konduktor-nightly 0.1.0.dev20251128104812__py3-none-any.whl

konduktor/manifests/apoxy-setup.yaml

@@ -0,0 +1,184 @@
+# Apoxy Setup (Part 1/3) - Core Infrastructure
+#
+# This file sets up the core Apoxy infrastructure for external access to deployments:
+# 1. Apoxy system namespace and RBAC
+# 2. Kubeconfig secret for cluster access (populated by CI)
+# 3. Apoxy tunnel controller and proxy services
+# 4. Network policies for cross-namespace access
+#
+# Split into 2 files because:
+# - apoxy-setup.yaml: Core infrastructure (1 per cluster) (needs to be applied first)
+# - apoxy-setup2.yaml: All routing rules for both deployment types
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: apoxy-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: trainy-kubeconfig
+  namespace: apoxy-system
+type: Opaque
+data:
+  # this gets replaced by buildkite CI secret APOXY_AUTH
+  kubeconfig.yaml: |
+    APOXY_AUTH
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-controller
+  namespace: apoxy-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-controller-role
+rules:
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-controller-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-controller-role
+subjects:
+- kind: ServiceAccount
+  name: kube-controller
+  namespace: apoxy-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-controller
+  namespace: apoxy-system
+  labels:
+    app: kube-controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kube-controller
+  template:
+    metadata:
+      labels:
+        app: kube-controller
+    spec:
+      containers:
+      - name: kube-controller
+        image: apoxy/kube-controller:v0.11.6
+        args:
+        - --dev
+        - --project_id=7ce458d7-e20c-443c-aeeb-dbc5663c1240
+        - --kubeconfig_path=/data/kubeconfig.yaml
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        volumeMounts:
+        - name: kubeconfig-volume
+          mountPath: /data
+          readOnly: true
+      volumes:
+      - name: kubeconfig-volume
+        secret:
+          secretName: trainy-kubeconfig
+          items:
+          - key: kubeconfig.yaml
+            path: kubeconfig.yaml
+            mode: 0600
+      serviceAccountName: kube-controller
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-controller
+  namespace: apoxy-system
+  labels:
+    app: kube-controller
+spec:
+  selector:
+    app: kube-controller
+  ports:
+  - name: http
+    protocol: TCP
+    port: 8443
+    targetPort: 8443
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apoxy-config
+  namespace: apoxy-system
+data:
+  config.yaml: |
+    apiVersion: config.apoxy.dev/v1alpha1
+    kind: Config
+    currentProject: 7ce458d7-e20c-443c-aeeb-dbc5663c1240
+    projects:
+    - id: 7ce458d7-e20c-443c-aeeb-dbc5663c1240
+      kubernetesConfig:
+        kubeconfigPath: /root/kubeconfig.yaml
+    tunnel:
+      mode: userspace
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: apoxy
+  namespace: apoxy-system
+  labels:
+    app: apoxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: apoxy
+  template:
+    metadata:
+      labels:
+        app: apoxy
+    spec:
+      containers:
+      - name: apoxy
+        image: apoxy/apoxy:v0.11.18
+        command: ["apoxy", "tunnel", "run", "UNIQUE-TEMPNAME", "--insecure-skip-verify"]
+        volumeMounts:
+        - name: kubeconfig-volume
+          mountPath: /root/kubeconfig.yaml
+          subPath: kubeconfig.yaml
+        - name: apoxy-config-volume
+          mountPath: /root/.apoxy/config.yaml
+          subPath: config.yaml
+      volumes:
+      - name: kubeconfig-volume
+        secret:
+          secretName: trainy-kubeconfig
+      - name: apoxy-config-volume
+        configMap:
+          name: apoxy-config
+---
+# NetworkPolicy to allow Apoxy to reach services in other namespaces
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: apoxy-cross-namespace-access
+  namespace: apoxy-system
+spec:
+  podSelector:
+    matchLabels:
+      app: apoxy
+  policyTypes:
+  - Egress
+  egress:
+  # Allow all egress traffic
+  - {}

konduktor/manifests/apoxy-setup2.yaml

@@ -0,0 +1,98 @@
+# Apoxy Setup (Part 2/2) - Deployment Routing
+#
+# This file sets up Apoxy routing for both vLLM and general deployments:
+# 1. TunnelNode for secure tunnel connection
+# 2. Backend for vLLM pointing to Envoy Gateway
+# 3. HTTPRoute for company.trainy.us -> vLLM deployments
+# 4. Backend for general deployments pointing to nginx ingress
+# 5. HTTPRoute for company2.trainy.us -> general deployments
+# 6. KEDA proxy service for HTTP autoscaling
+# 7. 60s timeout for all requests
+#
+# Split into 2 files because:
+# - apoxy-setup.yaml: Core infrastructure (1 per cluster) (needs to be applied first)
+# - apoxy-setup2.yaml: All routing rules for both deployment types
+
+# NOTE: TunnelNode should technically be in the first apoxy-setup.yaml but it
+# needs to be created after the core infrastructure is created, so we put it here.
+apiVersion: core.apoxy.dev/v1alpha
+kind: TunnelNode
+metadata:
+  name: UNIQUE-TEMPNAME
+spec:
+  egressGateway:
+    enabled: true
+---
+# Backend for vLLM deployments
+apiVersion: core.apoxy.dev/v1alpha
+kind: Backend
+metadata:
+  name: UNIQUE-TEMPNAME-backend
+spec:
+  endpoints:
+    - fqdn: envoy-aibrix-system-aibrix-eg-903790dc.envoy-gateway-system.UNIQUE-TEMPNAME.tun.apoxy.net
+---
+# HTTPRoute for vLLM deployments
+apiVersion: gateway.apoxy.dev/v1
+kind: HTTPRoute
+metadata:
+  name: UNIQUE-TEMPNAME-route
+spec:
+  parentRefs:
+    - name: default 
+      kind: Gateway
+      port: 443
+  hostnames:
+    - 'TEMPNAME.trainy.us'
+  rules:
+    - backendRefs:
+      - kind: Backend
+        name: UNIQUE-TEMPNAME-backend
+        port: 80
+      timeouts:
+        request: "60s"
+---
+# Backend for general deployments
+apiVersion: core.apoxy.dev/v1alpha
+kind: Backend
+metadata:
+  name: UNIQUE-TEMPNAME-backend2
+spec:
+  endpoints:
+    - fqdn: keda-ingress-nginx-controller.keda.UNIQUE-TEMPNAME.tun.apoxy.net
+---
+# HTTPRoute for general deployments
+apiVersion: gateway.apoxy.dev/v1
+kind: HTTPRoute
+metadata:
+  name: UNIQUE-TEMPNAME-route2
+spec:
+  parentRefs:
+    - name: default 
+      kind: Gateway
+      port: 443
+  hostnames:
+    - 'TEMPNAME2.trainy.us'
+  rules:
+    - backendRefs:
+      - kind: Backend
+        name: UNIQUE-TEMPNAME-backend2
+        port: 80
+      timeouts:
+        request: "60s"
+
+# KEDA proxy service (1 per cluster) (For general deployments)
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keda-proxy
+  namespace: default
+spec:
+  type: ExternalName
+  externalName: keda-add-ons-http-interceptor-proxy.keda
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: 8080

konduktor/manifests/controller_deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: konduktor
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: konduktor-controller-sa
+  namespace: konduktor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: konduktor
+  name: konduktor-controller-role
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  namespace: konduktor
+  name: konduktor-controller-rolebinding
+subjects:
+- kind: ServiceAccount
+  name: konduktor-controller-sa
+  namespace: konduktor
+roleRef:
+  kind: ClusterRole
+  name: konduktor-controller-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: konduktor-controller-deployment
+  namespace: konduktor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: konduktor-controller
+  template:
+    metadata:
+      labels:
+        app: konduktor-controller
+    spec:
+      serviceAccountName: konduktor-controller-sa
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: nvidia.com/gpu
+                operator: DoesNotExist
+      containers:
+      - name: python
+        image: python:3.10
+        command: ["/bin/sh"]
+        args: ["-c", "pip install konduktor-nightly && python -m konduktor.controller.launch"]
+        ## define what namespaces to watch for errors, comma separated.
+        # env:
+        #   - name: WATCHED_NAMESPACES
+        #     value: "default,othernamespace"
+        #   - name: LOG_ENDPOINT
+        #     value: "http://loki.loki.svc.cluster.local:3100"

konduktor/manifests/dashboard_deployment.yaml

@@ -0,0 +1,131 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: konduktor-dashboard
+---
+# ServiceAccount
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: konduktor-service-account
+  namespace: konduktor-dashboard
+
+---
+# ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-access-role
+rules:
+- apiGroups: [""]
+  resources: ["services", "pods", "nodes", "pods/portforward", "namespaces"]
+  verbs: ["get", "list", "patch", "watch", "create"]
+
+# Add permissions to delete Kubernetes jobs
+- apiGroups: ["batch"]  # For Kubernetes native Jobs
+  resources: ["jobs"]
+  verbs: ["get", "list", "delete", "patch"]
+
+# Add permissions to delete Kueue workloads
+- apiGroups: ["kueue.x-k8s.io"]  # For Kueue workloads
+  resources: ["workloads"]
+  verbs: ["get", "list", "delete", "patch"]
+
+---
+# ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-access-binding
+subjects:
+- kind: ServiceAccount
+  name: konduktor-service-account  # Must match the name of the service account
+  namespace: konduktor-dashboard
+roleRef:
+  kind: ClusterRole
+  name: node-access-role  # Must match the ClusterRole name
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# Backend Deployment + Service
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace: konduktor-dashboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      labels:
+        app: backend
+    spec:
+      serviceAccountName: konduktor-service-account
+      containers:
+      - name: backend
+        image: ryanattrainy/konduktor-dashboard:backend1.16
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 5001
+        command: ["/app/startup.sh"]
+        env:
+        - name: KONDUKTOR_DEBUG
+          value: "0"  # Set debug mode: 1 (DEBUG) or 0 
+        - name: LOGS_URL # Set loki logs URL 
+          value: "http://loki.loki.svc.cluster.local:3100/loki/api/v1/query_range"
+        
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+  namespace: konduktor-dashboard
+spec:
+  ports:
+  - name: backend-port
+    port: 5001
+    targetPort: 5001
+  selector:
+    app: backend
+
+---
+# Frontend Deployment + Service
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: konduktor-dashboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      containers:
+      - name: frontend
+        image: ryanattrainy/konduktor-dashboard:frontend1.16
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 5173
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  namespace: konduktor-dashboard
+spec:
+  ports:
+  - name: frontend-port
+    port: 5173
+    targetPort: 5173
+  selector:
+    app: frontend
+

konduktor/manifests/dmesg_daemonset.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dmesg-logging
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: dmesg
+  namespace: dmesg-logging
+  labels:
+    k8s-app: dmesg-logging
+spec:
+  selector:
+    matchLabels:
+      name: dmesg
+  template:
+    metadata:
+      labels:
+        name: dmesg
+    spec:
+      tolerations:
+      # these tolerations are to have the daemonset runnable on control plane nodes
+      # remove them if your control plane nodes should not run pods
+      - key: "nvidia.com/gpu"
+        operator: "Equal"
+        value: "present"
+        effect: "NoSchedule"
+      - key: "trainy.konduktor.ai/faulty"
+        operator: "Equal"
+        value: "true"
+        effect: "NoSchedule"
+      - key: "cloud.google.com/gke-queued"
+        operator: "Equal"
+        value: "true"
+        effect: "NoSchedule"
+      containers:
+      - name: dmesg
+        image: ubuntu:22.04
+        # required for running `dmesg`
+        securityContext:
+          privileged: true
+        command:
+        - sh
+        - -c
+        - >
+          dmesg -w
+        resources:
+          limits:
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 200Mi
+      # it may be desirable to set a high priority class to ensure that a DaemonSet Pod
+      # preempts running Pods
+      # priorityClassName: important
+      terminationGracePeriodSeconds: 30

konduktor/manifests/pod_cleanup_controller.yaml

@@ -0,0 +1,129 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-cleanup-controller
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-cleanup-controller
+  namespace: default
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/status", "events"]
+  verbs: ["get", "list", "watch", "delete", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-cleanup-controller
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: pod-cleanup-controller
+  namespace: default
+roleRef:
+  kind: Role
+  name: pod-cleanup-controller
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pod-cleanup-controller
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pod-cleanup-controller
+  template:
+    metadata:
+      labels:
+        app: pod-cleanup-controller
+    spec:
+      serviceAccountName: pod-cleanup-controller
+      containers:
+      - name: controller
+        image: python:3.10
+        command: ["/bin/sh", "-c"]
+        args: ["pip install kubernetes && echo 'starting controller' && python /app/controller.py"]
+        env:
+          - name: PYTHONUNBUFFERED
+            value: "0"
+        volumeMounts:
+        - name: controller-code
+          mountPath: /app
+      volumes:
+      - name: controller-code
+        configMap:
+          name: pod-cleanup-controller-code
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pod-cleanup-controller-code
+  namespace: default
+data:
+  controller.py: |
+    from kubernetes import client, config, watch
+    from collections import defaultdict
+    from datetime import datetime
+    import time
+
+    FAILURE_MODES = ['ErrImagePull', 'InvalidImageName']
+
+    def check_failure_mode(message):
+        for mode in FAILURE_MODES:
+            if mode in message:
+                return mode
+        return ''
+
+    def main():
+        # Load kube config
+        try:
+            config.load_incluster_config()
+        except:
+            config.load_kube_config()
+
+        v1 = client.CoreV1Api()
+        error_counts = defaultdict(int)
+
+        w = watch.Watch()
+        while True:
+          for event in w.stream(v1.list_namespaced_event, namespace="default"):
+              if event['object'].type == 'Warning' and event['object'].reason == 'Failed' and  check_failure_mode(event['object'].message):
+                  pod_name = event['object'].involved_object.name
+                  pod_namespace = event['object'].involved_object.namespace
+                  print(f"Pod {pod_namespace}/{pod_name} has failed with ErrImagePull. Patching and deleting...")
+                  try:
+                      # Get current time in UTC
+                      current_time = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
+                      
+                      # Create the status patch
+                      body = {
+                          "status": {
+                              "conditions": [
+                                  {
+                                      "type": "ConfigIssue",
+                                      "status": "True",
+                                      "reason": "ErrImagePull",
+                                      "lastTransitionTime": current_time
+                                  }
+                              ]
+                          }
+                      }
+                      
+                      # Patch pod status
+                      v1.patch_namespaced_pod_status(pod_name, pod_namespace, body)
+                      
+                      # Delete the pod
+                      v1.delete_namespaced_pod(pod_name, pod_namespace)
+                  except Exception as e:
+                      print(f"Error handling pod: {e}")
+          print("Finished event stream... waiting for another stream...")
+          time.sleep(5)
+
+    if __name__ == '__main__':
+        main()