新增 Network Intent Controller 的部署腳本、RBAC 設定及服務定義，並更新相關的 Kustomization 配置

Author: thc1006

README.md

@@ -35,6 +35,7 @@ spec:
         prometheus.io/scrape: "true"
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
+        # ServiceMonitor compatible - metrics endpoint available for Prometheus operator
     spec:
       serviceAccountName: llm-processor
       securityContext:
@@ -59,6 +60,8 @@ spec:
         # Service Configuration
         - name: PORT
           value: "8080"
+        - name: HTTP_MAX_BODY
+          value: "1048576"
         - name: LOG_LEVEL
           value: "info"
         - name: SERVICE_VERSION
@@ -83,8 +86,8 @@ spec:
           value: "mistral"
         - name: LLM_MODEL_NAME
           value: "mistral-8x22b"
-        - name: LLM_TIMEOUT
-          value: "60s"
+        - name: LLM_TIMEOUT_SECS
+          value: "15"
         - name: LLM_MAX_TOKENS
           value: "2048"
 

deployments/kustomize/base/llm-processor/deployment.yaml

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# Deploy Network Intent Controller
+# This script deploys the network-intent-controller to a Kubernetes cluster
+
+set -e
+
+echo "========================================"
+echo "Network Intent Controller Deployment"
+echo "========================================"
+echo ""
+
+# Check if kubectl is installed
+if ! command -v kubectl &> /dev/null; then
+    echo "Error: kubectl is not installed"
+    exit 1
+fi
+
+# Check if we can connect to a cluster
+if ! kubectl cluster-info &> /dev/null; then
+    echo "Error: Cannot connect to Kubernetes cluster"
+    echo "Please ensure your kubeconfig is properly configured"
+    exit 1
+fi
+
+# Create namespace if it doesn't exist
+echo "1. Creating namespace 'nephoran-system' if it doesn't exist..."
+kubectl create namespace nephoran-system --dry-run=client -o yaml | kubectl apply -f -
+
+# Deploy the controller
+echo ""
+echo "2. Deploying network-intent-controller..."
+kubectl apply -k .
+
+# Wait for deployment to be ready
+echo ""
+echo "3. Waiting for deployment to be ready..."
+kubectl -n nephoran-system wait --for=condition=available --timeout=120s deployment/network-intent-controller
+
+# Check the status
+echo ""
+echo "4. Deployment Status:"
+kubectl -n nephoran-system get deployment network-intent-controller
+
+echo ""
+echo "5. Pods Status:"
+kubectl -n nephoran-system get pods -l app=network-intent-controller
+
+echo ""
+echo "========================================"
+echo "Deployment Complete!"
+echo "========================================"
+echo ""
+echo "To view logs:"
+echo "  kubectl -n nephoran-system logs -l app=network-intent-controller"
+echo ""
+echo "To view metrics:"
+echo "  kubectl -n nephoran-system port-forward svc/network-intent-controller-metrics 8080:8080"
+echo "  Then visit: http://localhost:8080/metrics"
+echo ""

deployments/kustomize/base/network-intent-controller/deploy.sh

@@ -0,0 +1,182 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: network-intent-controller
+  labels:
+    app: network-intent-controller
+    component: controller
+    version: v2.0.0
+    app.kubernetes.io/name: network-intent-controller
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/part-of: nephoran-intent-operator
+    app.kubernetes.io/version: v2.0.0
+  annotations:
+    deployment.kubernetes.io/revision: "1"
+    nephoran.com/component: "network-intent-controller"
+    nephoran.com/enhanced: "true"
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: network-intent-controller
+  template:
+    metadata:
+      labels:
+        app: network-intent-controller
+        component: controller
+        version: v2.0.0
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8080"
+        prometheus.io/path: "/metrics"
+        # ServiceMonitor compatible - metrics endpoint available for Prometheus operator
+    spec:
+      serviceAccountName: network-intent-controller
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+        runAsGroup: 65532
+        fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: controller
+        image: ghcr.io/thc1006/nephoran-intent-operator/network-intent-controller:v2.0.0
+        imagePullPolicy: Always
+        command: ["/network-intent-controller"]
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=:8080"
+        - "--leader-elect"
+        - "--zap-log-level=info"
+        ports:
+        - name: http
+          containerPort: 8080
+          protocol: TCP
+        - name: webhook
+          containerPort: 9443
+          protocol: TCP
+        - name: health
+          containerPort: 8081
+          protocol: TCP
+        env:
+        # Controller Configuration
+        - name: ENABLE_NETWORK_INTENT
+          value: "true"
+        - name: ENABLE_LLM_INTENT
+          value: "false"
+        - name: LOG_LEVEL
+          value: "info"
+        - name: SERVICE_VERSION
+          value: "v2.0.0"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        
+        # Metrics and Monitoring
+        - name: METRICS_ENABLED
+          value: "true"
+        - name: TRACING_ENABLED
+          value: "true"
+        - name: JAEGER_ENDPOINT
+          value: "http://jaeger-collector.monitoring.svc.cluster.local:14268/api/traces"
+        
+        # Git Information (injected at build time)
+        - name: GIT_COMMIT
+          value: "$(GIT_COMMIT)"
+        - name: GIT_BRANCH
+          value: "$(GIT_BRANCH)"
+        
+        # Health Checks
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: health
+            scheme: HTTP
+          initialDelaySeconds: 15
+          periodSeconds: 20
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: health
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 3
+          failureThreshold: 3
+          successThreshold: 1
+        
+        # Startup Probe for slow-starting containers
+        startupProbe:
+          httpGet:
+            path: /healthz
+            port: health
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          timeoutSeconds: 3
+          failureThreshold: 30
+          successThreshold: 1
+        
+        # Resource Requirements
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+            ephemeral-storage: 512Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+            ephemeral-storage: 1Gi
+        
+        # Security Context
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 65532
+          runAsGroup: 65532
+        
+        # Volume Mounts
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+          readOnly: false
+        - name: webhook-certs
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
+      
+      # Pod-level configurations
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 10
+      
+      # Volumes
+      volumes:
+      - name: tmp
+        emptyDir:
+          sizeLimit: 100Mi
+      - name: webhook-certs
+        secret:
+          secretName: network-intent-controller-webhook-certs
+          optional: true

deployments/kustomize/base/network-intent-controller/deployment.yaml

@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+  name: network-intent-controller
+  labels:
+    app.kubernetes.io/name: network-intent-controller
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/part-of: nephoran-intent-operator
+
+namespace: nephoran-system
+
+resources:
+- deployment.yaml
+- rbac.yaml
+- service.yaml
+
+labels:
+- pairs:
+    app: network-intent-controller
+    component: controller
+
+images:
+- name: ghcr.io/thc1006/nephoran-intent-operator/network-intent-controller
+  newTag: v2.0.0
+
+# Configuration options
+configurations: []
+
+# Patches for environment-specific customizations
+patches: []
+
+# Generate ConfigMap or Secret from files
+configMapGenerator: []
+secretGenerator: []

deployments/kustomize/base/network-intent-controller/kustomization.yaml

@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: network-intent-controller
+  labels:
+    app: network-intent-controller
+    component: controller
+    app.kubernetes.io/name: network-intent-controller
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/part-of: nephoran-intent-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: network-intent-controller-role
+  labels:
+    app: network-intent-controller
+    component: controller
+    app.kubernetes.io/name: network-intent-controller
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/part-of: nephoran-intent-operator
+rules:
+# NetworkIntent CRD permissions
+- apiGroups: ["nephoran.com"]
+  resources: ["networkintents"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["nephoran.com"]
+  resources: ["networkintents/status"]
+  verbs: ["get", "update", "patch"]
+- apiGroups: ["nephoran.com"]
+  resources: ["networkintents/finalizers"]
+  verbs: ["update"]
+
+# Event permissions for status updates
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+
+# ConfigMap permissions for leader election
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+# Pod permissions for controller runtime
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch"]
+
+# Secret permissions if needed for authentication
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch"]
+
+# Webhook permissions
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingadmissionwebhooks", "mutatingadmissionwebhooks"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: network-intent-controller-binding
+  labels:
+    app: network-intent-controller
+    component: controller
+    app.kubernetes.io/name: network-intent-controller
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/part-of: nephoran-intent-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: network-intent-controller-role
+subjects:
+- kind: ServiceAccount
+  name: network-intent-controller
+  namespace: nephoran-system