolHTTP:
 			services[i].HttpService = &HttpService{
 				DisplayName: ptr.Deref(port.DisplayName, wskPort.DefaultDisplayName),
-				HttpPath:    fmt.Sprintf("/workspace/%s/%s/%s/", ws.Namespace, ws.Name, port.Id),
+				HttpPath:    fmt.Sprintf("/workspace/connect/%s/%s/%s/", ws.Namespace, ws.Name, port.Id),
 			}
 		}
 	}

workspaces/controller/api/v1beta1/workspacekind_types.go

@@ -279,7 +279,7 @@ type WorkspaceKindVolumeMounts struct {
 
 type HTTPProxy struct {
 	// if the path prefix is stripped from incoming HTTP requests
-	//  - if true, the '/workspace/{profile_name}/{workspace_name}/' path prefix
+	//  - if true, the '/workspace/connect/{profile_name}/{workspace_name}/' path prefix
 	//    is stripped from incoming requests, the application sees the request
 	//    as if it was made to '/...'
 	//  - this only works if the application serves RELATIVE URLs for its assets
@@ -291,7 +291,7 @@ type HTTPProxy struct {
 	//  - sets the `spec.http[].headers.request` of the Istio VirtualService
 	//    https://istio.io/latest/docs/reference/config/networking/virtual-service/#Headers-HeaderOperations
 	//  - the following string templates are available:
-	//     - `.PathPrefix`: the path prefix of the Workspace (e.g. '/workspace/{profile_name}/{workspace_name}/')
+	//     - `.PathPrefix`: the path prefix of the Workspace (e.g. '/workspace/connect/{profile_name}/{workspace_name}/')
 	// +kubebuilder:validation:Optional
 	RequestHeaders *IstioHeaderOperations `json:"requestHeaders,omitempty"`
 }

workspaces/controller/cmd/main.go

@@ -20,11 +20,13 @@ import (
 	"crypto/tls"
 	"flag"
 	"os"
+	"strconv"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
+	istiov1 "istio.io/client-go/pkg/apis/networking/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -36,6 +38,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	kubefloworgv1beta1 "github.com/kubeflow/notebooks/workspaces/controller/api/v1beta1"
+	"github.com/kubeflow/notebooks/workspaces/controller/internal/config"
 	controllerInternal "github.com/kubeflow/notebooks/workspaces/controller/internal/controller"
 	"github.com/kubeflow/notebooks/workspaces/controller/internal/helper"
 	webhookInternal "github.com/kubeflow/notebooks/workspaces/controller/internal/webhook"
@@ -50,6 +53,8 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
+	utilruntime.Must(istiov1.AddToScheme(scheme))
+
 	utilruntime.Must(kubefloworgv1beta1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
@@ -60,6 +65,10 @@ func main() {
 	var probeAddr string
 	var secureMetrics bool
 	var enableHTTP2 bool
+
+	// Define command line flags
+	cfg := &config.EnvConfig{}
+
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -69,6 +78,15 @@ func main() {
 		"If set the metrics endpoint is served securely")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.StringVar(&cfg.IstioGateway, "istio-gateway", getEnvAsStr("ISTIO_GATEWAY", ""),
+		"The name of the Istio gateway to use")
+	flag.StringVar(&cfg.IstioHosts, "istio-hosts", getEnvAsStr("ISTIO_HOSTS", "*"),
+		"The hosts to use for the Istio VirtualService")
+	flag.StringVar(&cfg.ClusterDomain, "cluster-domain", getEnvAsStr("CLUSTER_DOMAIN", "cluster.local"),
+		"The domain to use for the Istio VirtualService")
+	flag.BoolVar(&cfg.UseIstio, "use-istio", getEnvAsBool("USE_ISTIO", false),
+		"If set, Istio will be used")
+
 	opts := zap.Options{
 		Development: true,
 	}
@@ -129,14 +147,15 @@ func main() {
 
 	// setup field indexers on the manager cache. we use these indexes to efficiently
 	// query the cache for things like which Workspaces are using a particular WorkspaceKind
-	if err := helper.SetupManagerFieldIndexers(mgr); err != nil {
+	if err := helper.SetupManagerFieldIndexers(mgr, cfg); err != nil {
 		setupLog.Error(err, "unable to setup field indexers")
 		os.Exit(1)
 	}
 
 	if err = (&controllerInternal.WorkspaceReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
+		Config: cfg,
 	}).SetupWithManager(mgr, controller.Options{
 		RateLimiter: helper.BuildRateLimiter(),
 	}); err != nil {
@@ -188,3 +207,19 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+func getEnvAsStr(name string, defaultVal string) string {
+	if value, exists := os.LookupEnv(name); exists {
+		return value
+	}
+	return defaultVal
+}
+
+func getEnvAsBool(name string, defaultVal bool) bool {
+	if value, exists := os.LookupEnv(name); exists {
+		if boolValue, err := strconv.ParseBool(value); err == nil {
+			return boolValue
+		}
+	}
+	return defaultVal
+}

workspaces/controller/config/crd/bases/kubeflow.org_workspacekinds.yaml

@@ -3699,7 +3699,7 @@ spec:
                               default: false
                               description: |-
                                 if the path prefix is stripped from incoming HTTP requests
-                                 - if true, the '/workspace/{profile_name}/{workspace_name}/' path prefix
+                                 - if true, the '/workspace/connect/{profile_name}/{workspace_name}/' path prefix
                                    is stripped from incoming requests, the application sees the request
                                    as if it was made to '/...'
                                  - this only works if the application serves RELATIVE URLs for its assets
@@ -3710,7 +3710,7 @@ spec:
                                  - sets the `spec.http[].headers.request` of the Istio VirtualService
                                    https://istio.io/latest/docs/reference/config/networking/virtual-service/#Headers-HeaderOperations
                                  - the following string templates are available:
-                                    - `.PathPrefix`: the path prefix of the Workspace (e.g. '/workspace/{profile_name}/{workspace_name}/')
+                                    - `.PathPrefix`: the path prefix of the Workspace (e.g. '/workspace/connect/{profile_name}/{workspace_name}/')
                               properties:
                                 add:
                                   additionalProperties:

workspaces/controller/config/default/components/istio/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+- envs:
+  - params.env
+  name: kubeflow-workspaces-istio-config
+
+patches:
+- path: manager_istio_patch.yaml

workspaces/controller/config/default/components/istio/manager_istio_patch.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workspaces-controller
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        env:
+        - name: USE_ISTIO
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-workspaces-istio-config
+              key: USE_ISTIO
+        - name: ISTIO_GATEWAY
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-workspaces-istio-config
+              key: ISTIO_GATEWAY
+        - name: ISTIO_HOST
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-workspaces-istio-config
+              key: ISTIO_HOST
+        - name: CLUSTER_DOMAIN
+          valueFrom:
+            configMapKeyRef:
+              name: kubeflow-workspaces-istio-config
+              key: CLUSTER_DOMAIN

workspaces/controller/config/default/components/istio/params.env

@@ -0,0 +1,4 @@
+USE_ISTIO=true
+ISTIO_GATEWAY=kubeflow/kubeflow-gateway
+ISTIO_HOST=*
+CLUSTER_DOMAIN=cluster.local

workspaces/controller/config/default/kustomization.yaml

@@ -15,6 +15,7 @@ resources:
 
 components:
 - components/common
+- components/istio
 
 patches:
 # [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint.

workspaces/controller/config/samples/jupyterlab_v1beta1_workspacekind.yaml

@@ -153,7 +153,7 @@ spec:
         httpProxy:
 
           ## if the path prefix is stripped from incoming HTTP requests
-          ##  - if true, the '/workspace/{profile_name}/{workspace_name}/' path prefix
+          ##  - if true, the '/workspace/connect/{profile_name}/{workspace_name}/' path prefix
           ##    is stripped from incoming requests, the application sees the request
           ##    as if it was made to '/...'
           ##  - this only works if the application serves RELATIVE URLs for its assets
@@ -164,7 +164,7 @@ spec:
           ##  - sets the `spec.http[].headers.request` of the Istio VirtualService
           ##    https://istio.io/latest/docs/reference/config/networking/virtual-service/#Headers-HeaderOperations
           ##  - the following string templates are available:
-          ##      - `.PathPrefix`: the path prefix of the Workspace (e.g. '/workspace/{profile_name}/{workspace_name}/')
+          ##      - `.PathPrefix`: the path prefix of the Workspace (e.g. '/workspace/connect/{profile_name}/{workspace_name}/')
           ##
           requestHeaders: {}
             #set: { "X-RStudio-Root-Path": "{{ .PathPrefix }}" } # for RStudio

workspaces/controller/go.mod

@@ -7,6 +7,8 @@ require (
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
 	golang.org/x/time v0.3.0
+	istio.io/api v1.22.8
+	istio.io/client-go v1.22.8
 	k8s.io/api v0.31.0
 	k8s.io/apimachinery v0.31.0
 	k8s.io/client-go v0.31.0
@@ -59,6 +61,7 @@ require (
 	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect