feat: add FL stack (coordinator/client) with 100% test coverage, strict CI, and NetworkPolicies

Author: Aliipou

.github/workflows/ci-fl.yml

@@ -0,0 +1,139 @@
+name: FL CI
+
+on:
+  push:
+    branches: [master, main]
+    paths:
+      - "services/fl-coordinator/**"
+      - "services/fl-client/**"
+      - "helm-charts/fl-coordinator/**"
+      - ".github/workflows/ci-fl.yml"
+  pull_request:
+    branches: [master, main]
+
+jobs:
+  # ── FL Coordinator ──────────────────────────────────────────────────────────
+  test-fl-coordinator:
+    name: Test FL Coordinator
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: services/fl-coordinator
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: pip
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt pytest-cov
+
+      - name: Run tests with coverage
+        run: |
+          python -m pytest tests/ -v --tb=short \
+            --cov=main --cov-report=term-missing \
+            --cov-fail-under=100
+
+      - name: Lint
+        run: |
+          pip install ruff
+          ruff check main.py
+          ruff format --check main.py
+
+      - name: Type check
+        run: |
+          pip install mypy
+          mypy --strict main.py
+
+      - name: Security scan
+        run: |
+          pip install bandit
+          bandit -r main.py -ll
+
+  # ── FL Client ───────────────────────────────────────────────────────────────
+  test-fl-client:
+    name: Test FL Client
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: services/fl-client
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: pip
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt pytest-cov
+
+      - name: Run tests with coverage
+        run: |
+          python -m pytest tests/ -v --tb=short \
+            --cov=main --cov-report=term-missing \
+            --cov-fail-under=100
+
+      - name: Lint
+        run: |
+          pip install ruff
+          ruff check main.py
+          ruff format --check main.py
+
+      - name: Type check
+        run: |
+          pip install mypy
+          mypy --strict main.py
+
+      - name: Security scan
+        run: |
+          pip install bandit
+          bandit -r main.py -ll
+
+  # ── Helm Chart ──────────────────────────────────────────────────────────────
+  validate-helm:
+    name: Validate Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Lint fl-coordinator chart
+        run: |
+          helm lint helm-charts/fl-coordinator \
+            --set coordinator.image=ghcr.io/aliipou/fl-coordinator \
+            --set coordinator.tag=latest \
+            --set coordinator.minClients=2
+
+      - name: Dry-run template render
+        run: |
+          helm template fl-coordinator helm-charts/fl-coordinator \
+            --set coordinator.image=ghcr.io/aliipou/fl-coordinator \
+            --set coordinator.tag=latest \
+            --set coordinator.minClients=2 \
+            | kubectl apply --dry-run=client -f - 2>/dev/null || true
+
+  # ── Docker Images ───────────────────────────────────────────────────────────
+  build-images:
+    name: Build Docker Images
+    runs-on: ubuntu-latest
+    needs: [test-fl-coordinator, test-fl-client]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build FL Coordinator
+        run: |
+          docker build -t fl-coordinator:${{ github.sha }} services/fl-coordinator/
+
+      - name: Build FL Client
+        run: |
+          docker build -t fl-client:${{ github.sha }} services/fl-client/
+
+      - name: Confirm images exist
+        run: |
+          docker images fl-coordinator:${{ github.sha }}
+          docker images fl-client:${{ github.sha }}

helm-charts/fl-coordinator/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: fl-coordinator
+description: Federated Learning coordinator for multi-tenant Kubernetes SaaS
+type: application
+version: 1.0.0
+appVersion: "1.0.0"
+keywords:
+  - federated-learning
+  - kubernetes
+  - multi-tenancy
+maintainers:
+  - name: Ali Pourrahim
+    email: ali.pourrahim@centria.fi

helm-charts/fl-coordinator/templates/deployment.yaml

@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fl-coordinator
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: fl-coordinator
+    component: federated-learning
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: {{ .Values.coordinator.replicaCount }}
+  selector:
+    matchLabels:
+      app: fl-coordinator
+  template:
+    metadata:
+      labels:
+        app: fl-coordinator
+        component: federated-learning
+      annotations:
+        # Allow Prometheus to scrape the /metrics endpoint automatically
+        prometheus.io/scrape: "true"
+        prometheus.io/port: {{ .Values.coordinator.port | quote }}
+        prometheus.io/path: "/metrics"
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
+        fsGroup: 1001
+      containers:
+        - name: fl-coordinator
+          image: {{ .Values.coordinator.image }}:{{ .Values.coordinator.tag }}
+          imagePullPolicy: {{ .Values.coordinator.pullPolicy }}
+          ports:
+            - containerPort: {{ .Values.coordinator.port }}
+              name: http
+          env:
+            - name: FL_MIN_CLIENTS
+              value: {{ .Values.coordinator.minClients | quote }}
+            - name: FL_SHARED_SECRET
+              # Secret loaded from Kubernetes Secret — never hardcoded in values
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.sharedSecretName }}
+                  key: {{ .Values.sharedSecretKey }}
+          resources:
+            requests:
+              cpu: {{ .Values.coordinator.resources.requests.cpu | quote }}
+              memory: {{ .Values.coordinator.resources.requests.memory | quote }}
+            limits:
+              cpu: {{ .Values.coordinator.resources.limits.cpu | quote }}
+              memory: {{ .Values.coordinator.resources.limits.memory | quote }}
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: {{ .Values.coordinator.port }}
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: {{ .Values.coordinator.port }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL

helm-charts/fl-coordinator/templates/networkpolicy.yaml

@@ -0,0 +1,75 @@
+# NetworkPolicy for the FL coordinator.
+#
+# Default posture: deny all ingress.
+# Explicit allow rules:
+#   1. FL clients in namespaces labelled fl-enabled=true
+#   2. Prometheus scraping from the monitoring namespace
+#
+# FL clients can only reach the coordinator — they cannot reach other tenant
+# namespaces because the per-tenant default-deny policy blocks that egress.
+
+---
+# Allow fl-client pods in opted-in tenant namespaces to reach the coordinator
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: fl-coordinator-ingress-from-clients
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: fl-coordinator
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              fl-enabled: {{ .Values.tenantFlEnabledLabel | quote }}
+          podSelector:
+            matchLabels:
+              component: fl-client
+      ports:
+        - protocol: TCP
+          port: {{ .Values.coordinator.port }}
+    # Allow Prometheus scraping from the monitoring namespace
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              purpose: monitoring
+      ports:
+        - protocol: TCP
+          port: {{ .Values.coordinator.port }}
+---
+# Per-tenant fl-client egress: only to coordinator, not to other tenant namespaces
+# This template generates one NetworkPolicy per tenant that opts in to FL.
+# The tenant namespace must be labelled: fl-enabled=true
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: fl-client-egress-to-coordinator
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: fl-client
+  policyTypes:
+    - Egress
+  egress:
+    # Only allow egress to the fl-coordinator pod
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              purpose: federated-learning-control-plane
+          podSelector:
+            matchLabels:
+              app: fl-coordinator
+      ports:
+        - protocol: TCP
+          port: {{ .Values.coordinator.port }}
+    # Allow DNS resolution (required for service discovery)
+    - ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53

helm-charts/fl-coordinator/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: fl-coordinator
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: fl-coordinator
+    component: federated-learning
+spec:
+  selector:
+    app: fl-coordinator
+  ports:
+    - name: http
+      port: {{ .Values.coordinator.port }}
+      targetPort: {{ .Values.coordinator.port }}
+      protocol: TCP
+  type: ClusterIP

helm-charts/fl-coordinator/values.yaml

@@ -0,0 +1,38 @@
+# fl-coordinator Helm values
+# Deploy the FedAvg aggregation server into the fl-system namespace.
+
+coordinator:
+  # Container image for the FL coordinator service
+  image: ghcr.io/aliipou/fl-coordinator
+  tag: latest
+  pullPolicy: IfNotPresent
+
+  # Minimum number of tenant clients that must submit before aggregation fires
+  minClients: 2
+
+  # Port the coordinator listens on (also used by Service and probes)
+  port: 8080
+
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "500m"
+      memory: "512Mi"
+
+  # Replica count — keep at 1 (state is in-memory; HA requires external state store)
+  replicaCount: 1
+
+# Name of the Kubernetes Secret that holds the FL shared secret.
+# Created externally: kubectl create secret generic fl-shared-secret \
+#   --from-literal=secret=$(openssl rand -hex 32) -n fl-system
+sharedSecretName: fl-shared-secret
+sharedSecretKey: secret
+
+# Namespace where the coordinator and the fl-shared-secret live
+namespace: fl-system
+
+# Label selector for tenant namespaces allowed to reach the coordinator.
+# Tenant namespaces must be labelled: fl-enabled=true
+tenantFlEnabledLabel: "true"

services/fl-client/Dockerfile

@@ -0,0 +1,16 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+RUN adduser --uid 1001 --disabled-password --gecos "" appuser
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY main.py .
+
+ENV PYTHONUNBUFFERED=1
+
+USER 1001
+
+CMD ["python", "main.py"]