fix: add scaling adapter

Signed-off-by: Julien Mancuso <[email protected]>

Author: julienmancuso

deploy/cloud/helm/crds/templates/nvidia.com_dynamocomponentdeployments.yaml

@@ -10189,8 +10189,12 @@ spec:
                       type: integer
                   type: object
                 replicas:
-                  description: Replicas is the desired number of Pods for this component when autoscaling is not used.
+                  description: |-
+                    Replicas is the desired number of Pods for this component.
+                    When scalingAdapter is enabled (default), this field is managed by the
+                    DynamoGraphDeploymentScalingAdapter and should not be modified directly.
                   format: int32
+                  minimum: 0
                   type: integer
                 resources:
                   description: |-
@@ -10269,6 +10273,20 @@ spec:
                           type: string
                       type: object
                   type: object
+                scalingAdapter:
+                  description: |-
+                    ScalingAdapter configures whether this service uses the DynamoGraphDeploymentScalingAdapter.
+                    When enabled (default), replicas are managed via DGDSA and external autoscalers can scale
+                    the service using the Scale subresource. When disabled, replicas can be modified directly.
+                  properties:
+                    disable:
+                      default: false
+                      description: |-
+                        Disable indicates whether the ScalingAdapter should be disabled for this service.
+                        When false (default), a DGDSA is created and owns the replicas field.
+                        When true, no DGDSA is created and replicas can be modified directly in the DGD.
+                      type: boolean
+                  type: object
                 serviceName:
                   description: The name of the component
                   type: string

deploy/cloud/helm/crds/templates/nvidia.com_dynamographdeployments.yaml

@@ -10324,8 +10324,12 @@ spec:
                             type: integer
                         type: object
                       replicas:
-                        description: Replicas is the desired number of Pods for this component when autoscaling is not used.
+                        description: |-
+                          Replicas is the desired number of Pods for this component.
+                          When scalingAdapter is enabled (default), this field is managed by the
+                          DynamoGraphDeploymentScalingAdapter and should not be modified directly.
                         format: int32
+                        minimum: 0
                         type: integer
                       resources:
                         description: |-
@@ -10404,6 +10408,20 @@ spec:
                                 type: string
                             type: object
                         type: object
+                      scalingAdapter:
+                        description: |-
+                          ScalingAdapter configures whether this service uses the DynamoGraphDeploymentScalingAdapter.
+                          When enabled (default), replicas are managed via DGDSA and external autoscalers can scale
+                          the service using the Scale subresource. When disabled, replicas can be modified directly.
+                        properties:
+                          disable:
+                            default: false
+                            description: |-
+                              Disable indicates whether the ScalingAdapter should be disabled for this service.
+                              When false (default), a DGDSA is created and owns the replicas field.
+                              When true, no DGDSA is created and replicas can be modified directly in the DGD.
+                            type: boolean
+                        type: object
                       serviceName:
                         description: The name of the component
                         type: string

deploy/cloud/operator/api/v1alpha1/common.go

@@ -123,3 +123,15 @@ type ExtraPodSpec struct {
 	*corev1.PodSpec `json:",inline"`
 	MainContainer   *corev1.Container `json:"mainContainer,omitempty"`
 }
+
+// ScalingAdapter configures whether a service uses the DynamoGraphDeploymentScalingAdapter
+// for replica management. When enabled (default), the DGDSA owns the replicas field and
+// external autoscalers (HPA, KEDA, Planner) can control scaling via the Scale subresource.
+type ScalingAdapter struct {
+	// Disable indicates whether the ScalingAdapter should be disabled for this service.
+	// When false (default), a DGDSA is created and owns the replicas field.
+	// When true, no DGDSA is created and replicas can be modified directly in the DGD.
+	// +optional
+	// +kubebuilder:default=false
+	Disable bool `json:"disable,omitempty"`
+}

deploy/cloud/operator/api/v1alpha1/dynamocomponentdeployment_types.go

@@ -110,10 +110,18 @@ type DynamoComponentDeploymentSharedSpec struct {
 	LivenessProbe *corev1.Probe `json:"livenessProbe,omitempty"`
 	// ReadinessProbe to signal when the container is ready to receive traffic.
 	ReadinessProbe *corev1.Probe `json:"readinessProbe,omitempty"`
-	// Replicas is the desired number of Pods for this component when autoscaling is not used.
+	// Replicas is the desired number of Pods for this component.
+	// When scalingAdapter is enabled (default), this field is managed by the
+	// DynamoGraphDeploymentScalingAdapter and should not be modified directly.
+	// +kubebuilder:validation:Minimum=0
 	Replicas *int32 `json:"replicas,omitempty"`
 	// Multinode is the configuration for multinode components.
 	Multinode *MultinodeSpec `json:"multinode,omitempty"`
+	// ScalingAdapter configures whether this service uses the DynamoGraphDeploymentScalingAdapter.
+	// When enabled (default), replicas are managed via DGDSA and external autoscalers can scale
+	// the service using the Scale subresource. When disabled, replicas can be modified directly.
+	// +optional
+	ScalingAdapter *ScalingAdapter `json:"scalingAdapter,omitempty"`
 }
 
 type MultinodeSpec struct {

deploy/cloud/operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -10189,8 +10189,12 @@ spec:
                       type: integer
                   type: object
                 replicas:
-                  description: Replicas is the desired number of Pods for this component when autoscaling is not used.
+                  description: |-
+                    Replicas is the desired number of Pods for this component.
+                    When scalingAdapter is enabled (default), this field is managed by the
+                    DynamoGraphDeploymentScalingAdapter and should not be modified directly.
                   format: int32
+                  minimum: 0
                   type: integer
                 resources:
                   description: |-
@@ -10269,6 +10273,20 @@ spec:
                           type: string
                       type: object
                   type: object
+                scalingAdapter:
+                  description: |-
+                    ScalingAdapter configures whether this service uses the DynamoGraphDeploymentScalingAdapter.
+                    When enabled (default), replicas are managed via DGDSA and external autoscalers can scale
+                    the service using the Scale subresource. When disabled, replicas can be modified directly.
+                  properties:
+                    disable:
+                      default: false
+                      description: |-
+                        Disable indicates whether the ScalingAdapter should be disabled for this service.
+                        When false (default), a DGDSA is created and owns the replicas field.
+                        When true, no DGDSA is created and replicas can be modified directly in the DGD.
+                      type: boolean
+                  type: object
                 serviceName:
                   description: The name of the component
                   type: string

deploy/cloud/operator/config/crd/bases/nvidia.com_dynamocomponentdeployments.yaml

@@ -10324,8 +10324,12 @@ spec:
                             type: integer
                         type: object
                       replicas:
-                        description: Replicas is the desired number of Pods for this component when autoscaling is not used.
+                        description: |-
+                          Replicas is the desired number of Pods for this component.
+                          When scalingAdapter is enabled (default), this field is managed by the
+                          DynamoGraphDeploymentScalingAdapter and should not be modified directly.
                         format: int32
+                        minimum: 0
                         type: integer
                       resources:
                         description: |-
@@ -10404,6 +10408,20 @@ spec:
                                 type: string
                             type: object
                         type: object
+                      scalingAdapter:
+                        description: |-
+                          ScalingAdapter configures whether this service uses the DynamoGraphDeploymentScalingAdapter.
+                          When enabled (default), replicas are managed via DGDSA and external autoscalers can scale
+                          the service using the Scale subresource. When disabled, replicas can be modified directly.
+                        properties:
+                          disable:
+                            default: false
+                            description: |-
+                              Disable indicates whether the ScalingAdapter should be disabled for this service.
+                              When false (default), a DGDSA is created and owns the replicas field.
+                              When true, no DGDSA is created and replicas can be modified directly in the DGD.
+                            type: boolean
+                        type: object
                       serviceName:
                         description: The name of the component
                         type: string

deploy/cloud/operator/config/crd/bases/nvidia.com_dynamographdeployments.yaml

@@ -19,7 +19,9 @@ package webhook
 
 import (
 	"context"
+	"strings"
 
+	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -118,3 +120,54 @@ func (v *LeaseAwareValidator) shouldSkipValidation(obj runtime.Object) bool {
 
 	return false
 }
+
+// DGDReplicasModifierSuffixes defines suffixes for service accounts that are authorized
+// to modify DGD replicas when scaling adapter is enabled.
+// Service accounts matching any of these suffixes are allowed regardless of namespace.
+var DGDReplicasModifierSuffixes = []string{
+	// Dynamo operator controller manager (handles DGDSA reconciliation)
+	// Example: "dynamo-platform-dynamo-operator-controller-manager"
+	"-dynamo-operator-controller-manager",
+
+	// Planner service account (manages DGD replicas for autoscaling)
+	// Example: "planner-serviceaccount"
+	"planner-serviceaccount",
+}
+
+// CanModifyDGDReplicas checks if the request comes from a service account authorized
+// to modify DGD replicas when scaling adapter is enabled.
+// Service accounts are identified by username format: system:serviceaccount:<namespace>:<name>
+//
+// Authorized service accounts (by suffix):
+// - *-dynamo-operator-controller-manager (for DGDSA reconciliation)
+// - *planner-serviceaccount (for Planner autoscaling)
+func CanModifyDGDReplicas(userInfo authenticationv1.UserInfo) bool {
+	username := userInfo.Username
+
+	// Service accounts have username format: system:serviceaccount:<namespace>:<name>
+	if !strings.HasPrefix(username, "system:serviceaccount:") {
+		return false
+	}
+
+	// Parse: system:serviceaccount:<namespace>:<name>
+	parts := strings.Split(username, ":")
+	if len(parts) != 4 {
+		return false
+	}
+
+	namespace := parts[2]
+	saName := parts[3]
+
+	// Check against authorized suffixes
+	for _, suffix := range DGDReplicasModifierSuffixes {
+		if strings.HasSuffix(saName, suffix) {
+			webhookCommonLog.V(1).Info("allowing DGD replicas modification",
+				"serviceAccount", saName,
+				"namespace", namespace,
+				"matchedSuffix", suffix)
+			return true
+		}
+	}
+
+	return false
+}

deploy/cloud/operator/internal/webhook/common.go

@@ -42,16 +42,10 @@ func NewDynamoComponentDeploymentValidator(deployment *nvidiacomv1alpha1.DynamoC
 func (v *DynamoComponentDeploymentValidator) Validate() (admission.Warnings, error) {
 	// Validate shared spec fields using SharedSpecValidator
 	sharedValidator := NewSharedSpecValidator(&v.deployment.Spec.DynamoComponentDeploymentSharedSpec, "spec")
-	if err := sharedValidator.Validate(); err != nil {
-		return nil, err
-	}
-
-	// Collect deprecation warnings
-	warnings := sharedValidator.GetWarnings()
 
 	// DCD-specific validation would go here (currently none)
 
-	return warnings, nil
+	return sharedValidator.Validate()
 }
 
 // ValidateUpdate performs stateful validation comparing old and new DynamoComponentDeployment.

deploy/cloud/operator/internal/webhook/validation/dynamocomponentdeployment.go

@@ -22,6 +22,8 @@ import (
 	"fmt"
 
 	nvidiacomv1alpha1 "github.com/ai-dynamo/dynamo/deploy/cloud/operator/api/v1alpha1"
+	internalwebhook "github.com/ai-dynamo/dynamo/deploy/cloud/operator/internal/webhook"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
@@ -68,29 +70,88 @@ func (v *DynamoGraphDeploymentValidator) Validate() (admission.Warnings, error)
 // ValidateUpdate performs stateful validation comparing old and new DynamoGraphDeployment.
 // Returns warnings and error.
 func (v *DynamoGraphDeploymentValidator) ValidateUpdate(old *nvidiacomv1alpha1.DynamoGraphDeployment) (admission.Warnings, error) {
+	return v.ValidateUpdateWithUserInfo(old, nil)
+}
+
+// ValidateUpdateWithUserInfo performs stateful validation with user identity checking.
+// When userInfo is provided, it validates that only allowed controllers can modify
+// replicas for services with scaling adapter enabled.
+// Returns warnings and error.
+func (v *DynamoGraphDeploymentValidator) ValidateUpdateWithUserInfo(old *nvidiacomv1alpha1.DynamoGraphDeployment, userInfo *authenticationv1.UserInfo) (admission.Warnings, error) {
 	// Validate that BackendFramework is not changed (immutable)
 	if v.deployment.Spec.BackendFramework != old.Spec.BackendFramework {
 		warning := "Changing spec.backendFramework may cause unexpected behavior"
 		return admission.Warnings{warning}, fmt.Errorf("spec.backendFramework is immutable and cannot be changed after creation")
 	}
 
+	// Validate replicas changes for services with scaling adapter enabled
+	if userInfo != nil {
+		if err := v.validateReplicasChanges(old, *userInfo); err != nil {
+			return nil, err
+		}
+	}
+
 	return nil, nil
 }
 
+// validateReplicasChanges checks if replicas were changed for services with scaling adapter enabled.
+// Only authorized service accounts (operator controller, planner) can modify these fields.
+func (v *DynamoGraphDeploymentValidator) validateReplicasChanges(old *nvidiacomv1alpha1.DynamoGraphDeployment, userInfo authenticationv1.UserInfo) error {
+	// If the request comes from an authorized service account, allow the change
+	if internalwebhook.CanModifyDGDReplicas(userInfo) {
+		return nil
+	}
+
+	var errs []error
+
+	for serviceName, newService := range v.deployment.Spec.Services {
+		// Check if scaling adapter is enabled for this service (enabled by default)
+		scalingAdapterEnabled := true
+		if newService.ScalingAdapter != nil && newService.ScalingAdapter.Disable {
+			scalingAdapterEnabled = false
+		}
+
+		if !scalingAdapterEnabled {
+			// Scaling adapter is disabled, users can modify replicas directly
+			continue
+		}
+
+		// Get old service (if exists)
+		oldService, exists := old.Spec.Services[serviceName]
+		if !exists {
+			// New service, no comparison needed
+			continue
+		}
+
+		// Check if replicas changed
+		oldReplicas := int32(1) // default
+		if oldService.Replicas != nil {
+			oldReplicas = *oldService.Replicas
+		}
+
+		newReplicas := int32(1) // default
+		if newService.Replicas != nil {
+			newReplicas = *newService.Replicas
+		}
+
+		if oldReplicas != newReplicas {
+			errs = append(errs, fmt.Errorf(
+				"spec.services[%s].replicas cannot be modified directly when scaling adapter is enabled; "+
+					"use 'kubectl scale dgdsa/%s-%s --replicas=%d' or update the DynamoGraphDeploymentScalingAdapter instead",
+				serviceName, v.deployment.Name, serviceName, newReplicas))
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
 // validateService validates a single service configuration using SharedSpecValidator.
 // Returns warnings and error.
 func (v *DynamoGraphDeploymentValidator) validateService(serviceName string, service *nvidiacomv1alpha1.DynamoComponentDeploymentSharedSpec) (admission.Warnings, error) {
 	// Use SharedSpecValidator to validate service spec (which is a DynamoComponentDeploymentSharedSpec)
 	fieldPath := fmt.Sprintf("spec.services[%s]", serviceName)
 	sharedValidator := NewSharedSpecValidator(service, fieldPath)
-
-	if err := sharedValidator.Validate(); err != nil {
-		return nil, err
-	}
-
-	// Collect deprecation warnings
-	warnings := sharedValidator.GetWarnings()
-	return warnings, nil
+	return sharedValidator.Validate()
 }
 
 // validatePVCs validates the PVC configurations.