OCDP/ocdp-workload-manifests
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: update workload runtime integration

Browse Source
This commit is contained in:
jackyliu
2026-06-02 09:48:58 +00:00
parent 80a063a167
commit cb6cf58229
11 changed files with 45 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
AGENTS.md
View File

@ -26,14 +26,15 @@ This file is the execution guide for `ocdp-workload-manifests`.
- Runtime source generation may create Secret, ConfigMap, and patch files, then
run Kustomize.
- Bases should stay template-free YAML.
- App bases should keep Services as `ClusterIP`; expose apps from
WorkloadTemplate values such as `exposure=nodeport` or `exposure=loadbalancer`.
- App bases should keep Services internally reachable; expose apps from
WorkloadClaim top-level intent such as `exposure=internal` or
`exposure=external`, rendered by the agent/template path.
Components such as `service-nodeport`, `service-loadbalancer`, or `ingress`
are implementation building blocks, not the user-facing contract.
- Environment overlays are platform/admin choices for cluster- or site-level
differences such as StorageClass, IngressClass, GPU runtime, registry prefix,
pull secrets, node selectors, tolerations, and site labels.
- NodePort numbers belong in per-claim values handled by `ocdp-server`, not in
- NodePort numbers should be assigned per claim by Kubernetes, not hard-coded in
reusable app bases or components.
## Validation

23
README.md
View File

@ -19,7 +19,7 @@ ocdp-server PostgreSQL
WorkloadTemplate metadata
WorkloadTemplate source.repositoryUrl/ref/path
user-facing values schema / parameters
environment overlay/profile metadata
environment overlay and policy metadata
access bindings
no WorkloadClaim instance storage
@ -56,6 +56,8 @@ user-created claim lives in Kubernetes, not in PostgreSQL.
```text
apps/
earth2studio-demo/
base/
code-server/
base/
components/
@ -87,10 +89,10 @@ Secrets, ConfigMaps, components, and patches.
## Exposure
Base services are `ClusterIP`. User-facing exposure choices such as
`clusterip`, `nodeport`, and `loadbalancer` belong in the WorkloadTemplate
values schema. `ocdp-server` can translate that value into runtime Service
configuration or a generated patch.
Base services should stay internally reachable. User-facing exposure choices
belong on the WorkloadClaim top-level intent such as `exposure=internal` or
`exposure=external`; the agent/template renderer turns that intent into runtime
Service resources.
Reusable components are still useful implementation building blocks:
@ -99,19 +101,20 @@ Reusable components are still useful implementation building blocks:
- `components/service-loadbalancer`: change the app Service to `LoadBalancer`.
- `components/service-nodeport`: change the app Service to `NodePort`.
When `nodeport` is selected by the user, `ocdp-server` may generate an instance
patch or runtime Service field for an explicit port:
When `exposure=external` is selected by the user, the agent/template renderer
may generate a NodePort Service and leave the concrete nodePort for Kubernetes
to allocate:
```yaml
- op: add
path: /spec/ports/0/nodePort
value: 30080
path: /spec/type
value: NodePort
```
Do not hard-code shared NodePort values in app bases or reusable components.
Environment overlays are different from user choices. They are selected by the
platform from cluster, workspace, or customer profile information and can carry
platform from cluster, workspace, or customer policy information and can carry
things like StorageClass, IngressClass, GPU runtime class, registry prefix,
pull-secret wiring, node selectors, tolerations, and site-specific labels.

16
apps/code-server/README.md
View File

@ -1,7 +1,17 @@
# code-server
The base deploys code-server with a PVC, Service, and password Secret reference.
The base deploys code-server from `harbor.bwgdi.com/library/earth2studio-demo:v6`
with a Service and password Secret reference.
The Secret is generated by the instance overlay. Do not commit real passwords or
tokens to this catalog.
The Secret is generated by the instance overlay. Workspace storage is mounted
from top-level WorkloadClaim `storage`, and exposure is rendered from top-level
`exposure`. Do not commit real passwords or tokens to this catalog.
The WorkloadTemplate exposes storage intent (`temporary`, `retained`,
`existing`) and exposure intent (`internal`, `external`) as claim-time choices.
Workspace storage defaults to retained. The template also mounts a hidden
retained `weight` StorageClass PVC at `/models` for model weights; this
StorageClass detail is platform-owned and is not exposed as a user parameter.
The Deployment keeps HAMi resource keys in `resources.limits` at all times:
`nvidia.com/gpu` for GPU count and `nvidia.com/gpumem` for GPU memory in MiB.

19
apps/code-server/base/deployment.yaml
View File

@ -19,18 +19,23 @@ spec:
app.kubernetes.io/component: ide
app.kubernetes.io/part-of: ocdp-workload
spec:
imagePullSecrets:
- name: regcred
schedulerName: hami-scheduler
securityContext:
fsGroup: 1000
containers:
- name: code-server
image: codercom/code-server:latest
image: harbor.bwgdi.com/library/earth2studio-demo:v6
imagePullPolicy: IfNotPresent
command:
- code-server
args:
- --bind-addr
- 0.0.0.0:8080
- --auth
- password
- /home/coder/project
- /workspace
env:
- name: PASSWORD
valueFrom:
@ -55,11 +60,5 @@ spec:
limits:
cpu: "2"
memory: 4Gi
volumeMounts:
- name: workspace
mountPath: /home/coder/project
volumes:
- name: workspace
persistentVolumeClaim:
claimName: code-server-data
nvidia.com/gpu: "1"
nvidia.com/gpumem: "8192"

2
apps/code-server/base/kustomization.yaml
View File

@ -1,7 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- pvc.yaml
- deployment.yaml
- service.yaml

15
apps/code-server/base/pvc.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-data
labels:
app.kubernetes.io/name: code-server
app.kubernetes.io/component: workspace-storage
app.kubernetes.io/part-of: ocdp-workload
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi

8
apps/code-server/components/nfs/kustomization.yaml
View File

@ -1,8 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
patches:
- path: pvc-rwx-patch.yaml
target:
kind: PersistentVolumeClaim
name: code-server-data

4
apps/code-server/components/nfs/pvc-rwx-patch.yaml
View File

@ -1,4 +0,0 @@
- op: replace
path: /spec/accessModes/0
value: ReadWriteMany

9
tests/kustomize/code-server-nodeport/deployment-patch.yaml
View File

@ -11,10 +11,13 @@
path: /spec/template/spec/containers/0/resources/limits/memory
value: 4Gi
- op: replace
path: /spec/template/spec/containers/0/args/4
value: /home/coder/workspace
path: /spec/template/spec/containers/0/resources/limits/nvidia.com~1gpu
value: "1"
- op: replace
path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
path: /spec/template/spec/containers/0/resources/limits/nvidia.com~1gpumem
value: "8192"
- op: replace
path: /spec/template/spec/containers/0/args/4
value: /home/coder/workspace
- op: add
path: /spec/template/spec/containers/0/env/-

5
tests/kustomize/code-server-nodeport/kustomization.yaml
View File

@ -6,7 +6,6 @@ resources:
- ../../../apps/code-server/base
- generated-secret.yaml
components:
- ../../../apps/code-server/components/nfs
- ../../../apps/code-server/components/service-nodeport
patches:
- path: deployment-patch.yaml
@ -15,10 +14,6 @@ patches:
version: v1
kind: Deployment
name: code-server
- path: pvc-patch.yaml
target:
kind: PersistentVolumeClaim
name: code-server-data
- path: service-nodeport-patch.yaml
target:
kind: Service

4
tests/kustomize/code-server-nodeport/pvc-patch.yaml
View File

@ -1,4 +0,0 @@
- op: replace
path: /spec/resources/requests/storage
value: 10Gi