feat[packages]: add kubeflow controllers and components (#58003)

mritunjaysharma394 · web-flow · commit 9b0b54003a92 · 2025-07-02T15:22:55.000+05:30
Fixes: Related: ### Pre-review Checklist  #### For new package PRs only  - [ ] This PR is marked as fixing a pre-existing package request bug - [ ] Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency - [ ] REQUIRED - The package is available under an OSI-approved or FSF-approved license - [ ] REQUIRED - The version of the package is still receiving security updates - [ ] This PR links to the upstream project's support policy (e.g. `endoflife.date`) #### For new version streams  - [ ] The upstream project actually supports multiple concurrent versions. - [ ] Any subpackages include the version string in their package name (e.g. `name: ${{package.name}}-compat`) - [ ] The package (and subpackages) `provides:` logical unversioned forms of the package (e.g. `nodejs`, `nodejs-lts`) - [ ] If non-streamed package names no longer built, open PR to withdraw them (see [WITHDRAWING PACKAGES](https://github.com/wolfi-dev/os/blob/main/WITHDRAWING_PACKAGES.md)) #### For package updates (renames) in the base images  When updating packages part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk) - [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build - [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages - [ ] Upon launch, does `apk upgrade --latest` successfully upgrades packages or performs no actions #### For security-related PRs  - [ ] The security fix is recorded in the [advisories](https://github.com/wolfi-dev/advisories) repo #### For version bump PRs  - [ ] The `epoch` field is reset to 0 #### For PRs that add patches  - [ ] Patch source is documented --------- Signed-off-by: Mritunjay Sharma <mritunjay.sharma@chainguard.dev>
diff --git a/kubeflow.yaml b/kubeflow.yaml
@@ -0,0 +1,114 @@
+# Please note that kubeflow is in pipeline to move its components and then we might have to refactor this in future updates https://github.com/kubeflow/kubeflow/issues/7549
+# Also, similarly in test scripts, they are going to move manifests from apps directory to applications directory in a future release https://github.com/kubeflow/manifests/pull/3167
+# Please update the script for CRDs and other manifest then.
+# This package contains all go kubeflow controllers and components.
+package:
+  name: kubeflow
+  version: "1.10.0"
+  epoch: 0
+  description: Kubeflow Go Components
+  copyright:
+    - license: Apache-2.0
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/kubeflow/kubeflow
+      tag: v${{package.version}}
+      expected-commit: 90e987bf87d3e7c900926310b00bfa16b59e41eb
+
+data:
+  - name: controllers
+    items:
+      notebook-controller: The controller allows users to create a custom resource "Notebook" (jupyter notebook).
+      profile-controller: Profile access management provides namespace level isolation
+      pvcviewer-controller: Using this component, PVC Viewers can easily be created. PVCViewers enable users to open a filebrowser on arbitrary persistent volume claims.
+      tensorboard-controller: Kubeflow Tensorboard Controller
+
+  # not writing descriptions here as their output is different for each
+  - name: components
+    items:
+      access-management: access-management
+      admission-webhook: webhook
+
+subpackages:
+  - range: controllers
+    name: "kubeflow-${{range.key}}"
+    description: ${{range.value}}
+    pipeline:
+      - uses: go/build
+        with:
+          packages: .
+          modroot: components/${{range.key}}
+          output: manager
+    test:
+      environment:
+        contents:
+          packages:
+            - bash
+            - openssl
+      pipeline:
+        - uses: test/kwok/cluster
+        - name: "Test ${{range.key}} functionality with KWOK"
+          runs: |
+            ./controller-test.sh "${{range.key}}" "${{package.version}}"
+
+  - range: controllers
+    name: "kubeflow-${{range.key}}-compat"
+    description: Compat for kubeflow-${{range.key}}
+    pipeline:
+      - runs: |
+          mkdir -p "${{targets.subpkgdir}}"
+          ln -sf /usr/bin/${{range.key}} ${{targets.subpkgdir}}/${{range.key}}
+    test:
+      pipeline:
+        - runs: |
+            stat /${{range.key}}
+
+  - range: components
+    name: "kubeflow-${{range.key}}"
+    description: "kubeflow-${{range.value}}"
+    pipeline:
+      - uses: go/build
+        with:
+          packages: .
+          modroot: components/${{range.key}}
+          output: ${{range.value}}
+    test:
+      environment:
+        contents:
+          packages:
+            - bash
+            - openssl
+            - curl
+            - kustomize
+      pipeline:
+        - uses: test/kwok/cluster
+        - name: "Test ${{range.key}} functionality with KWOK"
+          runs: |
+            ./components-test.sh "${{range.key}}" "${{package.version}}"
+
+  - range: components
+    name: "kubeflow-${{range.key}}-compat"
+    description: Compat for kubeflow-${{range.key}}
+    pipeline:
+      - runs: |
+          mkdir -p "${{targets.subpkgdir}}"
+          ln -sf /usr/bin/${{range.key}} ${{targets.subpkgdir}}/${{range.key}}
+    test:
+      pipeline:
+        - runs: |
+            stat /${{range.key}}
+
+update:
+  enabled: true
+  github:
+    identifier: kubeflow/kubeflow
+    use-tag: true
+    # There were some malformed early tags
+    tag-filter: v1
+    strip-prefix: v
+
+test:
+  pipeline:
+    - uses: test/tw/ldd-check
diff --git a/kubeflow/components-test.sh b/kubeflow/components-test.sh
@@ -0,0 +1,143 @@
+#!/bin/bash
+set -euxo pipefail
+
+COMPONENTS="$1"  # Component name: access-management | admission-webhook
+KUBEFLOW_TAG="$2"  # Kubeflow version tag like v$KUBEFLOW_TAG
+
+kubectl create ns test-ns || true
+
+case "$COMPONENTS" in
+
+access-management)
+    echo "Running Access Management API test..."
+    kubectl apply -f https://raw.githubusercontent.com/kubeflow/manifests/v$KUBEFLOW_TAG/apps/profiles/upstream/crd/bases/kubeflow.org_profiles.yaml
+
+    echo "Simulating namespace-labels.yaml..."
+    mkdir -p /etc/profile-controller
+    cat <<EOF >/etc/profile-controller/namespace-labels.yaml
+kubeflow.org/creator: kubeflow
+environment: test
+EOF
+
+  /usr/bin/access-management &
+  pid=$!
+  sleep 10
+
+  echo "Testing profile creation"
+  curl -s -w '%{http_code}\n' -o /dev/null -X POST -H "Content-Type: application/json" \
+    -d '{"metadata":{"name":"user1"},"spec":{"owner":{"kind":"User","name":"test@kubeflow.org"}}}' \
+    http://127.0.0.1:8081/kfam/v1/profiles
+
+
+  echo "Confirming profile exists"
+  kubectl get profile
+
+  kill $pid
+    ;;
+
+admission-webhook)
+  # Namespace and CRD
+  kubectl create ns kubeflow || true
+  mkdir -p /tmp/webhook-certs
+  openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout /tmp/webhook-certs/key.pem -out /tmp/webhook-certs/cert.pem -subj "/CN=localhost"
+
+
+  kubectl apply -f https://raw.githubusercontent.com/kubeflow/manifests/v$KUBEFLOW_TAG/apps/admission-webhook/upstream/base/crd.yaml
+
+  # Launch webhook
+  /usr/bin/webhook -tlsCertFile /tmp/webhook-certs/cert.pem -tlsKeyFile /tmp/webhook-certs/key.pem &
+
+  pid=$!
+
+  sleep 5
+
+  echo "Fetching manifests..."
+  mkdir -p /tmp/admission-webhook
+  cd /tmp/admission-webhook
+
+  kubectl apply -f https://raw.githubusercontent.com/kubeflow/manifests/v$KUBEFLOW_TAG/apps/admission-webhook/upstream/base/crd.yaml
+
+  echo "Creating namespace..."
+  kubectl create ns kubeflow || true
+
+  echo "Deploying Service..."
+  kubectl apply -f - <<EOF
+  apiVersion: v1
+  kind: Service
+  metadata:
+    name: poddefault-webhook
+    namespace: kubeflow
+  spec:
+    ports:
+    - port: 443
+      targetPort: 8443
+      protocol: TCP
+    selector:
+      app: poddefault-webhook
+EOF
+
+  echo "Applying MutatingWebhookConfiguration..."
+  kubectl apply -f - <<EOF
+  apiVersion: admissionregistration.k8s.io/v1
+  kind: MutatingWebhookConfiguration
+  metadata:
+    name: mutating-webhook-configuration
+  webhooks:
+  - admissionReviewVersions:
+    - v1beta1
+    - v1
+    clientConfig:
+      caBundle: ""
+      service:
+        name: poddefault-webhook
+        namespace: kubeflow
+        path: /apply-poddefault
+    sideEffects: None
+    failurePolicy: Fail
+    name: poddefault-webhook.kubeflow.org
+    namespaceSelector:
+      matchLabels:
+        app.kubernetes.io/part-of: kubeflow-profile
+    rules:
+    - apiGroups:
+      - ""
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      resources:
+      - pods
+EOF
+
+  echo "Testing PodDefault CR..."
+  kubectl apply -f - <<EOF
+apiVersion: kubeflow.org/v1alpha1
+kind: PodDefault
+metadata:
+  name: add-gcp-secret
+  namespace: kubeflow
+spec:
+  selector:
+    matchLabels:
+      add-gcp-secret: "true"
+  desc: "Add GCP credential"
+  volumeMounts:
+  - name: secret-volume
+    mountPath: /secret/gcp
+  volumes:
+  - name: secret-volume
+    secret:
+      secretName: gcp-secret
+EOF
+
+  echo "Listing PodDefaults..."
+  kubectl get poddefaults -n kubeflow
+
+  kill $pid
+    ;;
+
+*)
+    echo "No functional test defined for $COMPONENTS"
+    exit 0
+    ;;
+esac
diff --git a/kubeflow/controller-test.sh b/kubeflow/controller-test.sh
