Updated to match qa-vectis config with workspaces

devplanetv2/dev-environments/qa-vectis/Chart.yaml

@@ -21,3 +21,9 @@ version: 0.1.4
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 appVersion: "1.0"
+
+dependencies:
+  - name: jeg
+    version: "0.1.0"
+  - name: workspace-proxy
+    version: "0.1.0"

devplanetv2/dev-environments/qa-vectis/charts/jeg/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: jeg
+description: >
+  Jupyter Enterprise Gateway for gen3 vectis workspaces.
+  Launches ephemeral kernel pods in the workspace namespace on behalf of
+  user Jupyter sessions proxied through workspace-proxy.
+type: application
+version: 0.1.0
+appVersion: "3.2.3"

devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/deployment.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jupyter-enterprise-gateway
+  namespace: {{ .Values.workspaceNamespace }}
+  labels:
+    app: enterprise-gateway
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: enterprise-gateway
+  template:
+    metadata:
+      labels:
+        app: enterprise-gateway
+    spec:
+      serviceAccountName: enterprise-gateway
+      automountServiceAccountToken: true
+      containers:
+        - name: enterprise-gateway
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+          env:
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: {{ $val | quote }}
+            {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /api
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /api
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 5
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            capabilities:
+              drop:
+                - ALL
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault

devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/rbac.yaml

@@ -0,0 +1,35 @@
+# JEG needs permission to create/delete kernel pods and services in the
+# workspace namespace. Scoped to a Role (not ClusterRole) for least-privilege.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: enterprise-gateway
+  namespace: {{ .Values.workspaceNamespace }}
+  labels:
+    app: enterprise-gateway
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/log", "services", "configmaps", "secrets"]
+    verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: enterprise-gateway
+  namespace: {{ .Values.workspaceNamespace }}
+  labels:
+    app: enterprise-gateway
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: enterprise-gateway
+subjects:
+  - kind: ServiceAccount
+    name: enterprise-gateway
+    namespace: {{ .Values.workspaceNamespace }}

devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: jupyter-enterprise-gateway
+  namespace: {{ .Values.workspaceNamespace }}
+  labels:
+    app: enterprise-gateway
+spec:
+  type: ClusterIP
+  selector:
+    app: enterprise-gateway
+  ports:
+    - name: http
+      port: 8888
+      targetPort: http
+      protocol: TCP

devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: enterprise-gateway
+  namespace: {{ .Values.workspaceNamespace }}
+  labels:
+    app: enterprise-gateway

devplanetv2/dev-environments/qa-vectis/charts/jeg/values.yaml

@@ -0,0 +1,34 @@
+# Jupyter Enterprise Gateway default values.
+# Override via qa-vectis/values/jeg-values.yaml
+
+# Namespace where JEG pod runs AND where it launches kernel pods.
+# CRITICAL: must match hatchery user-namespace and workspace-proxy WORKSPACE_NAMESPACE.
+workspaceNamespace: jupyter-pods-qa-vectis
+
+replicaCount: 1
+
+image:
+  repository: elyra/enterprise-gateway
+  tag: "3.2.3"
+  pullPolicy: IfNotPresent
+
+env:
+  EG_NAMESPACE: jupyter-pods-qa-vectis
+  EG_KERNEL_LAUNCH_TIMEOUT: "120"
+  EG_MAX_KERNELS_PER_USER: "2"
+  EG_CULL_IDLE_TIMEOUT: "14400"
+  EG_CULL_CONNECTED: "True"
+  EG_AUTH_TOKEN: ""
+  EG_DEFAULT_KERNEL_NAME: python3
+  EG_LIST_KERNELS: "True"
+  EG_KERNEL_IMAGE_PULL_POLICY: IfNotPresent
+  EG_SHARED_NAMESPACE: "False"
+  EG_MIRROR_WORKING_DIRS: "False"
+
+resources:
+  requests:
+    cpu: "100m"
+    memory: "256Mi"
+  limits:
+    cpu: "500m"
+    memory: "512Mi"

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: workspace-proxy
+description: >
+  Per-user workspace HTTP/WebSocket router for gen3 vectis.
+  Replaces Emissary/Ambassador. Reads Service annotations written by Hatchery
+  to resolve each user's workspace upstream, then proxies traffic from revproxy.
+type: application
+version: 0.1.0
+appVersion: "1.0"

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/ambassador-externalname.yaml

@@ -0,0 +1,3 @@
+# REMOVED: No Ambassador/Emissary. Revproxy routes directly to
+# workspace-proxy-service via additionalConfigs ambassador-service.conf
+# in the main values.yaml. This file is intentionally empty.

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/deployment.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workspace-proxy
+  namespace: {{ .Values.deploymentNamespace }}
+  labels:
+    app: workspace-proxy
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: workspace-proxy
+  template:
+    metadata:
+      labels:
+        app: workspace-proxy
+    spec:
+      serviceAccountName: workspace-proxy
+      automountServiceAccountToken: true
+      containers:
+        - name: workspace-proxy
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - --listen={{ .Values.listenAddr }}
+            - --workspace-namespace={{ .Values.workspaceNamespace }}
+          env:
+            - name: JEG_GATEWAY_URL
+              value: "http://jupyter-enterprise-gateway.{{ .Values.workspaceNamespace }}.svc.cluster.local:8888"
+            - name: WORKSPACE_NAMESPACE
+              value: "{{ .Values.workspaceNamespace }}"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 15
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            capabilities:
+              drop:
+                - ALL
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.workspaceNamespace }}
+  labels:
+    app: workspace
+    # Allows NetworkPolicy selectors to target this namespace.
+    kubernetes.io/metadata.name: {{ .Values.workspaceNamespace }}

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/netpol.yaml

@@ -0,0 +1,53 @@
+{{- if .Values.networkPolicy.enabled }}
+# Ingress: only allow traffic from revproxy pods in the gen3 namespace.
+# Egress: DNS (kube-system:53) + workspace pod services (workspaceNamespace:80).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: workspace-proxy
+  namespace: {{ .Values.deploymentNamespace }}
+  labels:
+    app: workspace-proxy
+spec:
+  podSelector:
+    matchLabels:
+      app: workspace-proxy
+  policyTypes:
+    - Ingress
+    - Egress
+
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.deploymentNamespace }}
+          podSelector:
+            matchLabels:
+              app: revproxy
+      ports:
+        - protocol: TCP
+          port: 8080
+
+  egress:
+    # DNS resolution via kube-dns (kube-system namespace)
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    # Workspace pod services in the workspace namespace
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.workspaceNamespace }}
+      ports:
+        - protocol: TCP
+          port: 80
+        # JEG listens on 8888 — workspace-proxy proxies /jeg-proxy/* to it
+        - protocol: TCP
+          port: 8888
+{{- end }}

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/rbac.yaml

@@ -0,0 +1,29 @@
+# Role in the workspace namespace — workspace-proxy needs to read Services
+# written by Hatchery (one per user session) to resolve proxy upstreams.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: workspace-proxy
+  namespace: {{ .Values.workspaceNamespace }}
+  labels:
+    app: workspace-proxy
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: workspace-proxy
+  namespace: {{ .Values.workspaceNamespace }}
+  labels:
+    app: workspace-proxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: workspace-proxy
+subjects:
+  - kind: ServiceAccount
+    name: workspace-proxy
+    namespace: {{ .Values.deploymentNamespace }}

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: workspace-proxy-service
+  namespace: {{ .Values.deploymentNamespace }}
+  labels:
+    app: workspace-proxy
+spec:
+  type: ClusterIP
+  selector:
+    app: workspace-proxy
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP

devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: workspace-proxy
+  namespace: {{ .Values.deploymentNamespace }}
+  labels:
+    app: workspace-proxy