Update kruize UI to Deployment

[shreyabiradar07]

This PR converts Kruize UI from kind Pod to Deployment to ensure UI pod ownerReference is UI deployment and not Kruize CR.

Docker image: quay.io/shbirada/kruize_operator:kruize_ui_deployment

Summary by Sourcery

Convert the Kruize UI nginx component from a standalone Pod to a Deployment and add CI automation to keep Kruize image versions in sync with upstream releases.

New Features:

• Introduce a Deployment resource for the Kruize UI nginx component instead of a direct Pod.
• Add a GitHub Actions workflow to automatically sync Kruize Autotune and UI image versions from upstream projects and open update PRs.

Enhancements:

• Update tests to validate generation of the new Kruize UI Deployment resources and default UI image usage.
• Refresh base UBI minimal image tags in Dockerfile and bundle Dockerfile to a newer version.

CI:

• Add a scheduled and manually-triggerable workflow that checks upstream Kruize Autotune and UI versions, verifies image availability on Quay, updates constants and sample manifests, and creates version bump pull requests automatically.

Summary by Sourcery

Convert the Kruize UI nginx component from a standalone Pod to a Deployment and update tests accordingly.

New Features:

• Introduce a Deployment resource for the Kruize UI nginx component instead of a direct Pod.

Enhancements:

• Ensure the UI Deployment uses the configured UI image and is included in both generic and Kubernetes-specific namespaced resource generation.

Tests:

• Update controller unit tests to assert generation of the Kruize UI Deployment and its default image usage.
• Extend end-to-end tests to verify the UI Deployment becomes ready and that the deployed UI image matches the configured value or default.

[sourcery-ai]

Reviewer's Guide

Convert the Kruize UI nginx component from a standalone Pod to an apps/v1 Deployment and update tests to validate the new resource shape and deployed UI image, ensuring UI ownership is decoupled from the Kruize CR.

Sequence diagram for reconciliation creating Kruize UI nginx Deployment

sequenceDiagram
    participant User
    participant API as KubernetesAPI
    participant CR as KruizeCR
    participant KC as KruizeController
    participant GEN as KruizeResourceGenerator
    participant DEP as Deployment_kruize_ui_nginx

    User->>API: Apply KruizeCR
    API-->>CR: Persist KruizeCR
    API->>KC: Trigger reconcile for KruizeCR
    KC->>GEN: NamespacedResources()
    GEN-->>KC: Service, ConfigMap, Deployment_kruize_ui_nginx
    KC->>API: CreateOrUpdate Service
    KC->>API: CreateOrUpdate ConfigMap
    KC->>API: CreateOrUpdate Deployment_kruize_ui_nginx
    API-->>DEP: Ensure Deployment exists
    DEP-->>API: Manage ReplicaSet and Pods
    API-->>User: Kruize UI nginx Pod running under Deployment ownerReference

Loading

Class diagram for updated KruizeResourceGenerator UI nginx resources

classDiagram
    class KruizeResourceGenerator {
        string Namespace
        string Autotune_ui_image
        NamespacedResources() []client_Object
        KubernetesNamespacedResources() []client_Object
        kruizeServiceMonitor() *monitoringv1_ServiceMonitor
        nginxConfigMap() *corev1_ConfigMap
        kruizeUINginxService() *corev1_Service
        kruizeUINginxDeployment() *appsv1_Deployment
        deletePartitionCronJob() *batchv1_CronJob
    }

    class corev1_Service {
    }

    class corev1_ConfigMap {
    }

    class appsv1_Deployment {
        int32 replicas
        DeploymentStrategy strategy
        LabelSelector selector
        PodTemplateSpec template
    }

    class corev1_PodTemplateSpec {
    }

    class corev1_PodSpec {
        Container[] containers
        Volume[] volumes
    }

    class corev1_Container {
        string name
        string image
        PullPolicy imagePullPolicy
        EnvVar[] env
        VolumeMount[] volumeMounts
        SecurityContext securityContext
    }

    class corev1_Volume {
        string name
        VolumeSource volumeSource
    }

    class corev1_VolumeSource {
        ConfigMapVolumeSource configMap
        EmptyDirVolumeSource emptyDir
    }

    class corev1_ConfigMapVolumeSource {
        LocalObjectReference localObjectReference
    }

    class corev1_EmptyDirVolumeSource {
    }

    class corev1_SecurityContext {
        bool allowPrivilegeEscalation
        Capabilities capabilities
        SeccompProfile seccompProfile
    }

    KruizeResourceGenerator --> corev1_Service : creates
    KruizeResourceGenerator --> corev1_ConfigMap : creates
    KruizeResourceGenerator --> appsv1_Deployment : creates
    appsv1_Deployment o-- corev1_PodTemplateSpec : template
    corev1_PodTemplateSpec o-- corev1_PodSpec : spec
    corev1_PodSpec o-- corev1_Container : containers
    corev1_PodSpec o-- corev1_Volume : volumes
    corev1_Volume o-- corev1_VolumeSource : source
    corev1_VolumeSource o-- corev1_ConfigMapVolumeSource : configMap
    corev1_VolumeSource o-- corev1_EmptyDirVolumeSource : emptyDir
    corev1_Container o-- corev1_SecurityContext : securityContext

Loading

File-Level Changes

Change	Details	Files
Replace the standalone Kruize UI nginx Pod with an apps/v1 Deployment in the resource generator for both generic and Kubernetes-specific namespaced resources.	Swap kruizeUINginxPod() for kruizeUINginxDeployment() in NamespacedResources and KubernetesNamespacedResources so the operator now manages a Deployment instead of a Pod. Implement kruizeUINginxDeployment() returning an apps/v1.Deployment with Recreate strategy, selector/labels on app=kruize-ui-nginx, and a PodTemplate that preserves the prior container image, env vars, volume mounts, and volumes. Ensure the new Deployment reuses the existing nginx config ConfigMap and EmptyDir volumes and keeps the UI nginx container security context configuration.	internal/utils/kruize_generator.go
Extend end-to-end tests to validate the new Deployment-based UI and ensure the configured UI image is what gets deployed.	Add a readiness check for the kruize-ui-nginx Deployment by asserting .status.readyReplicas == 1 via kubectl in the e2e test flow. Add verification that the kruize-ui-nginx Deployment's container image matches either a custom KRUIZE_UI_IMAGE or the default UI image from the CR, logging mismatches as warnings.	test/e2e/e2e_test.go
Update controller unit tests to assert generation of the Kruize UI Deployment and default UI image usage instead of the previous Pod.	Change tests to locate a Deployment named kruize-ui-nginx rather than a Pod named kruize-ui-nginx-pod in NamespacedResources. Update expectations to inspect Deployment.Spec.Template.Spec.Containers when checking for existence of the UI container and for validating the default UI image constant. Adjust helper-based lookups (findTypedResource and findContainerByName) to operate on appsv1.Deployment and its PodTemplate instead of corev1.Pod.	internal/controller/kruize_controller_test.go

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#61	Ensure Kruize UI pods have consistent workload names and workload types when installing with the operator versus without the operator, so they are no longer treated as different workloads.	✅
#61	Eliminate the demo failure / 422 error caused by having two different workload records for the Kruize UI pod when reinstalling with and without the operator.	✅

Possibly linked issues

• #(no explicit number provided): PR changes UI to a Deployment so pods have consistent ownerReference/workload identity, directly addressing the issue’s mismatch problem.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• The new Deployment spec drops several previously-set environment variables (e.g., KRUIZE_API_URL, REACT_APP_KRUIZE_API_URL, KRUIZE_UI_API_URL, API_URL); if the UI still relies on these, consider keeping them to avoid breaking existing behavior.
• The Pod’s security context and emptyDir volumes for cache/pid/tmp were removed in the Deployment; if these were originally added for security or nginx runtime stability, consider porting them over to the new Pod template instead of omitting them.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new Deployment spec drops several previously-set environment variables (e.g., KRUIZE_API_URL, REACT_APP_KRUIZE_API_URL, KRUIZE_UI_API_URL, API_URL); if the UI still relies on these, consider keeping them to avoid breaking existing behavior.
- The Pod’s security context and emptyDir volumes for cache/pid/tmp were removed in the Deployment; if these were originally added for security or nginx runtime stability, consider porting them over to the new Pod template instead of omitting them.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[shreyabiradar07]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• When converting the UI pod to a Deployment, the container security context lost RunAsNonRoot and RunAsUser settings; consider preserving these fields to avoid silently weakening the workload’s security posture compared to the original Pod.
• The e2e check for UI readiness assumes .status.readyReplicas equals the string "1"; this can be brittle if replica counts change or the field is temporarily empty—consider asserting that readyReplicas is non-zero or matching the spec replicas instead of a hard-coded string.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- When converting the UI pod to a Deployment, the container security context lost `RunAsNonRoot` and `RunAsUser` settings; consider preserving these fields to avoid silently weakening the workload’s security posture compared to the original Pod.
- The e2e check for UI readiness assumes `.status.readyReplicas` equals the string `"1"`; this can be brittle if replica counts change or the field is temporarily empty—consider asserting that `readyReplicas` is non-zero or matching the spec replicas instead of a hard-coded string.

## Individual Comments

### Comment 1
<location> `internal/utils/kruize_generator.go:708-715` </location>
<code_context>
-						{Name: "nginx-pid", MountPath: "/var/run"},
-						{Name: "nginx-tmp", MountPath: "/tmp"},
 					},
-					SecurityContext: &corev1.SecurityContext{
-						AllowPrivilegeEscalation: boolPtr(false),
-						RunAsNonRoot:             boolPtr(true),
-						RunAsUser:                int64Ptr(101),
-						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{"ALL"},
-						},
-						SeccompProfile: &corev1.SeccompProfile{
-							Type: corev1.SeccompProfileTypeRuntimeDefault,
+					Volumes: []corev1.Volume{
</code_context>

<issue_to_address>
**🚨 issue (security):** Dropping RunAsNonRoot/RunAsUser weakens the previous security posture

These fields previously enforced non-root execution (`RunAsNonRoot: true`, `RunAsUser: 101`) but are now removed from the pod template. If nginx is expected to run as UID 101, please retain equivalent settings (pod or container level) to prevent it from unintentionally running as root in some environments.
</issue_to_address>

### Comment 2
<location> `test/e2e/e2e_test.go:299-308` </location>
<code_context>
+			By("verifying deployed Kruize UI image")
</code_context>

<issue_to_address>
**suggestion (testing):** Strengthen the UI image verification by asserting on mismatches when KRUIZE_UI_IMAGE is set

When `kruizeUIImage` is set, the test only logs a warning if the deployed UI image differs, so CI won’t fail on a miswired or regressed image. Please make a mismatch a failing assertion (e.g. `Expect(deployedUIImage).To(Equal(kruizeUIImage))`), or gate that behavior behind a flag that CI can enable, so `KRUIZE_UI_IMAGE` is actually validated end-to-end.

Suggested implementation:

```golang
			// If custom Kruize UI image was specified, verify it matches and fail on mismatch
			if kruizeUIImage != "" {
				fmt.Fprintf(GinkgoWriter, "Validating deployed UI image against KRUIZE_UI_IMAGE: %s\n", kruizeUIImage)
				ExpectWithOffset(1, deployedUIImage).To(
					Equal(kruizeUIImage),
					fmt.Sprintf("Deployed UI image %s does not match KRUIZE_UI_IMAGE %s", deployedUIImage, kruizeUIImage),
				)
				fmt.Fprintf(GinkgoWriter, "✓ Deployed UI image matches specified KRUIZE_UI_IMAGE: %s\n", kruizeUIImage)

```

The above change makes a mismatch between the deployed UI image and `kruizeUIImage` a hard assertion failure whenever `kruizeUIImage` is set, which aligns with the CI requirement you described.

Because I can only see part of the block, you should:
1. Remove any existing `else` branch below this `if kruizeUIImage != "" { ... }` that only logs a warning on mismatch. With the new `Expect`, such an `else` is no longer needed and will cause compilation issues if it still references the old `if deployedUIImage == kruizeUIImage` structure.
2. If you need the “warning-only” behavior for local runs, consider guarding this strict check behind a boolean flag (e.g. an env var) and wrapping the `Expect` in another `if` so CI can enable strict verification while developers can opt out locally.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[bharathappali]

Are these env vars needed?

[shreyabiradar07]

Thanks for pointing, removed them

[bharathappali]

LGTM