From 347b5793ac4a4d6a71e50fb32d68de8756a591d3 Mon Sep 17 00:00:00 2001 From: Vedant Mahabaleshwarkar Date: Thu, 19 Oct 2023 12:22:10 -0400 Subject: [PATCH] Manifest readiness for Operator v2 (#237) * Use config/ as the manifests source for ODH operator v2 Signed-off-by: Vedant Mahabaleshwarkar * move all changes into an overlay Signed-off-by: Vedant Mahabaleshwarkar * restructure manifests so that kustomize does not need LoadRestrictorNone flag Signed-off-by: Vedant Mahabaleshwarkar * correct label mismatch Signed-off-by: Vedant Mahabaleshwarkar * final modifications Signed-off-by: Vedant Mahabaleshwarkar * remove openvino variable as it is unused Signed-off-by: Vedant Mahabaleshwarkar --------- 
Signed-off-by: Vedant Mahabaleshwarkar --- config/default/config-defaults.yaml | 2 +- config/manager/manager.yaml | 2 +- .../clusterservingruntime_patch_delete.yaml | 5 + config/overlays/odh/crd/kustomization.yaml | 5 + .../overlays/odh/default/config-defaults.yaml | 53 ++++++ .../overlays/odh/default/kustomization.yaml | 21 +++ .../odh/default/metadataLabelTransformer.yaml | 27 +++ config/overlays/odh/default/params.yaml | 4 + config/overlays/odh/kustomization.yaml | 65 +++++++ .../controller_manager_patch_replace.yaml | 27 +++ .../overlays/odh/manager/kustomization.yaml | 23 +++ config/overlays/odh/manager/params.yaml | 4 + config/overlays/odh/manager/service.yaml | 15 ++ config/overlays/odh/params.env | 4 + config/overlays/odh/params.yaml | 15 ++ config/overlays/odh/quickstart.yaml | 175 ++++++++++++++++++ config/overlays/odh/rbac/kustomization.yaml | 11 ++ .../overlays/odh/rbac/networkpolicy_etcd.yaml | 36 ++++ .../remove_networkpolicy_rumtime_patch.yaml | 5 + .../odh/rbac/role_apps_metrics_access.yaml | 41 ++++ .../overlays/odh/rbac/user_cluster_roles.yaml | 57 ++++++ config/overlays/odh/scripts/enable_auth.sh | 38 ++++ .../overlays/odh/scripts/kustomization.yaml | 8 + .../overlays/odh/webhook/kustomization.yaml | 10 + .../webhook_service_annotation_patch.yaml | 7 + .../model-mesh/base/kustomization.yaml | 2 +- 26 files changed, 659 insertions(+), 3 deletions(-) create mode 100644 config/overlays/odh/crd/clusterservingruntime_patch_delete.yaml create mode 100644 config/overlays/odh/crd/kustomization.yaml create mode 100644 config/overlays/odh/default/config-defaults.yaml create mode 100644 config/overlays/odh/default/kustomization.yaml create mode 100644 config/overlays/odh/default/metadataLabelTransformer.yaml create mode 100644 config/overlays/odh/default/params.yaml create mode 100644 config/overlays/odh/kustomization.yaml create mode 100644 config/overlays/odh/manager/controller_manager_patch_replace.yaml create mode 100644 
config/overlays/odh/manager/kustomization.yaml create mode 100644 config/overlays/odh/manager/params.yaml create mode 100644 config/overlays/odh/manager/service.yaml create mode 100644 config/overlays/odh/params.env create mode 100644 config/overlays/odh/params.yaml create mode 100644 config/overlays/odh/quickstart.yaml create mode 100644 config/overlays/odh/rbac/kustomization.yaml create mode 100644 config/overlays/odh/rbac/networkpolicy_etcd.yaml create mode 100644 config/overlays/odh/rbac/remove_networkpolicy_rumtime_patch.yaml create mode 100644 config/overlays/odh/rbac/role_apps_metrics_access.yaml create mode 100644 config/overlays/odh/rbac/user_cluster_roles.yaml create mode 100644 config/overlays/odh/scripts/enable_auth.sh create mode 100644 config/overlays/odh/scripts/kustomization.yaml create mode 100644 config/overlays/odh/webhook/kustomization.yaml create mode 100644 config/overlays/odh/webhook/webhook_service_annotation_patch.yaml diff --git a/config/default/config-defaults.yaml b/config/default/config-defaults.yaml index 0ca50c93..5cc41aab 100644 --- a/config/default/config-defaults.yaml +++ b/config/default/config-defaults.yaml @@ -55,4 +55,4 @@ builtInServerTypes: - triton - mlserver - ovms - - torchserve + - torchserve \ No newline at end of file diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 6a1fc790..0358a0a7 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -86,4 +86,4 @@ spec: - name: config-defaults configMap: defaultMode: 420 - name: model-serving-config-defaults + name: model-serving-config-defaults \ No newline at end of file diff --git a/config/overlays/odh/crd/clusterservingruntime_patch_delete.yaml b/config/overlays/odh/crd/clusterservingruntime_patch_delete.yaml new file mode 100644 index 00000000..a698259e --- /dev/null +++ b/config/overlays/odh/crd/clusterservingruntime_patch_delete.yaml 
@@ -0,0 +1,5 @@ +$patch: delete +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterservingruntimes.serving.kserve.io \ No newline at end of file diff --git a/config/overlays/odh/crd/kustomization.yaml b/config/overlays/odh/crd/kustomization.yaml new file mode 100644 index 00000000..616d2c33 --- /dev/null +++ b/config/overlays/odh/crd/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../crd/ \ No newline at end of file diff --git a/config/overlays/odh/default/config-defaults.yaml b/config/overlays/odh/default/config-defaults.yaml new file mode 100644 index 00000000..f44938f3 --- /dev/null +++ b/config/overlays/odh/default/config-defaults.yaml 
@@ -0,0 +1,53 @@ +# Copyright 2021 IBM Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# These are the system defaults which users can override with a user config + +# OpenDataHub override : ODH config-defaults is different from upstream +podsPerRuntime: 2 +headlessService: true +modelMeshImage: + name: $(odh-modelmesh) +modelMeshResources: + requests: + cpu: "300m" + memory: "448Mi" + limits: + cpu: "3" + memory: "448Mi" +restProxy: + enabled: true + port: 8008 + image: + name: $(odh-mm-rest-proxy) + resources: + requests: + cpu: "50m" + memory: "96Mi" + limits: + cpu: "1" + memory: "512Mi" +storageHelperImage: + name: $(odh-modelmesh-runtime-adapter) + command: ["/opt/app/puller"] +storageHelperResources: + requests: + cpu: "50m" + memory: "96Mi" + limits: + cpu: "2" + memory: "512Mi" +serviceAccountName: "modelmesh-serving-sa" +metrics: + enabled: true +payloadProcessors: "" diff --git a/config/overlays/odh/default/kustomization.yaml b/config/overlays/odh/default/kustomization.yaml new file mode 100644 index 00000000..02a10c81 --- /dev/null +++ b/config/overlays/odh/default/kustomization.yaml 
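Review bot: The header comment `# OpenDataHub override : ODH config-defaults is different from upstream` does not say what differs, which is exactly what someone re-syncing this file with config/default/config-defaults.yaml needs; from this patch the visible deviations are the `$(odh-*)` image variables, `restProxy.enabled: true` on port 8008 for every runtime, and the absence of the upstream `builtInServerTypes` list shown in the first hunk. I would expand it to `# ODH deviations from config/default/config-defaults.yaml: images come from params.env vars, the REST proxy is enabled on 8008 for all runtimes, builtInServerTypes is not set`. Because the REST proxy is now on by default and this same patch deletes the `modelmesh-runtimes` NetworkPolicy, it is also worth stating here whether TLS for that listener is expected to come from the user config — nothing in this file configures it.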
@@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../crd/ + - ../manager/ + - ../webhook + +configMapGenerator: + - files: + - ./config-defaults.yaml + name: model-serving-config-defaults + +generatorOptions: + disableNameSuffixHash: true + +transformers: + - metadataLabelTransformer.yaml + +configurations: + - params.yaml diff --git a/config/overlays/odh/default/metadataLabelTransformer.yaml b/config/overlays/odh/default/metadataLabelTransformer.yaml new file mode 100644 index 00000000..6bbe669b --- /dev/null +++ b/config/overlays/odh/default/metadataLabelTransformer.yaml @@ -0,0 +1,27 @@ +# Copyright 2021 IBM Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: builtin +kind: LabelTransformer +metadata: + name: notImportantHere +labels: + app.kubernetes.io/instance: modelmesh-controller + app.kubernetes.io/managed-by: modelmesh-controller + app.kubernetes.io/name: modelmesh-controller +fieldSpecs: + - path: metadata/labels + create: true + - path: spec/template/metadata/labels + kind: Deployment + create: true diff --git a/config/overlays/odh/default/params.yaml b/config/overlays/odh/default/params.yaml new file mode 100644 index 00000000..a0a19831 --- /dev/null +++ b/config/overlays/odh/default/params.yaml @@ -0,0 +1,4 @@ +varReference: + - path: spec/template/spec/containers[]/image + kind: Deployment + apiVersion: apps/v1 
diff --git a/config/overlays/odh/kustomization.yaml b/config/overlays/odh/kustomization.yaml new file mode 100644 index 00000000..72ac1375 --- /dev/null +++ b/config/overlays/odh/kustomization.yaml @@ -0,0 +1,65 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../prometheus + - ./default + - ./scripts + - ./quickstart.yaml + - ./rbac + +namespace: opendatahub +configMapGenerator: + - envs: + - params.env + name: mesh-parameters +generatorOptions: + disableNameSuffixHash: true + + +vars: + - fieldref: + fieldPath: metadata.namespace + name: mesh-namespace + objref: + apiVersion: v1 + kind: ConfigMap + name: mesh-parameters + - fieldref: + fieldPath: data.odh-modelmesh + name: odh-modelmesh + objref: + apiVersion: v1 + kind: ConfigMap + name: mesh-parameters + - fieldref: + fieldPath: data.odh-mm-rest-proxy + name: odh-mm-rest-proxy + objref: + apiVersion: v1 + kind: ConfigMap + name: mesh-parameters + - fieldref: + fieldPath: data.odh-modelmesh-runtime-adapter + name: odh-modelmesh-runtime-adapter + objref: + apiVersion: v1 + kind: ConfigMap + name: mesh-parameters + - fieldref: + fieldPath: data.odh-modelmesh-controller + name: odh-modelmesh-controller + objref: + apiVersion: v1 + kind: ConfigMap + name: mesh-parameters + +commonLabels: + app: model-mesh + app.kubernetes.io/part-of: model-mesh + +patchesStrategicMerge: + - ./crd/clusterservingruntime_patch_delete.yaml + +configurations: + - params.yaml diff --git a/config/overlays/odh/manager/controller_manager_patch_replace.yaml b/config/overlays/odh/manager/controller_manager_patch_replace.yaml new file mode 100644 index 00000000..58527e35 --- /dev/null +++ b/config/overlays/odh/manager/controller_manager_patch_replace.yaml 
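Review bot: The `vars:` block and `patchesStrategicMerge:` at the bottom of this kustomization use constructs kustomize has deprecated in favour of `replacements` and `patches`, while manager/kustomization.yaml in the same overlay already uses the newer `patches:` form, so the two files are inconsistent and the deprecated forms may stop working in whichever kustomize the operator bundles. The five `vars` entries differ only in `fieldPath` and `name`, so they collapse naturally into `replacements`. Note also that `commonLabels` rewrites selectors on every generated Deployment and Service, and the etcd NetworkPolicy's `podSelector` depends on the `app.kubernetes.io/part-of: model-mesh` label added here; a comment such as `# commonLabels also feeds the etcd NetworkPolicy podSelector in rbac/` would make that coupling visible.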
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: modelmesh-controller
+spec:
+ replicas: 3
+ template:
+ spec:
+ containers:
+ - name: manager
+ image: $(odh-modelmesh-controller)
+ resources:
+ limits:
+ memory: 2Gi
+ ports:
+ - containerPort: 9443
+ name: webhook
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: modelmesh-webhook-server-cert
+ readOnly: true
+ volumes:
+ - name: modelmesh-webhook-server-cert
+ secret:
+ defaultMode: 420
+ secretName: modelmesh-webhook-server-cert
\ No newline at end of file
diff --git a/config/overlays/odh/manager/kustomization.yaml b/config/overlays/odh/manager/kustomization.yaml
new file mode 100644
index 00000000..b4907891
--- /dev/null
+++ b/config/overlays/odh/manager/kustomization.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../manager/
+ - ./service.yaml
+
+patches:
+ - path: ./controller_manager_patch_replace.yaml
+ - target:
+ kind: Deployment
+ name: modelmesh-controller
+ patch: |
+ - op: add
+ path: /spec/template/spec/affinity/nodeAffinity
+ value:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
\ No newline at end of file
diff --git a/config/overlays/odh/manager/params.yaml b/config/overlays/odh/manager/params.yaml
new file mode 100644
index 00000000..a0a19831
--- /dev/null
+++ b/config/overlays/odh/manager/params.yaml
@@ -0,0 +1,4 @@
+varReference:
+ - path: spec/template/spec/containers[]/image
+ kind: Deployment
+ apiVersion: apps/v1
diff --git a/config/overlays/odh/manager/service.yaml b/config/overlays/odh/manager/service.yaml
new file mode 100644
index 00000000..a8e2d9cb
--- /dev/null
+++ b/config/overlays/odh/manager/service.yaml
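Review bot: The JSON6902 patch `op: add` with `path: /spec/template/spec/affinity/nodeAffinity` only succeeds if the base Deployment already carries an `affinity` stanza, because RFC 6902 `add` requires the parent path to exist, and config/manager/manager.yaml is not visible in this patch to confirm that. If the base has no `affinity`, use `path: /spec/template/spec/affinity` and nest the current value under a `nodeAffinity:` key; if it does, keep the current path (an `add` on `/affinity` would replace any existing podAntiAffinity). Either way a one-line comment above the patch stating the assumption, e.g. `# base manager.yaml is expected to define spec.template.spec.affinity`, would turn a future silent build break into an obvious one.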
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: modelmesh-controller
+ app.kubernetes.io/managed-by: modelmesh-controller
+ name: modelmesh-controller
+spec:
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
+ type: ClusterIP
+ selector:
+ control-plane: modelmesh-controller
diff --git a/config/overlays/odh/params.env b/config/overlays/odh/params.env
new file mode 100644
index 00000000..be8b69b7
--- /dev/null
+++ b/config/overlays/odh/params.env
@@ -0,0 +1,4 @@
+odh-mm-rest-proxy=quay.io/opendatahub/rest-proxy:fast
+odh-modelmesh-runtime-adapter=quay.io/opendatahub/modelmesh-runtime-adapter:fast
+odh-modelmesh=quay.io/opendatahub/modelmesh:fast
+odh-modelmesh-controller=quay.io/opendatahub/modelmesh-controller:fast
diff --git a/config/overlays/odh/params.yaml b/config/overlays/odh/params.yaml
new file mode 100644
index 00000000..67e82db8
--- /dev/null
+++ b/config/overlays/odh/params.yaml
@@ -0,0 +1,15 @@
+varReference:
+ - path: metadata/namespace
+ kind: ServiceAccount
+ apiVersion: v1
+ - path: metadata/name
+ kind: ClusterRoleBinding
+ apiGroup: rbac.authorization.k8s.io
+ - path: subjects/namespace
+ kind: RoleBinding
+ apiGroup: rbac.authorization.k8s.io
+ - path: spec/template/spec/containers[]/image
+ kind: Deployment
+ apiVersion: apps/v1
+ - path: data
+ kind: ConfigMap
diff --git a/config/overlays/odh/quickstart.yaml b/config/overlays/odh/quickstart.yaml
new file mode 100644
index 00000000..7c09ce5d
--- /dev/null
+++ b/config/overlays/odh/quickstart.yaml
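Review bot: All four image references in params.env use the floating `:fast` tag, so each render of this overlay resolves the controller, runtime adapter, model-mesh and REST proxy images to whatever was pushed last, and a deployed cluster cannot be tied back to a reviewed build. That is inconsistent with quickstart.yaml in this same patch, which pins the etcd and ose-cli images by sha256 digest. Either pin these too, e.g. `odh-modelmesh-controller=quay.io/opendatahub/modelmesh-controller@sha256:<digest>`, or add a comment at the top of the file stating that `fast` is deliberately a moving nightly channel that a release overlay is expected to override.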
@@ -0,0 +1,175 @@ +# Copyright 2021 IBM Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: Service +metadata: + name: etcd + labels: + component: model-mesh-etcd +spec: + ports: + - name: etcd-client-port + port: 2379 + protocol: TCP + targetPort: 2379 + selector: + component: model-mesh-etcd +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: model-mesh-etcd + name: etcd +spec: + replicas: 1 + selector: + matchLabels: + component: model-mesh-etcd + template: + metadata: + labels: + component: model-mesh-etcd + spec: + volumes: + - name: scripts + configMap: + name: etcd-scripts + defaultMode: 0554 + initContainers: + - name: etcd-secret-creator + image: registry.redhat.io/openshift4/ose-cli@sha256:25fef269ac6e7491cb8340119a9b473acbeb53bc6970ad029fdaae59c3d0ca61 + command: ["/bin/bash", "-c", "--"] + args: + - | + etcdpasswordexists=$(oc get secrets -o name | grep etcd-passwords || echo "false") + modelservingetcdexists=$(oc get secrets -o name | grep model-serving-etcd || echo "false") + + if [[ $etcdpasswordexists == "false" && $modelservingetcdexists == "false" ]]; then + echo "creating etcdpasswords and model-serving-etcd secrets" + ETC_ROOT_PSW=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1) + oc create secret generic etcd-passwords --type=string --from-literal=root=$ETC_ROOT_PSW + oc create secret generic model-serving-etcd --type=string --from-literal=etcd_connection="{\"endpoints\": 
\"http://etcd:2379\",\"root_prefix\": \"modelmesh-serving\",\"userid\": \"root\",\"password\": \"$ETC_ROOT_PSW\"}" + exit 0 + elif [[ $etcdpasswordexists != "false" && $modelservingetcdexists == "false" ]]; then + echo "etcdpasswords exists, creating model-serving-etcd secret" + ETC_ROOT_PSW=$(oc get secrets/etcd-passwords --template={{.data.root}} | base64 -d) + oc create secret generic model-serving-etcd --type=string --from-literal=etcd_connection="{\"endpoints\": \"http://etcd:2379\",\"root_prefix\": \"modelmesh-serving\",\"userid\": \"root\",\"password\": \"$ETC_ROOT_PSW\"}" + exit 0 + elif [[ $etcdpasswordexists == "false" && $modelservingetcdexists != "false" ]]; then + echo "model-serving-etcd exists, creating etcdpasswords secret" + ETC_ROOT_PSW=$(oc get secrets/model-serving-etcd --template={{.data.etcd_connection}} | base64 -d | grep -o '"password": *"[^"]*"' | grep -o '"[^"]*"$' | grep -oP '"\K[^"\047]+(?=["\047])') + oc create secret generic etcd-passwords --type=string --from-literal=root=$ETC_ROOT_PSW + exit 0 + else + echo "secrets etcdpasswords and model-serving-etcd exist, doing nothing" + exit 0 + fi + containers: + - command: + - etcd + - --listen-client-urls + - http://0.0.0.0:2379 + - --advertise-client-urls + - http://0.0.0.0:2379 + - "--data-dir" + - /tmp/etcd.data + image: registry.redhat.io/rhel7/etcd@sha256:d3495b263b103681f1b09a558be43c21989bfc269eb90f84c2609042cebdc626 + name: etcd + env: + - name: ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: etcd-passwords + key: root + volumeMounts: + - mountPath: /home/scripts + name: scripts + ports: + - containerPort: 2379 + name: client + protocol: TCP + - containerPort: 2380 + name: server + protocol: TCP + resources: # ref: https://github.com/coreos/etcd-operator/blob/master/doc/user/spec_examples.md#three-member-cluster-with-resource-requirement + limits: + cpu: 300m + memory: 200Mi + requests: + cpu: 200m + memory: 100Mi + livenessProbe: + tcpSocket: + port: 2379 + initialDelaySeconds: 
30 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + tcpSocket: + port: 2379 + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - /home/scripts/enable_auth.sh ${ROOT_PASSWORD} + serviceAccountName: etcd-serviceaccount +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + name: etcd-serviceaccount + namespace: $(mesh-namespace) +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + name: etcd-role +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: etcd-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: etcd-role +subjects: + - kind: ServiceAccount + name: etcd-serviceaccount + namespace: $(mesh-namespace) diff --git a/config/overlays/odh/rbac/kustomization.yaml b/config/overlays/odh/rbac/kustomization.yaml new file mode 100644 index 00000000..ba3b49d5 --- /dev/null +++ b/config/overlays/odh/rbac/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../rbac/cluster-scope + - ./networkpolicy_etcd.yaml + - ./role_apps_metrics_access.yaml + - ./user_cluster_roles.yaml + +patchesStrategicMerge: + - remove_networkpolicy_rumtime_patch.yaml diff --git a/config/overlays/odh/rbac/networkpolicy_etcd.yaml b/config/overlays/odh/rbac/networkpolicy_etcd.yaml new file mode 100644 index 00000000..4765b8cd --- /dev/null +++ b/config/overlays/odh/rbac/networkpolicy_etcd.yaml 
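Review bot: The `etcd-role` ClusterRole and `etcd-clusterrolebinding` at the end of the hunk grant `etcd-serviceaccount` create/delete/get/list/patch/update/watch on Secrets in every namespace, while the only consumer is the `etcd-secret-creator` init container, which lists, gets and creates `etcd-passwords` and `model-serving-etcd` in its own namespace. Scope it down to a namespaced `kind: Role` bound by a `kind: RoleBinding` with `roleRef.kind: Role`, and drop `delete`, `patch`, `update` and `watch`, which the script never uses; params.yaml in this patch already declares a `subjects/namespace` varReference for RoleBinding, so `$(mesh-namespace)` keeps resolving. Separately, `oc get secrets -o name | grep etcd-passwords` is a substring match that a secret named e.g. `old-etcd-passwords` would satisfy, so the "exists" branches can be taken against the wrong object; `oc get secret etcd-passwords -o name 2>/dev/null || echo false` tests the exact name. The etcd container also listens on `http://0.0.0.0:2379` with no TLS, so the root password stored in `model-serving-etcd` crosses the pod network in clear — if that is accepted for a quickstart, a comment above the Deployment should say so.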
@@ -0,0 +1,36 @@
+# Copyright 2022 IBM Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: etcd
+spec:
+ podSelector:
+ matchLabels:
+ component: model-mesh-etcd
+ app.kubernetes.io/part-of: model-mesh
+ ingress:
+ # etcd communication
+ - from:
+ - namespaceSelector:
+ # matches controller and runtime pods
+ matchLabels:
+ modelmesh-enabled: "true"
+ # mataches internal pods
+ - podSelector: {}
+ ports:
+ - port: 2379
+ protocol: TCP
+ policyTypes:
+ - Ingress
diff --git a/config/overlays/odh/rbac/remove_networkpolicy_rumtime_patch.yaml b/config/overlays/odh/rbac/remove_networkpolicy_rumtime_patch.yaml
new file mode 100644
index 00000000..67a3906f
--- /dev/null
+++ b/config/overlays/odh/rbac/remove_networkpolicy_rumtime_patch.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: modelmesh-runtimes
diff --git a/config/overlays/odh/rbac/role_apps_metrics_access.yaml b/config/overlays/odh/rbac/role_apps_metrics_access.yaml
new file mode 100644
index 00000000..417b63e0
--- /dev/null
+++ b/config/overlays/odh/rbac/role_apps_metrics_access.yaml
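Review bot: The `from` list holds two separate entries, so ingress to 2379 is allowed from any pod in any namespace labelled `modelmesh-enabled: "true"` OR any pod in the etcd namespace; the comment says that label marks namespaces with controller and runtime pods, which presumably includes every user project that opts in, and each of those can then reach the etcd client port directly with the root password (sent over plain HTTP per quickstart.yaml) as the only barrier. If only runtime pods should reach etcd, put a `podSelector` next to the `namespaceSelector` inside the same `from` entry so the two conditions AND together; if the broad rule is intended, say so in the comment and fix the typo (`# mataches internal pods` → `# matches pods in the etcd namespace`). The `podSelector` also keys on `app.kubernetes.io/part-of: model-mesh`, which only exists because the parent kustomization's `commonLabels` adds it — worth a comment so the policy does not silently match nothing if that label is ever dropped.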
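Review bot: This patch deletes the upstream `modelmesh-runtimes` NetworkPolicy with nothing in the overlay taking its place, so whatever ingress restriction it imposed on runtime pods is gone in the ODH build; with the REST proxy enabled on 8008 for every runtime by this overlay's config-defaults.yaml, runtime pods become reachable from any pod unless ODH ships a policy elsewhere, which I cannot see from this patch. Add a comment to the patch file explaining why the policy is removed and what replaces it, e.g. `# Removed: ODH restricts runtime ingress via <policy/mechanism>`, so the next reviewer does not have to rediscover the reasoning. The filename typo `rumtime` should also be `runtime`.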
@@ -0,0 +1,41 @@
+# Deploying a RoleBinding in a given Namespace
+# that gives the Prometheus SA the following role
+# will allow that Prometheus to scrape Services
+# in that RoleBinding's Namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: prometheus-ns-access
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
diff --git a/config/overlays/odh/rbac/user_cluster_roles.yaml b/config/overlays/odh/rbac/user_cluster_roles.yaml
new file mode 100644
index 00000000..547f09fa
--- /dev/null
+++ b/config/overlays/odh/rbac/user_cluster_roles.yaml
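Review bot: The second rule grants `get/list/watch` on `ingresses` in the `extensions` API group, which was removed from Kubernetes in 1.22 and is presumably stale on any OpenShift release this overlay targets; the `networking.k8s.io` rule that follows already covers Ingress, so the `extensions` block can be dropped rather than carried forward. The header comment describes binding this ClusterRole per namespace with a RoleBinding, but no binding is created anywhere in this overlay; a sentence naming who is expected to create it, e.g. `# Bound per namespace by the ODH operator / by cluster admins; not bound here`, would make the intent explicit.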
@@ -0,0 +1,57 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: model-serving-admin
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.authorization.k8s.io/aggregate-to-model-serving-admin: "true"
+rules: []
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: model-serving-edit
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-model-serving-admin: "true"
+rules:
+ - apiGroups:
+ - serving.kserve.io
+ resources:
+ - inferenceservices
+ - servingruntimes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: model-serving-view
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+ - apiGroups:
+ - kubeflow.org
+ resources:
+ - servingruntimes
+ - servingruntimes/status
+ - servingruntimes/finalizers
+ - inferenceservices
+ - inferenceservices/status
+ - inferenceservices/finalizers
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/overlays/odh/scripts/enable_auth.sh b/config/overlays/odh/scripts/enable_auth.sh
new file mode 100644
index 00000000..430308dd
--- /dev/null
+++ b/config/overlays/odh/scripts/enable_auth.sh
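Review bot: `model-serving-view` lists `servingruntimes` and `inferenceservices` under `apiGroups: kubeflow.org`, whereas `model-serving-edit` in the same file and the CRD this overlay removes (`clusterservingruntimes.serving.kserve.io`) use `serving.kserve.io`; as written the view role matches no resource served by this controller, so users who only aggregate into `view` get no read access to runtimes or InferenceServices. Change it to `- serving.kserve.io`. The two roles are also inconsistent in shape: the view role names `/status` and `/finalizers` subresources while the edit role does not, so decide whether editors should read status and align the two resource lists.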
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e -o pipefail
+export ETCDCTL_API=3
+
+function etcd::availability() {
+ local cmd=$1 # Command whose output we require
+ local interval=$2 # How many seconds to sleep between tries
+ local iterations=$3 # How many times we attempt to run the command
+
+ ii=0
+
+ while [ $ii -le $iterations ]
+ do
+
+ token=$($cmd) && returncode=$? || returncode=$?
+ if [ $returncode -eq 0 ]; then
+ break
+ fi
+
+ ((ii=ii+1))
+ if [ $ii -eq 100 ]; then
+ echo $cmd "did not return a value"
+ exit 1
+ fi
+ sleep $interval
+ done
+ echo $token
+}
+
+cmd='etcdctl --endpoints=http://0.0.0.0:2379 endpoint health'
+
+etcd::availability "${cmd}" 6 10
+
+PASSWORD="${1:-password}"
+
+echo $PASSWORD | etcdctl --endpoints=http://0.0.0.0:2379 user add root --interactive=false
+etcdctl --endpoints=http://0.0.0.0:2379 auth enable
diff --git a/config/overlays/odh/scripts/kustomization.yaml b/config/overlays/odh/scripts/kustomization.yaml
new file mode 100644
index 00000000..af731f5e
--- /dev/null
+++ b/config/overlays/odh/scripts/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+ - name: etcd-scripts
+ files:
+ - enable_auth.sh
diff --git a/config/overlays/odh/webhook/kustomization.yaml b/config/overlays/odh/webhook/kustomization.yaml
new file mode 100644
index 00000000..ddcc8c01
--- /dev/null
+++ b/config/overlays/odh/webhook/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../webhook
+
+commonAnnotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+
+patches:
+ - path: ./webhook_service_annotation_patch.yaml
\ No newline at end of file
diff --git a/config/overlays/odh/webhook/webhook_service_annotation_patch.yaml b/config/overlays/odh/webhook/webhook_service_annotation_patch.yaml
new file mode 100644
index 00000000..37c09aae
--- /dev/null
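Review bot: `PASSWORD="${1:-password}"` creates the etcd root user with the literal password `password` whenever the postStart hook runs without an argument, which is what happens if `ROOT_PASSWORD` (from the `etcd-passwords` Secret) is empty or the Secret is missing, and `auth enable` then locks that weak credential in; fail hard instead with `PASSWORD="${1:?etcd root password must be passed as the first argument}"`. The retry loop in `etcd::availability` also never reaches its own timeout: it tests `ii -eq 100` but is called with `iterations=10`, so after ten failures it falls out of the `while`, the `did not return a value` diagnostic is unreachable, and the script only fails later at `user add`; compare against the parameter, `if [ $ii -ge $iterations ]; then`. Since quickstart.yaml passes the password as a positional argument (`enable_auth.sh ${ROOT_PASSWORD}`), it is visible in the script process's `/proc/<pid>/cmdline` for its lifetime; reading `ROOT_PASSWORD` from the environment inside the script avoids that.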
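Review bot: `commonAnnotations` stamps `service.beta.openshift.io/inject-cabundle: "true"` onto every resource pulled in from `../../../webhook`, not just the webhook configuration the OpenShift service-CA operator reads it from; on the Service it sits beside the `serving-cert-secret-name` annotation added by the patch, and on any other kind it is inert noise that makes it unclear which object is meant to receive the CA bundle. Prefer a targeted `patches:` entry like the one already used for the Service, with `target: {kind: ValidatingWebhookConfiguration}` (or whichever kind the base defines — not visible in this patch) adding the annotation, so the intent is explicit and the annotation stops propagating.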
+++ b/config/overlays/odh/webhook/webhook_service_annotation_patch.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: modelmesh-webhook-server-service + namespace: system + annotations: + service.beta.openshift.io/serving-cert-secret-name: modelmesh-webhook-server-cert \ No newline at end of file diff --git a/opendatahub/odh-manifests/model-mesh/base/kustomization.yaml b/opendatahub/odh-manifests/model-mesh/base/kustomization.yaml index 66edd70e..4a5ad587 100644 --- a/opendatahub/odh-manifests/model-mesh/base/kustomization.yaml +++ b/opendatahub/odh-manifests/model-mesh/base/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../odh-modelmesh-controller/overlays/odh - - ../odh-model-controller/overlays/odh + # - ../odh-model-controller/overlays/odh namespace: opendatahub configMapGenerator: