forge-orchestration 0.5.0

Rust-native orchestration platform for distributed workloads with MoE routing, autoscaling, and Nomad integration
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
//! Admission controllers for validating and mutating resources
//!
//! Implements Kubernetes-style admission control with:
//! - Validating webhooks
//! - Mutating webhooks
//! - Built-in admission controllers

use serde::{Deserialize, Serialize};
use std::sync::Arc;

/// Admission result
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AdmissionResult {
    /// Whether the request is allowed
    pub allowed: bool,
    /// Reason for denial (if not allowed)
    pub reason: Option<String>,
    /// Warnings to return to the user
    pub warnings: Vec<String>,
    /// Patch to apply (for mutating admission)
    pub patch: Option<serde_json::Value>,
    /// Patch type (e.g., "JSONPatch")
    pub patch_type: Option<String>,
}

impl AdmissionResult {
    /// Create an allowed result
    pub fn allowed() -> Self {
        Self {
            allowed: true,
            reason: None,
            warnings: Vec::new(),
            patch: None,
            patch_type: None,
        }
    }

    /// Create a denied result
    pub fn denied(reason: impl Into<String>) -> Self {
        Self {
            allowed: false,
            reason: Some(reason.into()),
            warnings: Vec::new(),
            patch: None,
            patch_type: None,
        }
    }

    /// Add a warning
    pub fn with_warning(mut self, warning: impl Into<String>) -> Self {
        self.warnings.push(warning.into());
        self
    }

    /// Add a JSON patch
    pub fn with_patch(mut self, patch: serde_json::Value) -> Self {
        self.patch = Some(patch);
        self.patch_type = Some("JSONPatch".to_string());
        self
    }
}

/// Admission request
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AdmissionRequest {
    /// Unique request ID
    pub uid: String,
    /// Operation type
    pub operation: Operation,
    /// Resource kind
    pub kind: String,
    /// Resource namespace
    pub namespace: Option<String>,
    /// Resource name
    pub name: Option<String>,
    /// The object being admitted
    pub object: Option<serde_json::Value>,
    /// The old object (for UPDATE/DELETE)
    pub old_object: Option<serde_json::Value>,
    /// User info
    pub user_info: UserInfo,
}

/// Operation type
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum Operation {
    /// Create operation
    Create,
    /// Update operation
    Update,
    /// Delete operation
    Delete,
    /// Connect operation
    Connect,
}

/// User information
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct UserInfo {
    /// Username
    pub username: String,
    /// User UID
    pub uid: Option<String>,
    /// Groups
    pub groups: Vec<String>,
}

impl Default for UserInfo {
    fn default() -> Self {
        Self {
            username: "system:anonymous".to_string(),
            uid: None,
            groups: vec!["system:unauthenticated".to_string()],
        }
    }
}

/// Admission controller trait
pub trait AdmissionController: Send + Sync {
    /// Controller name
    fn name(&self) -> &str;

    /// Whether this controller handles the given resource
    fn handles(&self, kind: &str, operation: Operation) -> bool;

    /// Validate the request
    fn validate(&self, request: &AdmissionRequest) -> AdmissionResult;

    /// Mutate the request (optional)
    fn mutate(&self, _request: &AdmissionRequest) -> Option<serde_json::Value> {
        None
    }
}

/// Validation webhook configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ValidationWebhook {
    /// Webhook name
    pub name: String,
    /// Webhook URL
    pub url: String,
    /// Failure policy
    pub failure_policy: FailurePolicy,
    /// Resources to match
    pub rules: Vec<WebhookRule>,
    /// Timeout in seconds
    pub timeout_seconds: u32,
}

/// Mutating webhook configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct MutatingWebhook {
    /// Webhook name
    pub name: String,
    /// Webhook URL
    pub url: String,
    /// Failure policy
    pub failure_policy: FailurePolicy,
    /// Resources to match
    pub rules: Vec<WebhookRule>,
    /// Timeout in seconds
    pub timeout_seconds: u32,
    /// Reinvocation policy
    pub reinvocation_policy: ReinvocationPolicy,
}

/// Failure policy for webhooks
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum FailurePolicy {
    /// Fail the request if webhook fails
    Fail,
    /// Ignore webhook failures
    Ignore,
}

/// Reinvocation policy for mutating webhooks
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum ReinvocationPolicy {
    /// Never reinvoke
    Never,
    /// Reinvoke if object was modified
    IfNeeded,
}

/// Webhook rule
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct WebhookRule {
    /// API groups to match
    pub api_groups: Vec<String>,
    /// API versions to match
    pub api_versions: Vec<String>,
    /// Resources to match
    pub resources: Vec<String>,
    /// Operations to match
    pub operations: Vec<Operation>,
}

/// Built-in resource quota admission controller
pub struct ResourceQuotaAdmission {
    /// Namespace quotas
    quotas: std::collections::HashMap<String, ResourceQuota>,
}

/// Resource quota
#[derive(Debug, Clone)]
pub struct ResourceQuota {
    /// CPU limit (millicores)
    pub cpu_limit: u64,
    /// Memory limit (MB)
    pub memory_limit: u64,
    /// GPU limit
    pub gpu_limit: u32,
    /// Workload count limit
    pub workload_limit: u32,
}

impl ResourceQuotaAdmission {
    /// Create new resource quota admission controller
    pub fn new() -> Self {
        Self {
            quotas: std::collections::HashMap::new(),
        }
    }

    /// Set quota for namespace
    pub fn set_quota(&mut self, namespace: impl Into<String>, quota: ResourceQuota) {
        self.quotas.insert(namespace.into(), quota);
    }
}

impl Default for ResourceQuotaAdmission {
    fn default() -> Self {
        Self::new()
    }
}

impl AdmissionController for ResourceQuotaAdmission {
    fn name(&self) -> &str {
        "ResourceQuota"
    }

    fn handles(&self, kind: &str, operation: Operation) -> bool {
        kind == "Workload" && operation == Operation::Create
    }

    fn validate(&self, request: &AdmissionRequest) -> AdmissionResult {
        let namespace = match &request.namespace {
            Some(ns) => ns,
            None => return AdmissionResult::allowed(),
        };

        let quota = match self.quotas.get(namespace) {
            Some(q) => q,
            None => return AdmissionResult::allowed(),
        };

        // Check workload count (simplified - real impl would track current usage)
        if quota.workload_limit == 0 {
            return AdmissionResult::denied(format!(
                "Namespace {} has reached workload limit",
                namespace
            ));
        }

        AdmissionResult::allowed()
    }
}

/// Built-in default values admission controller
pub struct DefaultsAdmission;

impl DefaultsAdmission {
    /// Create new defaults admission controller
    pub fn new() -> Self {
        Self
    }
}

impl Default for DefaultsAdmission {
    fn default() -> Self {
        Self::new()
    }
}

impl AdmissionController for DefaultsAdmission {
    fn name(&self) -> &str {
        "Defaults"
    }

    fn handles(&self, kind: &str, operation: Operation) -> bool {
        kind == "Workload" && operation == Operation::Create
    }

    fn validate(&self, _request: &AdmissionRequest) -> AdmissionResult {
        AdmissionResult::allowed()
    }

    fn mutate(&self, request: &AdmissionRequest) -> Option<serde_json::Value> {
        let obj = request.object.as_ref()?;
        
        let mut patches = Vec::new();

        // Add default namespace if not set
        if obj.get("metadata").and_then(|m| m.get("namespace")).is_none() {
            patches.push(serde_json::json!({
                "op": "add",
                "path": "/metadata/namespace",
                "value": "default"
            }));
        }

        // Add default priority if not set
        if obj.get("spec").and_then(|s| s.get("priority")).is_none() {
            patches.push(serde_json::json!({
                "op": "add",
                "path": "/spec/priority",
                "value": 0
            }));
        }

        if patches.is_empty() {
            None
        } else {
            Some(serde_json::Value::Array(patches))
        }
    }
}

/// Admission controller chain
pub struct AdmissionChain {
    /// Validating controllers
    validators: Vec<Arc<dyn AdmissionController>>,
    /// Mutating controllers
    mutators: Vec<Arc<dyn AdmissionController>>,
}

impl AdmissionChain {
    /// Create new admission chain
    pub fn new() -> Self {
        Self {
            validators: Vec::new(),
            mutators: Vec::new(),
        }
    }

    /// Add validating controller
    pub fn add_validator<T: AdmissionController + 'static>(mut self, controller: T) -> Self {
        self.validators.push(Arc::new(controller));
        self
    }

    /// Add mutating controller
    pub fn add_mutator<T: AdmissionController + 'static>(mut self, controller: T) -> Self {
        self.mutators.push(Arc::new(controller));
        self
    }

    /// Run admission for a request
    pub fn admit(&self, mut request: AdmissionRequest) -> AdmissionResult {
        // Run mutating admission first
        let mut all_patches = Vec::new();
        
        for mutator in &self.mutators {
            if mutator.handles(&request.kind, request.operation) {
                if let Some(patch) = mutator.mutate(&request) {
                    if let Some(patches) = patch.as_array() {
                        all_patches.extend(patches.clone());
                    }
                }
            }
        }

        // Apply patches to request object
        if !all_patches.is_empty() {
            // In a real implementation, we'd apply JSON patches here
            // For now, just track that patches exist
        }

        // Run validating admission
        let mut warnings = Vec::new();
        
        for validator in &self.validators {
            if validator.handles(&request.kind, request.operation) {
                let result = validator.validate(&request);
                
                if !result.allowed {
                    return result;
                }
                
                warnings.extend(result.warnings);
            }
        }

        let mut result = AdmissionResult::allowed();
        result.warnings = warnings;
        
        if !all_patches.is_empty() {
            result = result.with_patch(serde_json::Value::Array(all_patches));
        }

        result
    }
}

impl Default for AdmissionChain {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_admission_result() {
        let allowed = AdmissionResult::allowed();
        assert!(allowed.allowed);

        let denied = AdmissionResult::denied("test reason");
        assert!(!denied.allowed);
        assert_eq!(denied.reason, Some("test reason".to_string()));
    }

    #[test]
    fn test_defaults_admission() {
        let controller = DefaultsAdmission::new();
        
        let request = AdmissionRequest {
            uid: "test".to_string(),
            operation: Operation::Create,
            kind: "Workload".to_string(),
            namespace: None,
            name: Some("test".to_string()),
            object: Some(serde_json::json!({
                "metadata": {"name": "test"},
                "spec": {}
            })),
            old_object: None,
            user_info: UserInfo::default(),
        };

        let patch = controller.mutate(&request);
        assert!(patch.is_some());
    }

    #[test]
    fn test_admission_chain() {
        let chain = AdmissionChain::new()
            .add_mutator(DefaultsAdmission::new())
            .add_validator(ResourceQuotaAdmission::new());

        let request = AdmissionRequest {
            uid: "test".to_string(),
            operation: Operation::Create,
            kind: "Workload".to_string(),
            namespace: Some("default".to_string()),
            name: Some("test".to_string()),
            object: Some(serde_json::json!({})),
            old_object: None,
            user_info: UserInfo::default(),
        };

        let result = chain.admit(request);
        assert!(result.allowed);
    }
}