
helm: add Kubeflow foundation charts #3468

Open
danish9039 wants to merge 12 commits into kubeflow:master from danish9039:gsoc/platform-foundation-charts


@danish9039 (Member) commented May 17, 2026

Summary

Adds the first two Project 5 foundation Helm charts under experimental/helm/charts:

  • kubeflow-namespaces
  • kubeflow-platform

kubeflow-namespaces owns the bootstrap namespace layer for the platform install. It renders the Kubeflow namespaces, platform dependency namespaces, and namespace-scoped NetworkPolicies that currently come from common/kubeflow-namespace/base plus the dependency namespace baselines.

kubeflow-platform owns the shared Kubeflow platform RBAC from common/kubeflow-roles/base.

Scope

  • Add experimental/helm/charts/kubeflow-namespaces.
  • Add experimental/helm/charts/kubeflow-platform.
  • Add Helm/Kustomize comparison scenarios for both charts.
  • Add a namespace-union comparison scenario for the platform namespaces used by the first wrapper charts.

Namespace behavior

kubeflow-namespaces is the bootstrap chart. Its Helm release is installed in default because it creates kubeflow-system.

Namespaces created by this chart are kept on helm uninstall, since later platform and component charts may create resources inside them.

If a namespace already exists, for example a company-managed cert-manager namespace, the chart skips adopting it and prints a note. Helm does not patch labels on unmanaged pre-existing namespaces, so missing labels must be applied separately.

Install shape

helm install kubeflow-namespaces ./experimental/helm/charts/kubeflow-namespaces --namespace default
helm install kubeflow-platform ./experimental/helm/charts/kubeflow-platform --namespace kubeflow-system

Validation

helm lint experimental/helm/charts/kubeflow-namespaces
helm lint experimental/helm/charts/kubeflow-platform
./tests/helm_kustomize_compare.sh kubeflow-namespaces base
./tests/helm_kustomize_compare.sh kubeflow-namespaces platform-namespaces
./tests/helm_kustomize_compare.sh kubeflow-platform base
./tests/helm_kustomize_compare_all.sh kubeflow-namespaces
./tests/helm_kustomize_compare_all.sh kubeflow-platform

Also validated the namespace lifecycle in kind for:

  • fresh install and upgrade
  • pre-existing unmanaged cert-manager namespace
  • retained namespaces after Helm ownership checks
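
The pre-existing-namespace case described under "Namespace behavior", as an added example that is not part of this PR or the chart: a Python audit over `kubectl get namespaces -o json` output that separates namespaces owned by the `kubeflow-namespaces` release from unmanaged ones and lists the labels that have to be applied by hand. The label key `example.test/tier`, the required-label map and the sample cluster state are constructed for illustration; the ownership label and annotations are the ones Helm 3 writes.

```python
import shlex
# Ownership metadata Helm 3 writes on resources it manages.
MANAGED_BY = "app.kubernetes.io/managed-by"
REL_NAME = "meta.helm.sh/release-name"
REL_NS = "meta.helm.sh/release-namespace"

# Constructed sample in the shape of `kubectl get namespaces -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "kubeflow-system",
                  "labels": {MANAGED_BY: "Helm", "example.test/tier": "platform"},
                  "annotations": {REL_NAME: "kubeflow-namespaces", REL_NS: "default"}}},
    {"metadata": {"name": "cert-manager"}},  # company-managed, no Helm metadata
]}
# Hypothetical required labels; the real set is defined by the chart, not this page.
WANTED = {"kubeflow-system": {"example.test/tier": "platform"},
          "cert-manager": {"example.test/tier": "dependency"},
          "istio-system": {"example.test/tier": "dependency"}}

def classify(ns, release, release_ns):
    """'managed' by this release, owned by a 'foreign-release', or 'unmanaged'."""
    meta = ns.get("metadata", {})
    labels, ann = meta.get("labels") or {}, meta.get("annotations") or {}
    if labels.get(MANAGED_BY) != "Helm" and REL_NAME not in ann:
        return "unmanaged"
    if ann.get(REL_NAME) == release and ann.get(REL_NS) == release_ns:
        return "managed"
    return "foreign-release"

def audit(ns_list, wanted, release="kubeflow-namespaces", release_ns="default"):
    """Map each wanted namespace to its state and the required labels it lacks."""
    present = {n["metadata"]["name"]: n for n in ns_list.get("items", [])}
    report = {}
    for name, required in wanted.items():
        ns = present.get(name)
        if ns is None:  # not in the cluster yet: the chart creates it, labels included
            report[name] = {"state": "absent", "missing": {}}
            continue
        labels = ns["metadata"].get("labels") or {}
        missing = {k: v for k, v in required.items() if labels.get(k) != v}
        report[name] = {"state": classify(ns, release, release_ns), "missing": missing}
    return report

def label_commands(report):
    """kubectl commands for existing namespaces whose labels Helm will not patch."""
    return [
        "kubectl label namespace " + shlex.quote(name) + " "
        + " ".join(shlex.quote(f"{k}={v}") for k, v in sorted(r["missing"].items()))
        for name, r in sorted(report.items())
        if r["state"] != "managed" and r["missing"]
    ]
```

Against a live cluster, pass the parsed output of `kubectl get namespaces -o json` to `audit` in place of `SAMPLE`.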

Copilot AI review requested due to automatic review settings May 17, 2026 22:37
@github-actions


Welcome to the Kubeflow Manifests Repository

Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community.

Before making more PRs:
Please ensure your PR follows our Contributing Guide.
Please also be aware that many components are synchronized from upstream via the scripts in /scripts.
So in some cases you have to fix the problem in the upstream repositories first, but you can use a PR against kubeflow/manifests to test the platform integration.

Community Resources:

Thanks again for helping to improve Kubeflow.

Copilot AI left a comment

Contributor

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@danish9039 force-pushed the gsoc/platform-foundation-charts branch 2 times, most recently from d0658e5 to 58e2aa5 (May 19, 2026 19:37)
@danish9039 force-pushed the gsoc/platform-foundation-charts branch from 58e2aa5 to 518a7c4 (May 25, 2026 16:00)

# Default values for kubeflow-namespaces.

global:
# -- Primary Kubeflow namespace.

Member

What is the purpose of such comments?

Member Author

Removed the redundant values comments in values.yaml.

systemNamespace: kubeflow-system

networkPolicies:
# -- Keep namespace NetworkPolicies aligned with common/kubeflow-namespace/base.

Member

What is the purpose of such comments?

Member Author

Removed the redundant values comments in values.yaml.

@danish9039 force-pushed the gsoc/platform-foundation-charts branch 2 times, most recently from 45a0c78 to b7f645f (May 30, 2026 21:21)
@danish9039 marked this pull request as ready for review June 1, 2026 13:34
@danish9039

Member Author

| Chart type | Example chart | Release namespace | Workload namespace | Reason |
| --- | --- | --- | --- | --- |
| Bootstrap foundation | kubeflow-namespaces | default or maintainer-chosen bootstrap namespace | creates kubeflow, kubeflow-system | kubeflow-system does not exist yet |
| Platform foundation | kubeflow-platform | kubeflow-system after namespace chart | mostly cluster-scoped | platform-owned shared policy |
| External wrapper | cert-manager | cert-manager | cert-manager, kube-system | mentor direction: release metadata stays with main workload namespace |
| External wrapper | istio | istio-system | istio-system, kube-system, kubeflow | release metadata stays with Istio workload namespace |
| External wrapper | oauth2-proxy | oauth2-proxy | oauth2-proxy, istio-system | release metadata stays with auth proxy workload namespace |
| External wrapper | dex | auth | auth | release metadata stays with Dex workload namespace |
| External wrapper | knative-serving | knative-serving | knative-serving, istio-system | release metadata stays with Knative workload namespace |
| Component chart | kubeflow-pipelines | kubeflow | kubeflow | component runs in Kubeflow namespace |
| Component chart | kubeflow-katib | kubeflow | kubeflow | component runs in Kubeflow namespace |
| Component chart | kubeflow-dashboard | kubeflow | kubeflow | component runs in Kubeflow namespace |
| Component chart | kubeflow-notebooks | kubeflow | kubeflow | component runs in Kubeflow namespace |
| Component chart | kserve | kubeflow | kubeflow | current Kubeflow KServe path uses kubeflow |
| Component chart | kubeflow-trainer | kubeflow-system | kubeflow-system | current trainer overlay runs in kubeflow-system |
| Optional component | workspaces | kubeflow-system or kubeflow-workspaces | kubeflow-workspaces | decide when Workspaces scope is active |


I am assuming you have captured all the netpol from https://github.com/kubeflow/manifests/tree/master/common/kubeflow-namespace/base/kubeflow kustomize

Member Author

Yes, these NetworkPolicies are copied from common/kubeflow-namespace/base/kubeflow and covered by the Helm/Kustomize comparison.

- `Namespace/auth`
- namespace-scoped NetworkPolicies required by the platform baseline

If one of these namespaces already exists, for example a company-managed `cert-manager` namespace, the chart does not recreate or adopt it. Helm does not patch labels on unmanaged pre-existing resources; apply the required labels to that namespace separately if they are missing.


Should we also mention in the README that namespaces created by kubeflow-namespaces chart are not deleted when the chart is uninstalled via Helm?

helm uninstall kubeflow-namespaces
This would help clarify the expected behavior for users and prevent accidental assumptions about namespace cleanup during uninstallation.

Member Author

Added this to the README; namespaces created by this bootstrap chart are kept on helm uninstall.

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
@danish9039 force-pushed the gsoc/platform-foundation-charts branch from 7aec9b1 to d9d83c1 (June 7, 2026 23:18)
@google-oss-prow


@dhanishaphadate: changing LGTM is restricted to collaborators


@danish9039 requested a review from Copilot June 7, 2026 23:42

Copilot AI left a comment

Contributor

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: metatada-envoy
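
Review bot: `name: metatada-envoy` under `metadata:` looks like a misspelling of `metadata-envoy`. If the spelling is kept on purpose so the rendered NetworkPolicy matches the Kustomize base it was copied from, add a template comment saying so; otherwise rename it, since the policy name is what operators search for when auditing namespace isolation.
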
Comment on lines +139 to +142
declare -A KUSTOMIZE_PATHS=(
["base"]="$MANIFESTS_DIR/base"
["platform-namespaces"]="$ROOT_DIR/common/kubeflow-namespace/base"$'\n'"$ROOT_DIR/common/cert-manager/base"$'\n'"$ROOT_DIR/common/istio/istio-namespace/base"$'\n'"$ROOT_DIR/common/oauth2-proxy/base"$'\n'"$ROOT_DIR/common/dex/base"
)
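
Review bot: the `["platform-namespaces"]` entry packs five Kustomize paths into one value joined with `$'\n'` on a single line, which is hard to review and easy to break when a path is added or removed. Build the value from one path per line (for example a small array joined with newlines), and note next to `declare -A` that the script needs bash 4 or newer, because associative arrays are not available in older bash versions.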

@dhanishaphadate dhanishaphadate left a comment


LGTM

@google-oss-prow


@dhanishaphadate: changing LGTM is restricted to collaborators

In response to this:

LGTM

@google-oss-prow


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign juliusvonkohout for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
