ai-tier v0.2 k0s

.env

@@ -1,6 +1,6 @@
 OPERATOR_SDK_VERSION=v1.31.0
 REVIEWERS=vivekr-splunk,rlieberman-splunk,patrykw-splunk,Igor-splunk,kasiakoziol
-GO_VERSION=1.24.0
+GO_VERSION=1.25.0
 AWSCLI_URL=https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.8.6.zip
 KUBECTL_VERSION=v1.29.1
 AZ_CLI_VERSION=2.30.0

.gitignore

@@ -9,6 +9,7 @@ bin
 testbin/*
 examplecodebase/*
 Dockerfile.cross
+tmp/*
 
 # Test binary, build with `go test -c`
 *.test
@@ -30,7 +31,17 @@ Dockerfile.cross
 skaffold.env.local
 .skaffold/
 
+# Logs
+tools/cluster_setup/logs/
+
 # Helm build artifacts
 *.tgz
 helm-chart/**/charts/
 !helm-chart/**/charts/.gitkeep
+
+# Cluster-setup script byproducts (*.original): pristine-snapshot backups
+# written by tools/cluster_setup/k0s_cluster_with_stack.sh on first run and
+# reused as a reset point on subsequent runs (see configure_images()
+# → "Restoring from clean originals"). Needed locally for idempotent
+# re-installs; never committed.
+tools/cluster_setup/*.original

Dockerfile

@@ -1,5 +1,6 @@
 # Build the manager binary
-FROM docker.io/golang:1.24 AS builder
+ARG GO_VERSION=1.25.0
+FROM docker.io/golang:${GO_VERSION} AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -43,7 +44,11 @@ COPY LICENSE LICENSE-2.0.txt
 COPY --from=builder /certs/tls.crt /certs/tls.crt
 COPY --from=builder /certs/tls.key /certs/tls.key
 
-USER 65532:65532
+# Run as non-root UID with GID 0 (root group). GID 0 is required on
+# RHEL / OpenShift / k0s nodes: the container runtime assigns a random
+# UID at launch and only grants group-read/write to GID 0. Without it
+# the process cannot read /manager or the config files copied above.
+USER 1001:0
 ENV INSTANCE_FILE=/instance.yaml
 ENV APPLICATION_FILE=/applications.yaml
 ENTRYPOINT ["/manager"]

Dockerfile.debug

@@ -1,5 +1,6 @@
 # Build the manager binary with debug symbols
-FROM docker.io/golang:1.24 AS builder
+ARG GO_VERSION=1.25.0
+FROM docker.io/golang:${GO_VERSION} AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

Dockerfile.k0s-runner

@@ -0,0 +1,19 @@
+FROM registry.access.redhat.com/ubi9/ubi:latest
+
+RUN dnf install -y --allowerasing openssh-clients git jq && dnf clean all
+
+ARG TARGETARCH
+
+# kubectl
+RUN curl -fsSL "https://dl.k8s.io/release/$(curl -fsSL https://dl.k8s.io/release/stable.txt)/bin/linux/${TARGETARCH}/kubectl" \
+      -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
+
+# helm
+RUN curl -fsSL "https://get.helm.sh/helm-v3.17.1-linux-${TARGETARCH}.tar.gz" | tar xz -C /tmp \
+      && mv /tmp/linux-${TARGETARCH}/helm /usr/local/bin/helm && rm -rf /tmp/linux-${TARGETARCH}
+
+# yq
+RUN curl -fsSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${TARGETARCH}" \
+      -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
+
+WORKDIR /workspace

Makefile

@@ -65,6 +65,9 @@ endif
 # tools. (i.e. podman)
 CONTAINER_TOOL ?= docker
 
+# GO_VERSION is read from .env if not already set, and passed as a build-arg to docker builds.
+GO_VERSION ?= $(shell grep '^GO_VERSION=' .env | cut -d= -f2)
+
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
 SHELL = /usr/bin/env bash -o pipefail
@@ -215,7 +218,11 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
 docker-build: ## Build docker image with the manager.
-	$(CONTAINER_TOOL) build -t ${IMG} .
+	$(CONTAINER_TOOL) build --build-arg GO_VERSION=$(GO_VERSION) -t ${IMG} .
+
+.PHONY: docker-build-amd64
+docker-build-amd64: ## Build docker image for linux/amd64 (e.g. for x86_64 servers/EC2).
+	$(CONTAINER_TOOL) build --platform=linux/amd64 --build-arg GO_VERSION=$(GO_VERSION) -t ${IMG} .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
@@ -234,7 +241,7 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	- $(CONTAINER_TOOL) buildx create --name splunk-ai-operator-builder
 	$(CONTAINER_TOOL) buildx use splunk-ai-operator-builder
-	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
+	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg GO_VERSION=$(GO_VERSION) --tag ${IMG} -f Dockerfile.cross .
 	- $(CONTAINER_TOOL) buildx rm splunk-ai-operator-builder
 	rm Dockerfile.cross
 

api/v1/aiplatform_types.go

@@ -364,13 +364,13 @@ type SidecarSpec struct {
 // ObjectStorageSpec defines object storage configuration for AI artifacts, tasks, and models
 type ObjectStorageSpec struct {
 	// Remote volume URI in the format s3://bucketname/<path prefix>, gs://bucketname/<path prefix>,
-	// azure://containername/<path prefix>, or minio://bucketname/<path prefix>
+	// azure://containername/<path prefix>, s3compat://bucketname/<path prefix> (generic S3-compatible), minio://, or seaweedfs://
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Pattern=`^(s3|gs|azure|minio)://[a-zA-Z0-9.\-_]+(/.*)?$`
+	// +kubebuilder:validation:Pattern=`^(s3|gs|azure|minio|seaweedfs|s3compat)://[a-zA-Z0-9.\-_]+(/.*)?$`
 	Path string `json:"path"`
 
-	// Optional override endpoint (only needed for S3-compatible services like MinIO)
-	// Must be a valid HTTP/HTTPS URL
+	// Optional override endpoint (only needed for S3-compatible services like MinIO, SeaweedFS)
+	// Must be a valid HTTP/HTTPS URL. When set with s3:// path, backend is treated as S3-compatible (MinIO, SeaweedFS, etc.)
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Pattern=`^https?://.*$`
 	Endpoint string `json:"endpoint,omitempty"`
@@ -380,11 +380,17 @@ type ObjectStorageSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Region string `json:"region"`
 
-	// Secret name containing storage credentials
+	// Secret name containing storage credentials (e.g. s3_access_key, s3_secret_key for S3-compatible backends)
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253
 	SecretRef string `json:"secretRef,omitempty"`
+
+	// Provider is an optional hint for documentation and tooling. Operator derives behavior from path scheme and endpoint.
+	// Values: aws, minio, seaweedfs, s3compat, gcs, azure
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum=aws;minio;seaweedfs;s3compat;gcs;azure
+	Provider string `json:"provider,omitempty"`
 }
 
 // IngressSpec defines Ingress configuration for external access to platform services

api/v1/aiservice_types.go

@@ -53,6 +53,12 @@ type AIServiceSpec struct {
 	// +kubebuilder:validation:Optional
 	AIPlatformUrl string `json:"aiPlatformUrl,omitempty"`
 
+	// AIPlatformScheme specifies the URL scheme for the AI Platform service ("http" or "https")
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="http"
+	// +kubebuilder:validation:Enum=http;https
+	AIPlatformScheme string `json:"aiPlatformScheme,omitempty"`
+
 	// AIPlatformRef is a reference to the AIPlatform resource
 	// +kubebuilder:validation:Required
 	AIPlatformRef corev1.ObjectReference `json:"aiPlatformRef"`
@@ -117,6 +123,45 @@ type AIServiceSpec struct {
 	// +kubebuilder:default="cluster.local"
 	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
 	ClusterDomain string `json:"clusterDomain,omitempty"`
+
+	// V2 configures the SAIA v2 deployment. v2 is always deployed alongside v1 behind nginx.
+	// Users toggle Agent Mode (v1 vs v2) from the Splunk Settings UI.
+	// +kubebuilder:validation:Optional
+	V2 SAIAv2Config `json:"v2,omitempty"`
+
+	// V2Worker configures the v2 SAIA worker deployment (same v2 image, command=run-worker.sh).
+	// +kubebuilder:validation:Optional
+	V2Worker SAIAWorkerConfig `json:"v2Worker,omitempty"`
+}
+
+// SAIAv2Config defines the configuration for the SAIA v2 API deployment.
+type SAIAv2Config struct {
+	// Image is the container image for the v2 API pod
+	// +kubebuilder:validation:Optional
+	Image string `json:"image,omitempty"`
+
+	// Replicas is the number of v2 API replicas
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=1
+	// +kubebuilder:validation:Minimum=0
+	Replicas int32 `json:"replicas,omitempty"`
+
+	// Resources defines the compute resources for the v2 API pods
+	// +kubebuilder:validation:Optional
+	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+}
+
+// SAIAWorkerConfig defines the configuration for a SAIA worker deployment.
+type SAIAWorkerConfig struct {
+	// Replicas is the number of worker replicas
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=1
+	// +kubebuilder:validation:Minimum=0
+	Replicas int32 `json:"replicas,omitempty"`
+
+	// Resources defines the compute resources for the worker pods
+	// +kubebuilder:validation:Optional
+	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
 }
 
 // MetricsConfig defines the metrics configuration for monitoring