chore: sync local changes

2026-06-16 01:11:46 +00:00
parent 29056822f9
commit cbea46632e
8 changed files with 40 additions and 45 deletions

4
.gitignore vendored
@ -7,7 +7,3 @@ tmp/
*.log *.log
.env .env
.env.* .env.*
!.env.example
!*.env.example
!**/*.env.example
!**/.env.*.example
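Review bot: Dropping the `!.env.example` family of negations at the end of this hunk means the remaining `.env.*` pattern now matches `.env.example` too, so any new example env file will be ignored without warning (copies that are already tracked stay in the index). If that is intended, say so in the commit message; otherwise keep at least `!.env.example` so the documented variable list stays versioned.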

@ -7,11 +7,11 @@ This file is the execution guide for `ocdp-workload-manifests`.
- Treat this project as a plain app manifests repository. - Treat this project as a plain app manifests repository.
- Do not store OCDP WorkloadTemplate records here; they belong in `ocdp-server` - Do not store OCDP WorkloadTemplate records here; they belong in `ocdp-server`
PostgreSQL. PostgreSQL.
- Do not store user WorkloadClaim instances here; they belong in target-cluster - Do not store user Workload instances here; they belong in target-cluster
CRs created through `ocdp-server`. CRs created through `ocdp-server`.
- Keep reusable Kubernetes resources under `apps/*/base`. - Keep reusable Kubernetes resources under `apps/*/base`.
- Keep optional Kustomize components under `apps/*/components`. - Keep optional Kustomize components under `apps/*/components`.
- Keep Helm post-render presets under `packages/*/presets/*`. - Keep Helm post-renders under `packages/*/post-renders/*`.
- Keep per-deployment runtime values out of this repository. They belong in - Keep per-deployment runtime values out of this repository. They belong in
temporary source files or runtime specs generated by `ocdp-server`. temporary source files or runtime specs generated by `ocdp-server`.
- Use `tests/kustomize/*` only for generic validation overlays, never for real - Use `tests/kustomize/*` only for generic validation overlays, never for real
@ -23,19 +23,19 @@ This file is the execution guide for `ocdp-workload-manifests`.
- Do not add a global catalog index unless the server explicitly needs one later. - Do not add a global catalog index unless the server explicitly needs one later.
- `ocdp-server` WorkloadTemplate records may reference Helm charts plus - `ocdp-server` WorkloadTemplate records may reference Helm charts plus
`source.preset.repositoryUrl/ref/path`. `source.postRender.repositoryUrl/ref/path`.
- Runtime source generation may render Helm, create Secret, ConfigMap, and patch - Runtime source generation may render Helm, create Secret, ConfigMap, and patch
files, then run Kustomize. files, then run Kustomize.
- Bases should stay template-free YAML. - Bases should stay template-free YAML.
- App bases should keep Services internally reachable; expose apps from - App bases should keep Services internally reachable; expose apps from
WorkloadClaim top-level intent such as `exposure=internal` or Workload top-level intent such as `exposure=internal` or
`exposure=external`, rendered by the agent/template path. `exposure=external`, rendered by the agent/template path.
Components such as `service-nodeport`, `service-loadbalancer`, or `ingress` Components such as `service-nodeport`, `service-loadbalancer`, or `ingress`
are implementation building blocks, not the user-facing contract. are implementation building blocks, not the user-facing contract.
- Environment overlays are platform/admin choices for cluster- or site-level - Environment overlays are platform/admin choices for cluster- or site-level
differences such as StorageClass, IngressClass, GPU runtime, registry prefix, differences such as StorageClass, IngressClass, GPU runtime, registry prefix,
pull secrets, node selectors, tolerations, and site labels. pull secrets, node selectors, tolerations, and site labels.
- NodePort numbers should be assigned per claim by Kubernetes, not hard-coded in - NodePort numbers should be assigned per workload by Kubernetes, not hard-coded in
reusable app bases or components. reusable app bases or components.
## Validation ## Validation
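Review bot: The key rename on the `source.postRender.repositoryUrl/ref/path` line changes the contract for WorkloadTemplate records that, per this same file, live in `ocdp-server` PostgreSQL, and nothing visible here says what happens to records already stored with `source.preset`. Add a line stating whether the server still accepts the old key or a migration is required, so admins know whether existing templates must be rewritten.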

@ -1,11 +1,11 @@
# ocdp-workload-manifests # ocdp-workload-manifests
Standalone Kubernetes manifests and post-render presets for OCDP workloads. Standalone Kubernetes manifests and post-renders for OCDP workloads.
This repository is intentionally just a Git repository of app manifests. There is This repository is intentionally just a Git repository of app manifests. There is
no global catalog index and no dependency on the Gitea API. `ocdp-server` stores no global catalog index and no dependency on the Gitea API. `ocdp-server` stores
the template contract; the operator renders Helm sources and then applies the template contract; the operator renders Helm sources and then applies
Kustomize presets from this repository. Kustomize postRenders from this repository.
## Architecture ## Architecture
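Review bot: The two changed lines in this hunk spell the new term differently, `post-renders` in the summary line and `postRenders` in the "Kustomize ... from this repository" line. Pick one prose spelling and reserve the camelCase `postRender` for the YAML key, so readers do not take them for two different things.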
@ -15,36 +15,35 @@ OCDP keeps the responsibilities split:
Git repo Git repo
apps/<app>/base apps/<app>/base
apps/<app>/components apps/<app>/components
packages/<app>/presets/<preset> packages/<app>/post-renders/<postRender>
kustomization.yaml kustomization.yaml
userInputs.yaml userInputs.yaml
ocdp-server PostgreSQL ocdp-server PostgreSQL
WorkloadTemplate metadata WorkloadTemplate metadata
WorkloadTemplate Helm source WorkloadTemplate Helm source
WorkloadTemplate source.preset.repositoryUrl/ref/path WorkloadTemplate source.postRender.repositoryUrl/ref/path
user-facing values schema / parameters user-facing values schema / parameters
access bindings access bindings
no WorkloadClaim instance storage no Workload instance storage
target cluster target cluster
WorkloadClaim CR as the canonical user claim Workload CR as the canonical user workload
Workload CR
runtime Kubernetes resources runtime Kubernetes resources
``` ```
This repository stores Git bases, reusable components, and Kustomize presets. This repository stores Git bases, reusable components, and Kustomize postRenders.
For Helm-backed workloads, the operator runs `helm template` first, writes that For Helm-backed workloads, the operator runs `helm template` first, writes that
output as `rendered.yaml`, then renders the selected preset with Workload output as `rendered.yaml`, then renders the selected postRender with Workload
`spec.values`. A preset may include `userInputs.yaml` so admins can see which `spec.values`. A postRender may include `userInputs.yaml` so admins can see which
values should become the WorkloadTemplate user-facing parameter schema. This values should become the WorkloadTemplate user-facing parameter schema. This
metadata file is not a Kubernetes resource and is not referenced by Kustomize. metadata file is not a Kubernetes resource and is not referenced by Kustomize.
An admin creates or updates a `WorkloadTemplate` in `ocdp-server`. That template An admin creates or updates a `WorkloadTemplate` in `ocdp-server`. That template
can point at a Helm chart plus one of these Git presets: can point at a Helm chart plus one of these Git postRenders:
```yaml ```yaml
templateType: kustomize templateType: composite
source: source:
type: helm type: helm
repositoryUrl: https://kuoss.github.io/helm-charts repositoryUrl: https://kuoss.github.io/helm-charts
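Review bot: `templateType: kustomize` becoming `templateType: composite` in the YAML example is not a rename like the rest of this hunk, and the surrounding README text never defines `composite` or lists the accepted values. Add a sentence saying what `composite` means and whether `kustomize` is still a valid value.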
@ -58,7 +57,7 @@ source:
persistence: persistence:
enabled: true enabled: true
size: 20Gi size: 20Gi
preset: postRender:
type: kustomize type: kustomize
repositoryUrl: https://gitea.example.com/ocdp/ocdp-workload-manifests.git repositoryUrl: https://gitea.example.com/ocdp/ocdp-workload-manifests.git
ref: main ref: main
@ -66,11 +65,11 @@ source:
``` ```
After the template is stored in PostgreSQL and assigned to users or groups, users After the template is stored in PostgreSQL and assigned to users or groups, users
call `ocdp-server` to create a claim by submitting `templateId`, `workspaceId`, call `ocdp-server` to create a workload by submitting `templateId`, `workspaceId`,
and values. `ocdp-server` resolves the template from PostgreSQL and writes a and values. `ocdp-server` resolves the template from PostgreSQL and writes a
`WorkloadClaim` CR into the target Kubernetes cluster. The operator renders Helm `Workload` CR into the target Kubernetes cluster. The operator renders Helm
with the resolved values, applies the Kustomize preset, and then applies the with the resolved values, applies the Kustomize postRender, and then applies the
final Kubernetes resources. The final user-created claim lives in Kubernetes, final Kubernetes resources. The final user-created workload lives in Kubernetes,
not in PostgreSQL. not in PostgreSQL.
## Layout ## Layout
@ -101,7 +100,7 @@ tests/
## Server Usage ## Server Usage
`ocdp-server` should store a Helm source plus a Kustomize preset reference: `ocdp-server` should store a Helm source plus a Kustomize postRender reference:
```yaml ```yaml
source: source:
@ -110,7 +109,7 @@ source:
chart: code-server chart: code-server
version: 3.16.1 version: 3.16.1
releaseName: "{{ name }}" releaseName: "{{ name }}"
preset: postRender:
type: kustomize type: kustomize
repositoryUrl: https://gitea.example.com/ocdp/ocdp-workload-manifests.git repositoryUrl: https://gitea.example.com/ocdp/ocdp-workload-manifests.git
ref: main ref: main
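Review bot: In this example the chart is pinned with `version: 3.16.1`, but the postRender that rewrites its output follows `ref: main`, so whatever lands on that branch changes what is applied to the cluster for a template that is already stored. Consider showing a tag or commit SHA for `ref` in the documented example, or state that `main` is expected to be a protected branch.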
@ -118,16 +117,16 @@ source:
``` ```
For one deployment, `ocdp-server` stores the Helm chart reference, static Helm For one deployment, `ocdp-server` stores the Helm chart reference, static Helm
values, preset reference, and the template value contract. The preset renders values, postRender reference, and the template value contract. The postRender
with Workload `spec.values`, so environment-specific implementation details renders with Workload `spec.values`, so environment-specific implementation
should live in the selected preset instead of in the WorkloadTemplate create details should live in the selected postRender instead of in the WorkloadTemplate
form. create form.
## Exposure ## Exposure
Base services should stay internally reachable unless an environment preset Base services should stay internally reachable unless an environment postRender
intentionally changes the Service shape. For standard self-service workloads, intentionally changes the Service shape. For standard self-service workloads,
exposure is an admin preset decision and a user read view, not a user claim exposure is an admin postRender decision and a user read view, not a user workload
input. input.
Reusable components are still useful implementation building blocks: Reusable components are still useful implementation building blocks:
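Review bot: The changed sentence in the Exposure section says exposure is "not a user workload input", while the execution guide updated in this same commit tells authors to expose apps "from Workload top-level intent such as `exposure=internal` or `exposure=external`". Both lines were touched here, so reconcile them: either exposure is a field on the Workload or it is fixed by the admin postRender.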
@ -137,7 +136,7 @@ Reusable components are still useful implementation building blocks:
- `components/service-loadbalancer`: change the app Service to `LoadBalancer`. - `components/service-loadbalancer`: change the app Service to `LoadBalancer`.
- `components/service-nodeport`: change the app Service to `NodePort`. - `components/service-nodeport`: change the app Service to `NodePort`.
When a preset needs NodePort, it may leave the concrete nodePort for Kubernetes When a postRender needs NodePort, it may leave the concrete nodePort for Kubernetes
to allocate: to allocate:
```yaml ```yaml

@ -8,15 +8,15 @@ The OCDP self-service code-server flow is Helm-backed now:
```text ```text
Helm chart Helm chart
-> operator helm template -> operator helm template
-> packages/code-server/presets/k3s-hami -> packages/code-server/post-renders/k3s-hami
-> final Kubernetes resources -> final Kubernetes resources
``` ```
The environment-specific preset lives in The environment-specific postRender lives in
`packages/code-server/presets/k3s-hami`. That preset owns the platform image `packages/code-server/post-renders/k3s-hami`. That postRender owns the platform image
`harbor.bwgdi.com/library/earth2studio-demo:v6`, registry pull secret, HAMi `harbor.bwgdi.com/library/earth2studio-demo:v6`, registry pull secret, HAMi
scheduler, Service shape, code-server auth mode, and GPU resource keys. scheduler, Service shape, code-server auth mode, and GPU resource keys.
Users only fill CPU, memory, GPU count, and GPU memory. See Users only fill CPU, memory, GPU count, and GPU memory. See
`packages/code-server/presets/k3s-hami/userInputs.yaml` for the values schema `packages/code-server/post-renders/k3s-hami/userInputs.yaml` for the values schema
that the console should render into the WorkloadClaim form. that the console should render into the Workload form.

@ -20,7 +20,7 @@ spec:
app.kubernetes.io/part-of: ocdp-workload app.kubernetes.io/part-of: ocdp-workload
spec: spec:
imagePullSecrets: imagePullSecrets:
- name: regcred - name: harbor-regcred
schedulerName: hami-scheduler schedulerName: hami-scheduler
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
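Review bot: Changing the `imagePullSecrets` entry to `harbor-regcred` only works if a Secret with that name exists in every namespace where this pod spec is rendered, and none of the visible hunks create or rename it. Confirm that whatever provisions the registry credential was switched from `regcred` in the same rollout, otherwise image pulls will fail while the old Secret is still the only one present.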

@ -16,7 +16,7 @@ Helm chart + resolved values
environment-managed choices: environment-managed choices:
- image: `harbor.bwgdi.com/library/earth2studio-demo:v6` - image: `harbor.bwgdi.com/library/earth2studio-demo:v6`
- pull secret: `regcred` - pull secret: `harbor-regcred`
- scheduler: `hami-scheduler` - scheduler: `hami-scheduler`
- HAMi resource limit keys: `nvidia.com/gpu` and `nvidia.com/gpumem` - HAMi resource limit keys: `nvidia.com/gpu` and `nvidia.com/gpumem`
- NodePort Service on port `80` - NodePort Service on port `80`
@ -29,6 +29,6 @@ start so the mounted volume does not hide the demo files baked into the image.
`post-renders/k3s-hami/userInputs.yaml` is the user-facing value contract. Users `post-renders/k3s-hami/userInputs.yaml` is the user-facing value contract. Users
only choose CPU, memory, GPU count, and GPU memory. The console renders these only choose CPU, memory, GPU count, and GPU memory. The console renders these
fields as the WorkloadClaim form; the operator receives the resolved values on fields as the Workload form; the operator receives the resolved values on
the Workload CR and applies the postRender patches. Storage, exposure, image, the Workload CR and applies the postRender patches. Storage, exposure, image,
scheduler, pull secret, and code-server auth mode stay in the admin postRender. scheduler, pull secret, and code-server auth mode stay in the admin postRender.

@ -26,7 +26,7 @@ patches:
app.kubernetes.io/part-of: ocdp-workload app.kubernetes.io/part-of: ocdp-workload
spec: spec:
imagePullSecrets: imagePullSecrets:
- name: regcred - name: harbor-regcred
schedulerName: hami-scheduler schedulerName: hami-scheduler
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000

@ -26,7 +26,7 @@ patches:
app.kubernetes.io/part-of: ocdp-workload app.kubernetes.io/part-of: ocdp-workload
spec: spec:
imagePullSecrets: imagePullSecrets:
- name: regcred - name: harbor-regcred
schedulerName: hami-scheduler schedulerName: hami-scheduler
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
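Review bot: This is the third file in the commit with the identical `- name: regcred` to `- name: harbor-regcred` edit inside the same `imagePullSecrets` / `schedulerName` / `securityContext` block. Since the repository already keeps reusable pieces under `apps/*/components`, consider moving this pod-spec patch into one shared component so the pull secret name is set in a single place.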