feat: K8s allow proxying through Gateway

[NicholasBlaskey]

Ticket

https://hpe-aiatscale.atlassian.net/browse/RM-137

Description

Add support for reaching K8s tasks in additional k8s clusters.

Test Plan

Checklist

• Changes have been manually QA'd
• User-facing API changes need the "User-facing API Change" label.
• Release notes should be added as a separate file under docs/release-notes/.
  See Release Note for details.
• Licenses should be included for new code which was copied and/or modified from any external code.

[netlify]

✅ Deploy Preview for determined-ui canceled.

Name	Link
🔨 Latest commit	3a99b0c
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/6671b8c0bd17b90007caf3d9

[codecov]

Codecov Report

Attention: Patch coverage is 54.62795% with 250 lines in your changes missing coverage. Please review.

Project coverage is 49.33%. Comparing base (fec31a1) to head (131d0a6).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #9469      +/-   ##
==========================================
+ Coverage   49.31%   49.33%   +0.01%     
==========================================
  Files        1241     1243       +2     
  Lines      161338   161827     +489     
  Branches     2868     2868              
==========================================
+ Hits        79566    79831     +265     
- Misses      81600    81824     +224     
  Partials      172      172              

Flag	Coverage Δ
backend	44.02% <54.82%> (+0.10%)	⬆️
harness	63.80% <0.00%> (-0.02%)	⬇️
web	44.91% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
master/internal/rm/kubernetesrm/gateway_spec.go	100.00% <100.00%> (ø)
master/internal/task/allocation.go	76.42% <100.00%> (ø)
master/pkg/check/check_numbers.go	28.00% <100.00%> (+11.56%)	⬆️
master/pkg/check/check_string.go	78.94% <100.00%> (+78.94%)	⬆️
...nal/rm/kubernetesrm/kubernetes_resource_manager.go	30.81% <0.00%> (-0.11%)	⬇️
harness/determined/exec/prep_container.py	17.30% <0.00%> (-0.17%)	⬇️
master/internal/rm/kubernetesrm/spec.go	82.02% <97.18%> (+2.72%)	⬆️
master/internal/config/resource_manager_config.go	68.42% <84.21%> (+3.15%)	⬆️
master/internal/rm/kubernetesrm/request_queue.go	82.40% <50.00%> (-7.50%)	⬇️
master/internal/rm/kubernetesrm/gateway_service.go	66.66% <66.66%> (ø)
... and 3 more

... and 4 files with indirect coverage changes

[NicholasBlaskey]

I think it might make sense to list out the steps for deploying the gateway and explaining each step so customers will have an easier time understanding.

[hamidzr]

specifically about this script or in general for deploying a gateway?
There are some shared steps but the rest are controller dependent. We don't add a lot of custom steps on top, do we?
https://projectcontour.io/getting-started/ gives a good description for Contour would we do something differently

[hamidzr]

reasonable?

[hamidzr]

not sure what'd be a reasonable way to de-indent this but it's going too far right makes it hard to read on gh

[carolinaecalderon]

LGTM -- a few clarifying comments, but code looks good!

[carolinaecalderon]

nit: can we add a case with special characters like "#$%"?

[carolinaecalderon]

is there a minimum version we recommend?

[hamidzr]

for k8s? or this particula gateway implementaiton?
for k8s we do mention 1.27 in the other page.

[carolinaecalderon]

should we add a TODO for this? in the rm backlog

[NicholasBlaskey]

I removed this comment since it is less relevant that we switched the design to use the gateway to decide which ports are free

[tara-det-ai]

:orphan:

New Features

• Kubernetes: The Internal Task Gateway feature enables Determined tasks running on remote Kubernetes clusters to be exposed to the Determined master and proxies. This feature facilitates multi-resource manager setups by configuring a Gateway controller in the external Kubernetes cluster.

[tara-det-ai]

.. important::

  Enabling this feature exposes Determined tasks to the outside world. It is crucial to implement appropriate security measures to restrict access to exposed tasks and secure communication between the external cluster and the main cluster. Recommended measures include:

• Setting up a firewall
• Using a VPN
• Implementing IP whitelisting
• Configuring Kubernetes Network Policies
• Employing other security measures as needed

[tara-det-ai]

for a similar restructured text format, visit this release note: https://docs.determined.ai/latest/release-notes.html#version-0-30-0

[tara-det-ai]

For any https:// URL, use this format

Link text <https://url>_

e.g.,

Cilium Gateway API Support <https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/gateway-api/#gs-gateway-api>_

[tara-det-ai]

.. note::

To enable north-south access to Determined proxied tasks in external-to-master
clusters, set up a gateway as described in the docs :doc:Internal Task Gateway <internal-task-gateway>

[tara-det-ai]

Enabling this feature exposes Determined tasks to the outside world. It is crucial to implement appropriate security measures to restrict access to exposed tasks and secure communication between the external cluster and the main cluster. Recommended measures include:

• Setting up a firewall
• Using a VPN
• Implementing IP whitelisting
• Configuring Kubernetes Network Policies
• Employing other security measures as needed

Some tasks including JupyterLab notebooks and shells already have secure transport built-in.
Since TensorBoards do not use TLS, you should consider a tunneling solution.

[molinamelendezj]

Any chance we can stamp this version at the top of file in case we need test other version later?

[hamidzr]

I pushed it up to the job level. I'm thinking we can push it higher up if/when we use it elsewhere?
Also I wasn't sure how those top-level parameters exactly work

[molinamelendezj]

Same here so it's easy to update in one place