Ruigao/update for 1.6 (#177)

* update golang toolchain to latest version

* fix the package updates suggested by dependbot

* Update webportal to node.js 24 with necessary packages updating

* update webportal docker file to use node slim for output

* fix go version for some of dockerfiles

* reduce the size of clustrer-local-storage docker image

* reduce the size of copilot-chat docker image

* reduce the size of dashboard-data-backup docker image

* reduce the docker image size of utilization-reporter

* rduce the size of abnormal-detector docker image

* reduce the docker image size of cert-expiration-checker

* reduce the docker image size of cluster-utilization

* reduce the docker image size of reverse proxy

* reduce the docker image size of model-proxy

* downgrade the kube-scheduler version to the same one as the service k8s version

* fix the display problem of job's YAML and output log

* add cilium docker build to fix Azure security warnings

* fix the security warnings found by ai fix tool

* fix the build problem

* fix the dockerfile errors

* update k8s-rdma-shared-dev-plugin version to adapt latest grpc package

* update cilium to version 1.18.8

* update all the binaries with go version to 1.25

* security update with GO package update and NPM package update

* remove npm related packages for webportal service

* make imagePullSecrets conditional to eliminate FailedToRetrieveImagePullSecret warnings

When secret-name is not configured (or empty), deployment templates no longer
render imagePullSecrets, and the cluster-configuration scripts skip secret
creation/deletion. The rest-server also handles empty secret-name gracefully.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* skip the validation job submittion for CPU nodes

* fix the proble that no pip update for copilot chat

* fix NPM packages for docker images including rest server, alert manager and database controller

* update reverseproxy

* fix the gprc version for kube-scheduler

* fix S360 vulnerabilities for alert-handler (nodemailer) and job-status-change-notification (minimatch)

- alert-handler: add nodemailer resolution to force >=7.0.11, fixing vulnerable 6.10.1 pulled by email-templates/preview-email
- job-status-change-notification: switch to yarn workspaces focus --production to avoid installing devDependencies (eslint plugins with vulnerable minimatch), matching database-controller pattern

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* update package version for reverseproxy

* upgrade Cilium v1.18.8 to v1.18.9 to fix S360 grpc vulnerability (google.golang.org/grpc v1.74.2 -> v1.79.3)

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* fix job-detail page error handling for permission denied errors

When a user without permission opens another user's job page, fetchJobInfo
returns 403 but the error was silently ignored, causing the page to show
"Loading..." forever with a vague empty alert. Now fetchJobInfo checks HTTP
status, shows a clear permission error, and skips subsequent requests.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Add IPoIB subnet route in init.sh to fix IB TCP connectivity on NM-managed nodes

On VMSS nodes where NetworkManager manages IB interfaces, ifconfig sets
the IP with noprefixroute flag, preventing automatic subnet route creation.
This causes IPoIB TCP (rsync/bcast) to fail between nodes while RDMA works.
Add explicit route check and creation after ifconfig to ensure connectivity.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Skip classification for cordoned nodes with empty NodeId to prevent OFR pipeline from stalling

Nodes with empty NodeId would transition to triaged_hardware but OFR cannot
create IcM tickets without a valid NodeId, causing the pipeline to stall.
Now these nodes stay in cordoned status so the classifier retries on the next cycle.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Fix nodemailer S360 vulnerability by upgrading yarn resolution from 7.x to 8.0.5

The resolutions field pinned nodemailer to ^7.0.11 which overrode the
dependencies entry of ^8.0.5, causing yarn to install 7.0.13 in the image.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Fix S360 vulnerabilities across 13 container images

npm upgrades:
- alert-handler: axios 1.13.5->1.15.2, follow-redirects 1.15.11->1.16.0
- database-controller: lodash 4.17.23->4.18.1 (added yarn resolution)
- rest-server, job-status-change-notification, webportal: follow-redirects 1.15.11->1.16.0

Dockerfile updates (add tdnf update for Azure Linux openssl 3.3.5-4->3.3.5-5):
- alert-parser, node-recycler, node-issue-classifier, job-data-recorder

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Downgrade hardware issues without Azure FaultCode to triaged_unknown

Hardware issues like FrontendNetworkIssue and DiskError have no matching
Azure OFR fault code. Submitting OFR for these results in unresolvable
tickets and, combined with the lack of dedup in node-recycler, causes
repeated OFR submissions (as seen with openpai-00000s). By downgrading
to triaged_unknown the node stays visible for manual investigation
while avoiding the broken OFR pipeline.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Prevent node-recycler from submitting duplicate OFR tickets for the same node

Check the latest action before creating a new IcM OFR ticket — if
triaged_hardware-ua already exists, skip ticket creation and reuse the
existing ticket ID for polling.  This fixes the bug where every pipeline
loop could spawn a new OFR request for the same node because
get_latest_action_by_state (endswith query) never matches the
triaged_hardware-ua action.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Make Prometheus retention size configurable per service

Hardcoded 8TB retention caused disk full on the we cluster (16T disk).
Now each service can override retention_size in services-configuration.yaml.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Fix KeyError when alert-parser processes validating node with no alerts

When a validating/available_nodata node has zero alert records in Kusto
(e.g. due to Prometheus data gap), find_node_alerts returns an empty
DataFrame without columns. Accessing period_alerts['alertname'] then
raises KeyError, causing the node to be stuck in validating indefinitely.

Add an empty check before accessing DataFrame columns.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* update go-ntlmssp version to 0.1.1 for reverse proxy

* Remove webportal-dind replacement logic from CI build workflow

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Filter out deleted webportal-dind from changed services detection

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Filter out dev-box from changed services detection in CI

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

* Upgrade metrics-cleaner base image from Python 3.7 to 3.12-slim

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

---------

Co-authored-by: Rui Gao <ruigao@microsoft.com>
Co-authored-by: Claude Opus 4 <noreply@anthropic.com>

Author: 3 people

.github/workflows/build-deploy-changes.yaml

@@ -63,7 +63,7 @@ jobs:
           # extract service folders under src/
           folders=$(echo "$changed_files" | grep '^src/' \
             |  awk -F'/' '{print $2}' \
-            | sort -u | tr '\n' ' ')
+            | sort -u | grep -v -E '^(webportal-dind|dev-box)$' | tr '\n' ' ')
           echo "Changed folders: $folders"
 
           # export as output for next steps
@@ -182,18 +182,7 @@ jobs:
             --overwrite-existing
           kubelogin convert-kubeconfig -l azurecli
           kubectl config use-context ${{ secrets.KUBERNETES_CLUSTER }}
-            # Replace "webportal" with "webportal-dind" if "webportal" is changed
             services_to_deploy="${{ steps.changes.outputs.folders }}"
-            if echo " $services_to_deploy " | grep -q " webportal "; then
-              tmp=""
-              for s in $services_to_deploy; do
-                [ "$s" = "webportal" ] && continue
-                [ "$s" = "webportal-dind" ] && continue
-                tmp="$tmp $s"
-              done
-              services_to_deploy="$tmp webportal-dind"
-              services_to_deploy=$(echo "$services_to_deploy" | xargs)
-            fi
             echo "Final services to deploy: $services_to_deploy"
           if echo " $services_to_deploy " | grep -q " cluster-local-storage-worker "; then
             sed -i '42s/value: "8"/value: "0"/' $GITHUB_WORKSPACE/src/cluster-local-storage-worker/deploy/cluster-local-storage-worker.yaml.template

build/model/config_model.py

@@ -49,7 +49,8 @@ def build_config_parse(self):
             self.buildConfigDict["dockerRegistryInfo"]["dockerTag"] = \
                 buildConfigContent["cluster"]["docker-registry-info"]["docker-tag"]
             self.buildConfigDict["dockerRegistryInfo"]["secretName"] = \
-                buildConfigContent["cluster"]["docker-registry-info"]["secret-name"]
+                buildConfigContent["cluster"]["docker-registry-info"]["secret-name"] \
+                if "secret-name" in buildConfigContent["cluster"]["docker-registry-info"] else ""
 
         else:
             self.buildConfigDict["dockerRegistryInfo"] = buildConfigContent["cluster"]["docker-registry"]
@@ -66,6 +67,7 @@ def build_config_parse(self):
             self.buildConfigDict["dockerRegistryInfo"]["dockerTag"] = \
                 buildConfigContent["cluster"]["docker-registry"]["tag"]
             self.buildConfigDict["dockerRegistryInfo"]["secretName"] = \
-                buildConfigContent["cluster"]["docker-registry"]["secret-name"]
+                buildConfigContent["cluster"]["docker-registry"]["secret-name"] \
+                if "secret-name" in buildConfigContent["cluster"]["docker-registry"] else ""
 
         return self.buildConfigDict

contrib/aks/k8s-deploy/cilium.yaml

@@ -0,0 +1,51 @@
+declare module '*.css' {
+  const content: { [className: string]: string };
+  export default content;
+}
+
+declare module '*.scss' {
+  const content: { [className: string]: string };
+  export default content;
+}
+
+declare module '*.sass' {
+  const content: { [className: string]: string };
+  export default content;
+}
+
+declare module '*.svg' {
+  import * as React from 'react';
+  export const ReactComponent: React.FunctionComponent<React.SVGProps<SVGSVGElement> & { title?: string }>;
+  const src: string;
+  export default src;
+}
+
+declare module '*.png' {
+  const src: string;
+  export default src;
+}
+
+declare module '*.jpg' {
+  const src: string;
+  export default src;
+}
+
+declare module '*.jpeg' {
+  const src: string;
+  export default src;
+}
+
+declare module '*.gif' {
+  const src: string;
+  export default src;
+}
+
+declare module '*.bmp' {
+  const src: string;
+  export default src;
+}
+
+declare module '*.webp' {
+  const src: string;
+  export default src;
+}

contrib/chat-plugin/src/react-app-env.d.ts

@@ -1,26 +1,26 @@
 {
   "compilerOptions": {
-    "lib": ["dom", "dom.iterable", "esnext"],
+    "target": "es5",
+    "lib": [
+      "dom",
+      "dom.iterable",
+      "esnext"
+    ],
     "allowJs": true,
     "skipLibCheck": true,
-    "strict": true,
-    "noEmit": true,
     "esModuleInterop": true,
+    "allowSyntheticDefaultImports": true,
+    "strict": true,
+    "forceConsistentCasingInFileNames": true,
+    "noFallthroughCasesInSwitch": true,
     "module": "esnext",
-    "moduleResolution": "bundler",
+    "moduleResolution": "node",
     "resolveJsonModule": true,
     "isolatedModules": true,
-    "jsx": "preserve",
-    "incremental": true,
-    "plugins": [
-      {
-        "name": "next"
-      }
-    ],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
+    "noEmit": true,
+    "jsx": "react-jsx"
   },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts", "src/index.tsx"],
-  "exclude": ["node_modules"]
+  "include": [
+    "src"
+  ]
 }

contrib/chat-plugin/tsconfig.json

@@ -20,24 +20,30 @@
   "homepage": "https://github.com/Microsoft/pai#readme",
   "license": "MIT",
   "dependencies": {
-    "@microsoft/openpai-js-sdk": "^0.1.5",
+    "@microsoft/openpai-js-sdk": "file:../../src/openpai-js-sdk/microsoft-openpai-js-sdk-0.2.0.tgz",
+    "ajv": "^8.18.0",
+    "buffer": "^6.0.3",
     "core-js": "^3.0.1",
     "office-ui-fabric-react": "^6.162.1",
+    "process": "^0.11.10",
     "react": "^16.8.4",
     "react-dom": "^16.8.4",
+    "stream-browserify": "^3.0.0",
+    "util": "^0.12.5",
     "whatwg-fetch": "^3.0.0"
   },
   "devDependencies": {
     "@types/react": "^16.8.7",
     "@types/react-dom": "^16.8.2",
-    "node-sass": "^4.14.1",
-    "ts-loader": "^6.2.1",
-    "ts-node": "^8.0.3",
+    "sass": "^1.69.0",
+    "sass-loader": "^13.0.0",
+    "ts-loader": "^9.0.0",
+    "ts-node": "^10.0.0",
     "tslint": "^5.20.1",
     "tslint-react": "^3.6.0",
-    "typescript": "^3.3.3333",
-    "webpack": "^4.29.6",
-    "webpack-cli": "^3.2.3",
-    "webpack-dev-server": "^3.2.1"
+    "typescript": "^4.9.0",
+    "webpack": "^5.88.0",
+    "webpack-cli": "^5.1.0",
+    "webpack-dev-server": "^4.15.0"
   }
 }

contrib/cluster-local-storage-plugin/package.json

@@ -5,10 +5,12 @@ import React from "react";
 import {
   ChoiceGroup, DefaultPalette, Dropdown, DropdownMenuItemType, IDropdownOption,
   Fabric, IChoiceGroupOption, PrimaryButton, Stack, Spinner, SpinnerSize, Text,
-  TextField, Toggle, initializeIcons, mergeStyleSets, getTheme,
+  TextField, Toggle, mergeStyleSets, getTheme,
 } from "office-ui-fabric-react";
 import { PAIV2 } from "@microsoft/openpai-js-sdk";
 
+import { initializeIconsOnce } from "../utils/icon-initializer";
+
 const theme = getTheme();
 const styles = mergeStyleSets({
   form: {
@@ -80,7 +82,7 @@ const styles = mergeStyleSets({
   },
 });
 
-initializeIcons();
+initializeIconsOnce();
 
 interface IFormProps {
   api: string;
@@ -269,7 +271,7 @@ export default class Form extends React.Component<IFormProps, IFormState> {
     try {
       clusterlist = Object.keys(await this.client.virtualCluster.listVirtualClusters());
     } catch (err) {
-      alert(`Failed to get virtual clusters: ${err.message}`);
+      alert(`Failed to get virtual clusters: ${err instanceof Error ? err.message : String(err)}`);
     }
 
     const endpoint = new URL("cluster-local-storage", window.location.href).href;

contrib/cluster-local-storage-plugin/src/App/form.tsx

@@ -2,7 +2,7 @@
 // Licensed under the MIT License.
 
 import React from "react";
-import Form from "./Form";
+import Form from "./form";
 
 interface IProps {
   api: string;

contrib/cluster-local-storage-plugin/src/App/index.tsx

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+import { initializeIcons as fluentInitializeIcons } from "office-ui-fabric-react";
+
+// Global flag to ensure icons are only initialized once
+const ICONS_INITIALIZED_KEY = "__FLUENT_ICONS_INITIALIZED__";
+
+/**
+ * Initialize Fluent UI icons once globally
+ * This wrapper ensures initializeIcons is only called once across the entire application
+ * to prevent duplicate icon registration warnings
+ */
+export function initializeIconsOnce() {
+  // Check if icons have already been initialized
+  if (typeof window !== "undefined" && (window as any)[ICONS_INITIALIZED_KEY]) {
+    return;
+  }
+
+  // Mark as initialized before calling to prevent race conditions
+  if (typeof window !== "undefined") {
+    (window as any)[ICONS_INITIALIZED_KEY] = true;
+  }
+
+  // Initialize all Fluent UI MDL2 icons
+  fluentInitializeIcons();
+}

contrib/cluster-local-storage-plugin/src/utils/icon-initializer.ts

@@ -29,26 +29,41 @@ const configuration = {
   },
   resolve: {
     extensions: [".tsx", ".ts", ".js", ".json"],
+    alias: {
+      'process/browser': require.resolve('process/browser.js'),
+    },
+    fallback: {
+      fs: false,
+      net: false,
+      tls: false,
+      process: require.resolve('process/browser'),
+      buffer: require.resolve('buffer/'),
+      util: require.resolve("util/"),
+      stream: require.resolve("stream-browserify"),
+      http: false,
+      https: false,
+      zlib: false,
+      path: false,
+      crypto: false,
+      url: false,
+      querystring: false,
+      assert: false,
+    }
   },
   plugins: [
     new webpack.IgnorePlugin({
       resourceRegExp: /^esprima$/,
       contextRegExp: /js-yaml/,
     }),
+    new webpack.ProvidePlugin({
+      process: 'process/browser',
+      Buffer: ['buffer', 'Buffer'],
+    }),
   ],
   devServer: {
     host: "0.0.0.0",
     port: 9290,
-    contentBase: false,
-    watchOptions: {
-      ignored: /node_modules/,
-    },
-    disableHostCheck: true,
-  },
-  node: {
-    fs: 'empty',
-    net: 'empty',
-    tls: 'empty',
+    static: false,
   }
 };