Skip to content

design-proposal(compute-plane): deliver as kind: Kubernetes presets, not a new kind (per #26 / #17 review)#27

Open
Andrei Kvapil (kvaps) wants to merge 1 commit into
mainfrom
design/compute-plane-presets
Open

design-proposal(compute-plane): deliver as kind: Kubernetes presets, not a new kind (per #26 / #17 review)#27
Andrei Kvapil (kvaps) wants to merge 1 commit into
mainfrom
design/compute-plane-presets

Conversation

@kvaps

@kvaps Andrei Kvapil (kvaps) commented Jun 30, 2026

Copy link
Copy Markdown
Member

Revises the merged ComputePlane design (design-proposals/compute-plane) to adopt the surface proposed in #26 (myasnikovdaniil) and the #17 review (Timofei Larkin), which converge.

  • Not a new kind. ComputePlane becomes a configuration of the existing kind: Kubernetes — two orthogonal presets: isolationProfile (standard | sandbox | cluster-meshed) × componentProfile (minimal | standard-addons | gpu | bundles). A "ComputePlane" is just kind: Kubernetes + isolationProfile: sandbox. Avoids a parallel CRD / reconcile / RBAC surface and the combinatorial explosion of kinds.
  • placement → named cluster. ApplicationDefinition.placement = ManagementPlane | <cluster name>, routing a catalog app onto any of the tenant's named clusters (the generic target the design-proposal: compute plane for untrusted-code workloads #17 review asked for) — not hard-coded to "ComputePlane". Allows N sandbox clusters per tenant (drops the single-string module's cap).
  • sandbox = managedDataplane (withheld kubeconfig) + hardening + scoped per-service egress; cluster-meshed = the PR design-proposal: cross-cluster mesh for tenant access to host services #7 mesh for trusted clusters. Encodes the broad-mesh-for-trusted vs narrow-egress-for-untrusted distinction as named presets.
  • New: tenant-side visibility/mutation control in cozystack-api — the enforcement substrate for sandbox (hide the cluster/app from a tenant's regular users; withhold admin), and a standalone intra-tenant privilege-separation feature. v1 is per-kind (plain RBAC); per-instance/label filtering is deferred.

The mechanism settled in the merged first revision (remote Flux apply via kubeConfig.secretRef, per-VM kernel boundary, single-tenant, connectivity §6) is unchanged — this is a surface revision. The distinct-kind framing and the single-string computePlane: module are moved to Alternatives (rejected).

Closes #26. Refs #17.

Summary by CodeRabbit

  • Documentation
    • Updated the platform design to use configurable cluster presets instead of a separate compute-plane type.
    • Clarified placement settings, tenant isolation, and admin-access controls for stronger sandbox-style environments.
    • Refined rollout guidance, security expectations, and connectivity details for managed Kubernetes and VM workloads.

…not a new kind

Adopt the surface proposed in #26 and the #17 review (converge): ComputePlane
becomes a configuration of kind: Kubernetes via two orthogonal presets
(isolationProfile x componentProfile), placement generalized to a named cluster,
plus a cozystack-api visibility/mutation control as the sandbox enforcement
substrate. Mechanism (remote Flux apply, per-VM boundary, single-tenant) unchanged.

Refs #26, #17.

Signed-off-by: Andrei Kvapil <andrei.kvapil@aenix.io>
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The design-proposals/compute-plane/README.md document is revised to replace the earlier kind: ComputePlane approach with ComputePlane delivered as two preset axes (isolationProfile, componentProfile) on the existing kind: Kubernetes. Placement now targets a named cluster, and cozystack-api enforces tenant visibility/mutation control as the substrate for the sandbox isolation profile.

ComputePlane Design Revision

Layer / File(s) Summary
Overview, scope, goals, and non-goals
design-proposals/compute-plane/README.md
PR metadata updated; overview reframed around two preset axes and generalized placement; scope/goals/non-goals remove the dedicated kind/module and introduce cozystack-api enforcement as the sandbox substrate.
Core design: preset axes, placement, remote Flux apply
design-proposals/compute-plane/README.md
Design section rewritten: isolationProfile and componentProfile on kind: Kubernetes replace a new kind; placement targets a named cluster; remote Flux apply derives spec.kubeConfig.secretRef from the placement cluster name.
Connectivity, access control, and tenant semantics
design-proposals/compute-plane/README.md
sandbox connectivity defined as scoped per-service Cilium policy; tenant-side visibility/mutation control enforced at cozystack-api (not UI-only); N-clusters-per-tenant semantics added; user-facing changes and security model updated; no new CRD introduced.
Failure cases, testing, rollout phases, alternatives
design-proposals/compute-plane/README.md
Failure/edge cases and testing aligned to named-cluster placement and cozystack-api enforcement; rollout phases updated to new primitives; alternatives considered rewritten to reject the distinct kind and single-string module in favor of the two-axis preset model.

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly Related PRs

  • cozystack/community#17: The original ComputePlane design PR that introduced the remote Flux apply mechanism, placement, and kubeconfig secret wiring that this PR revises and reframes.

🐇 A new kind? No, no, that's too much fuss,
Two preset axes — let simplicity discuss!
isolationProfile: sandbox keeps secrets tight,
componentProfile: gpu brings GPU delight.
One kind: Kubernetes to rule them all,
Composable presets answer every call! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: replacing a new kind with presets on kind: Kubernetes.
Linked Issues check ✅ Passed The revised design covers the requested isolation/component axes, named-cluster placement, tenant-side access control, and preserves the existing mechanism.
Out of Scope Changes check ✅ Passed The changes stay focused on the ComputePlane surface-model revision and do not introduce unrelated scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch design/compute-plane-presets

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the ComputePlane design proposal, shifting the implementation from a new top-level CRD to composable presets (isolationProfile and componentProfile) on the existing kind: Kubernetes. It also generalizes application placement to target named clusters and introduces tenant-side visibility and mutation controls in cozystack-api. Feedback on the proposal points out a minor grammatical error in the rollout phase description where 'placement' is incorrectly used as a verb.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

2. **Phase 2 — first consumer (`cozyllm`).** Set `placement: ComputePlane` on the code-executing apps (JupyterHub, n8n, ComfyUI, Langflow, code-exec features of Open WebUI); keep vLLM/LiteLLM at the default `placement: ManagementPlane` (inference-only, no code execution). See the cozyllm-specific technical design.
3. **Phase 3 — extensions (deferred).** Tenant-facing scoped read/observability view of the ComputePlane; additional consumers (WordPress / application-platform); billing/metering hooks; secret delivery of managed-service connection strings into ComputePlane workloads.
1. **Phase 1 — core primitive.** `placement` (named cluster) + `isolationProfile`/`componentProfile` presets on `kind: Kubernetes` (`sandbox` posture: managedDataplane + hardening + scoped per-service egress) + the per-kind visibility/mutation control.
2. **Phase 2 — first consumer (`cozyllm`).** `placement` the code-executing apps (JupyterHub, n8n, ComfyUI, Langflow, code-exec Open WebUI) onto a `sandbox` cluster; keep vLLM/LiteLLM on `ManagementPlane`.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In the Phase 2 rollout description, the word placement is used as a verb in an ungrammatical way: "placement the code-executing apps...". It should be changed to "Place the code-executing apps" or "Route the code-executing apps" to maintain grammatical correctness and professional style.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
design-proposals/compute-plane/README.md (1)

216-222: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Clarify finalizer ownership for cluster deletion ordering.

Line 222 states "a finalizer on the cluster blocks teardown until they're cleaned up" but doesn't specify which controller sets this finalizer. Consider clarifying whether the kubernetes app controller, the cluster lifecycle controller, or Flux itself enforces this ordering, as this affects operational runbooks.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@design-proposals/compute-plane/README.md` around lines 216 - 222, Clarify who
owns the cluster-deletion finalizer in the failure-and-edge-cases section so the
teardown ordering is unambiguous. Update the wording around the Tenant deletion
bullet to explicitly name the controller responsible for adding and removing the
finalizer (for example, the cluster lifecycle controller or the kubernetes app
controller) and how it blocks deprovisioning until remote HelmRelease cleanup
completes. Keep the reference aligned with the existing Tenant deletion /
HelmRelease deletion flow described in this section.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@design-proposals/compute-plane/README.md`:
- Around line 216-222: Clarify who owns the cluster-deletion finalizer in the
failure-and-edge-cases section so the teardown ordering is unambiguous. Update
the wording around the Tenant deletion bullet to explicitly name the controller
responsible for adding and removing the finalizer (for example, the cluster
lifecycle controller or the kubernetes app controller) and how it blocks
deprovisioning until remote HelmRelease cleanup completes. Keep the reference
aligned with the existing Tenant deletion / HelmRelease deletion flow described
in this section.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5aab362a-9428-4f00-8ae6-4bf1894fc369

📥 Commits

Reviewing files that changed from the base of the PR and between 62ecd0b and 033277c.

📒 Files selected for processing (1)
  • design-proposals/compute-plane/README.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Follow-up to #17 (ComputePlane): deliver it as composable presets on kind: Kubernetes, not a new kind

1 participant