feat: Add ambient mode support to profile-controller

Signed-off-by: madmecodes <ayushguptadev1@gmail.com>
Signed-off-by: Kimonas Sotirchos <kimonas.sotirchos@canonical.com>

Author: madmecodes

components/profile-controller/Dockerfile

@@ -1,7 +1,5 @@
-ARG GOLANG_VERSION=1.22
-FROM --platform=${BUILDPLATFORM} golang:${GOLANG_VERSION} AS builder
-ARG TARGETOS
-ARG TARGETARCH
+# Build the manager binary
+FROM golang:1.23 as builder
 
 WORKDIR /workspace
 
@@ -50,7 +48,6 @@ FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY third_party third_party
 COPY --from=builder /workspace/manager .
-COPY --from=builder /go/pkg/mod/github.com/hashicorp third_party/library/
 
 USER 65532:65532
 

components/profile-controller/config/components/kfam/README.md

@@ -0,0 +1,9 @@
+## KFAM Component
+
+This kustomize component is aimed to provide the configuration for enabling KFAM in the Profile Controller.
+
+Since the Profile Controller is expected to be deployed either standalone or alongside Kubeflow, we'll need to
+be able to include this functionality only in specific cases.
+
+Also, since now we have more than one flavour of the Kubeflow integration (Istio sidecar vs ambient) we need
+to include this common functionality to both overlays.

components/profile-controller/config/components/kfam/authorizationpolicy.yaml

@@ -0,0 +1,17 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: profiles-kfam
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller-manager
+      app.kubernetes.io/name: profile-controller
+      app.kubernetes.io/part-of: kubeflow-dashboard
+      app.kubernetes.io/managed-by: kustomize
+  rules:
+    - from:
+        - source:
+            principals:
+              - cluster.local/ns/kubeflow/sa/dashboard

components/profile-controller/config/components/kfam/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- service.yaml
+- authorizationpolicy.yaml
+
+patchesStrategicMerge:
+- patches/kfam.yaml
+
+images:
+- name: ghcr.io/kubeflow/dashboard/access-management
+  newName: ghcr.io/kubeflow/dashboard/access-management
+  newTag: latest

components/profile-controller/config/components/kfam/patches/kfam.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment
+spec:
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "true"
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - command:
+        - /access-management
+        - "-cluster-admin"
+        - $(ADMIN)
+        - "-userid-header"
+        - $(USERID_HEADER)
+        - "-userid-prefix"
+        - $(USERID_PREFIX)
+        envFrom:
+          - configMapRef:
+              name: config
+        image: ghcr.io/kubeflow/dashboard/access-management
+        imagePullPolicy: IfNotPresent
+        name: access-management
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: 8081
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        ports:
+        - containerPort: 8081
+          name: kfam-http
+          protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+      serviceAccountName: controller-service-account

components/profile-controller/config/components/kfam/service.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: profiles-kfam
+spec:
+  ports:
+    - port: 8081

components/profile-controller/config/components/remove-system-namespace/README.md

@@ -0,0 +1,7 @@
+## Remove System Namespace Component
+
+This component is aimed to be consumed by the overlays targetted for the Kubeflow installation.
+
+In this case, the manifests will need to install everything in the `kubeflow` namespace and not create
+the `profile-controller-system` namespace. Thus the two kubeflow overlays (Istio sidecar and ambient)
+will need to both include this common component.

components/profile-controller/config/components/remove-system-namespace/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patchesStrategicMerge:
+- patches/remove-namespace.yaml

components/profile-controller/config/components/remove-system-namespace/patches/remove-namespace.yaml

@@ -0,0 +1,9 @@
+$patch: delete
+apiVersion: v1
+kind: Namespace
+metadata:
+<<<<<<<< HEAD:components/profile-controller/manifests/kustomize/overlays/kubeflow/patches/remove-namespace.yaml
+  name: profiles-system
+========
+  name: system
+>>>>>>>> 9024371 (feat: Add ambient mode support to profile-controller):components/profile-controller/config/components/remove-system-namespace/patches/remove-namespace.yaml

components/profile-controller/config/manager/kustomization.yaml

@@ -0,0 +1,18 @@
+resources:
+- manager.yaml
+- service-account.yaml
+
+configMapGenerator:
+- literals:
+  - ADMIN=
+  - WORKLOAD_IDENTITY=
+  - USERID_HEADER="kubeflow-userid"
+  - USERID_PREFIX=
+  - ISTIO_INGRESS_GATEWAY_PRINCIPAL="cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
+  - NOTEBOOK_CONTROLLER_PRINCIPAL="cluster.local/ns/kubeflow/sa/notebook-controller-service-account"
+  - KFP_UI_PRINCIPAL="cluster.local/ns/kubeflow/sa/ml-pipeline-ui"
+  - SERVICE_MESH_MODE="istio-sidecar"
+  - WAYPOINT_NAME="waypoint"
+  - WAYPOINT_NAMESPACE=""
+  - CREATE_WAYPOINT="false"
+  name: config