Merged
9 changes: 2 additions & 7 deletions deployment/README.md
Expand Up @@ -191,18 +191,13 @@ AUD="$(kubectl create token default --duration=10m \

echo "Patching AuthPolicy with audience: $AUD"

# Note: Auth policy path may vary depending on your deployment
# For consolidated deployment structure:

# Patch MaaS API AuthPolicy
kubectl patch --local -f ${PROJECT_DIR}/deployment/base/policies/maas-auth-policy.yaml \
kubectl patch authpolicy maas-api-auth-policy -n maas-api \
--type='json' \
-p "$(jq -nc --arg aud "$AUD" '[{
op:"replace",
path:"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences/0",
value:$aud
}]')" \
-o yaml | kubectl apply -f -
}]')"

```
## Testing the Deployment
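Review bot: the new command patches the live AuthPolicy `maas-api-auth-policy` in namespace `maas-api` by name instead of rendering the local manifest and piping it through `kubectl apply`, so it now depends on that object already existing under exactly that name and namespace. Since this PR deletes `deployment/base/maas-api/maas-auth-policy.yaml` and the policy now comes from the policies directory (`auth-policy.yaml`), please double-check that the name in the README matches the `metadata.name` in that file. Two smaller points: the jq `replace` op on `.../audiences/0` fails if the audiences list is empty, so a short note on that would help, and the change drops the re-apply of the in-repo file, meaning the repository manifest no longer reflects the patched audience.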
35 changes: 0 additions & 35 deletions deployment/base/maas-api/clusterrole.yaml

This file was deleted.

13 changes: 0 additions & 13 deletions deployment/base/maas-api/clusterrolebinding.yaml

This file was deleted.

51 changes: 11 additions & 40 deletions deployment/base/maas-api/deployment.yaml
@@ -1,59 +1,36 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: maas-api
namespace: maas-api
labels:
app: maas-api
version: v2
Comment on lines -6 to -9
Collaborator Author

Injected using kustomize

spec:
replicas: 1
selector:
matchLabels:
app: maas-api
template:
metadata:
labels:
app: maas-api
version: v2
annotations:
sidecar.istio.io/inject: "false"
Collaborator Author

I hope we have no Istio :) And no auto-injection on the ns

spec:
serviceAccountName: maas-api
securityContext:
runAsNonRoot: true
containers:
- name: maas-api
image: quay.io/opendatahub/maas-api:latest
image: maas-api
Collaborator Author

Injected using kustomize - open for customizations in overlays

imagePullPolicy: Always
ports:
- containerPort: 8080
name: http
protocol: TCP
env:
- name: PROVIDER
value: "sa-tokens"
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KEY_NAMESPACE
value: llm
- name: SECRET_SELECTOR_LABEL
value: kuadrant.io/apikeys-by
- name: SECRET_SELECTOR_VALUE
value: rhcl-keys
Comment on lines -41 to -46
Collaborator Author

Not needed for token-based manager.

- name: PORT
value: "8080"
- name: CREATE_DEFAULT_TEAM
value: "true"
- name: TOKEN_RATE_LIMIT_POLICY_NAME
value: "gateway-token-rate-limits"
- name: AUTH_POLICY_NAME
value: "gateway-auth-policy"
Comment on lines -49 to -54
Collaborator Author

Not needed for token-based manager.

- name: GIN_MODE
value: "debug"
Comment on lines -55 to -56
Collaborator Author

Not ideal for PROD; for dev mode it's always possible to use `kustomize build maas-api/deploy/overlays/dev`, which now only does that and swaps the image to a custom one if provided.

- name: PROVIDER
value: sa-tokens
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "200m"
Comment on lines +27 to +33
Collaborator Author

Maybe we can tweak it

Contributor

This is small enough that I don't think it matters unless it is causing us issues.

livenessProbe:
Comment on lines 6 to 34
Contributor

@coderabbitai coderabbitai bot Oct 2, 2025

⚠️ Potential issue | 🔴 Critical

Deployment manifest missing required selector/labels

spec.selector and matching template.metadata.labels were dropped. Without them the API rejects the Deployment (spec.selector: Required value), so the MaaS API never reconciles. Please restore the selector and labels, for example:

 spec:
   replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: maas-api
   template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: maas-api
     spec:

You can add extra labels if needed, but the selector and matching pod labels must be present.

📝 Committable suggestion


Suggested change
replicas: 1
selector:
matchLabels:
app: maas-api
template:
metadata:
labels:
app: maas-api
version: v2
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: maas-api
securityContext:
runAsNonRoot: true
containers:
- name: maas-api
image: quay.io/opendatahub/maas-api:latest
image: maas-api
imagePullPolicy: Always
ports:
- containerPort: 8080
name: http
protocol: TCP
env:
- name: PROVIDER
value: "sa-tokens"
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KEY_NAMESPACE
value: llm
- name: SECRET_SELECTOR_LABEL
value: kuadrant.io/apikeys-by
- name: SECRET_SELECTOR_VALUE
value: rhcl-keys
- name: PORT
value: "8080"
- name: CREATE_DEFAULT_TEAM
value: "true"
- name: TOKEN_RATE_LIMIT_POLICY_NAME
value: "gateway-token-rate-limits"
- name: AUTH_POLICY_NAME
value: "gateway-auth-policy"
- name: GIN_MODE
value: "debug"
- name: PROVIDER
value: sa-tokens
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "200m"
livenessProbe:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: maas-api
template:
metadata:
labels:
app.kubernetes.io/name: maas-api
spec:
serviceAccountName: maas-api
securityContext:
runAsNonRoot: true
containers:
- name: maas-api
image: maas-api
imagePullPolicy: Always
ports:
- containerPort: 8080
name: http
protocol: TCP
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: PROVIDER
value: sa-tokens
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "200m"
livenessProbe:
🤖 Prompt for AI Agents
In deployment/base/maas-api/deployment.yaml around lines 6 to 34, the Deployment
is missing spec.selector and matching template.metadata.labels which causes
Kubernetes to reject the manifest; add a spec.selector.matchLabels block under
spec that matches labels you add to template.metadata.labels (e.g., app:
maas-api) and ensure the same key/value pair exists on the pod template labels
so the selector and pod labels are identical and the Deployment can reconcile.

Collaborator Author

They're injected by Kustomize when rendering - see kustomization.yaml

Contributor


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the kustomization.yaml file to confirm includeSelectors configuration
cat deployment/base/maas-api/kustomization.yaml

Length of output: 476


@bartoszmajsak You're absolutely right, and I apologize for the incorrect flag! 🙏

I can confirm that deployment/base/maas-api/kustomization.yaml has includeSelectors: true configured with the following labels:

  • app.kubernetes.io/part-of: model-as-a-service
  • app.kubernetes.io/component: api
  • app.kubernetes.io/name: maas-api

When Kustomize renders the manifests, it will automatically inject these labels into both spec.selector.matchLabels and spec.template.metadata.labels, making the Deployment valid. This is consistent with the Kustomize pattern you're using throughout the project (as I learned from PR #39).

Thank you for the clarification! The deployment manifest is correctly structured for Kustomize processing.


🧠 Learnings used
Learnt from: bartoszmajsak
PR: opendatahub-io/maas-billing#39
File: key-manager/deploy/base/deployment.yaml:5-8
Timestamp: 2025-09-05T18:05:13.035Z
Learning: In Kustomize, when labels are defined with includeSelectors: true in kustomization.yaml, the labels are automatically added to spec.selector.matchLabels and spec.template.metadata.labels for Deployment resources, making it unnecessary to manually specify these fields in the Deployment manifest.

httpGet:
path: /health
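Review bot: deployment.yaml is now only valid after `kustomize build`: the image reference `maas-api` is resolved by the `images:` entry in kustomization.yaml, and, as the thread above settles, `spec.selector` and the pod labels are injected by `labels` with `includeSelectors: true`. A plain `kubectl apply -f deployment.yaml` on this file alone would be rejected for the missing selector and would reference an image that does not exist, so a one-line comment at the top of the file stating that it must be rendered through the kustomization would spare the next reader the same confusion. Dropping `GIN_MODE: "debug"` and the duplicated `PROVIDER` entry is good, and pod-level `runAsNonRoot: true` is retained.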
Expand All @@ -70,17 +47,11 @@ spec:
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
terminationGracePeriodSeconds: 30
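Review bot: the `resources` block removed here (requests 64Mi/250m, limits 128Mi/500m) duplicated the `resources` key that is kept earlier in the same container (64Mi/50m, 128Mi/200m). With two identical keys in one mapping, parsers either take the last one or reject the document, so the old effective CPU limit was ambiguous and quite possibly 500m; please confirm that 50m/200m is the intended value, in line with the "maybe we can tweak it" thread, rather than a side effect of the deduplication. The container `securityContext` (drop ALL, no privilege escalation, read-only root filesystem, non-root) stays in place, which is good; the added `terminationGracePeriodSeconds: 30` could use a short comment on why 30s was chosen.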
22 changes: 16 additions & 6 deletions deployment/base/maas-api/kustomization.yaml
Expand Up @@ -7,9 +7,19 @@ resources:
- namespace.yaml
- deployment.yaml
- service.yaml
- httproute.yaml
- maas-auth-policy.yaml
- tier-mapping-configmap.yaml
- clusterrolebinding.yaml
- clusterrole.yaml
- serviceaccount.yaml
- rbac
- networking
- policies
- resources

labels:
- includeSelectors: true
pairs:
app.kubernetes.io/part-of: model-as-a-service
app.kubernetes.io/component: api
app.kubernetes.io/name: maas-api

images:
- name: maas-api
newName: quay.io/opendatahub/maas-api
newTag: latest
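Review bot: the `images:` override pins `newTag: latest`, and the deployment keeps `imagePullPolicy: Always`, so every pod restart may pull a different build and a rollout cannot be reproduced or rolled back to a known image. Suggest that non-dev overlays override `newTag` with a release tag or, better, set `digest:` in the image entry so the image is pinned by content. Separately, `clusterrole.yaml` and `clusterrolebinding.yaml` are deleted in favour of the `rbac` directory, whose contents are not visible in this diff; since the thread notes the secret-selector settings are no longer needed, it is worth confirming the replacement role grants only what the token-based manager still requires.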
19 changes: 0 additions & 19 deletions deployment/base/maas-api/maas-auth-policy.yaml

This file was deleted.

Expand Up @@ -5,5 +5,4 @@ metadata:
name: maas-api-gw-api-routing-infra

resources:
- gateway.yaml
- httproute.yaml
Expand Up @@ -4,5 +4,6 @@ kind: Kustomization
metadata:
name: maas-api-policies

# This requires Kuadrant/Red Hat Connectivity Link to be installed
resources:
- auth-policy.yaml
14 changes: 6 additions & 8 deletions deployment/base/maas-api/service.yaml
@@ -1,15 +1,13 @@
# Service definition for MaaS API
---
apiVersion: v1
kind: Service
metadata:
name: maas-api
namespace: maas-api
spec:
type: ClusterIP
selector:
app: maas-api
app.kubernetes.io/name: maas-api
ports:
- name: http
port: 8080
targetPort: 8080
- name: http
port: 8080
targetPort: http
protocol: TCP
type: ClusterIP
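Review bot: the selector `app.kubernetes.io/name: maas-api` duplicates a label the kustomization already injects with `includeSelectors: true`, which also adds the `part-of` and `component` pairs to this selector at build time, so the explicit entry is harmless but redundant and worth a comment so nobody "fixes" it later. `targetPort: http` correctly references the container port named `http` in deployment.yaml. As with deployment.yaml, the raw file is no longer self-sufficient: without the Kustomize-injected pod labels nothing would match this selector and the Service would have no endpoints.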
2 changes: 1 addition & 1 deletion deployment/base/policies/kustomization.yaml
Expand Up @@ -5,7 +5,7 @@ metadata:
name: maas-auth

resources:
# Authentication and rate limiting policies for the gateway
# Gateway policies - default for all models
- gateway-auth-policy.yaml
- token-limit-policy.yaml
- rate-limit-policy.yaml
61 changes: 0 additions & 61 deletions deployment/components/kserve/kserve-config-openshift.yaml

This file was deleted.

8 changes: 0 additions & 8 deletions deployment/components/kserve/kustomization.yaml

This file was deleted.

46 changes: 0 additions & 46 deletions deployment/components/kserve/openshift-scc.yaml

This file was deleted.
