feat(ossm): adds OSSM annotations to the relevant cluster resources

backend/src/routes/api/namespaces/namespaceUtils.ts

@@ -2,6 +2,7 @@ import { PatchUtils, V1SelfSubjectAccessReview } from '@kubernetes/client-node';
 import { NamespaceApplicationCase } from './const';
 import { K8sStatus, KubeFastifyInstance, OauthFastifyRequest } from '../../../types';
 import { createCustomError } from '../../../utils/requestUtils';
+import { getDashboardConfig } from '../../../utils/resourceUtils';
 import { isK8sStatus, safeURLPassThrough } from '../k8s/pass-through';
 
 const checkNamespacePermission = (
@@ -60,13 +61,19 @@ export const applyNamespaceChange = async (
     throw createCustomError('Forbidden', "You don't have the access to update the namespace", 403);
   }
 
+  const disableServiceMesh = getDashboardConfig().spec.dashboardConfig.disableServiceMesh;
+
   let labels = {};
+  let annotations = {};
   switch (context) {
     case NamespaceApplicationCase.DSG_CREATION:
       labels = {
         'opendatahub.io/dashboard': 'true',
         'modelmesh-enabled': 'true',
       };
+      annotations = {
+        'opendatahub.io/service-mesh': String(!disableServiceMesh),
+      };
       break;
     case NamespaceApplicationCase.MODEL_SERVING_PROMOTION:
       labels = {
@@ -78,9 +85,17 @@ export const applyNamespaceChange = async (
   }
 
   return fastify.kube.coreV1Api
-    .patchNamespace(name, { metadata: { labels } }, undefined, undefined, undefined, undefined, {
-      headers: { 'Content-type': PatchUtils.PATCH_FORMAT_JSON_MERGE_PATCH },
-    })
+    .patchNamespace(
+      name,
+      { metadata: { labels, annotations } },
+      undefined,
+      undefined,
+      undefined,
+      undefined,
+      {
+        headers: { 'Content-type': PatchUtils.PATCH_FORMAT_JSON_MERGE_PATCH },
+      },
+    )
     .then(() => ({ applied: true }))
     .catch((e) => {
       fastify.log.error(

backend/src/routes/api/notebooks/utils.ts

@@ -3,12 +3,14 @@ import { PatchUtils, V1ContainerStatus, V1Pod, V1PodList } from '@kubernetes/cli
 import { createCustomError } from '../../../utils/requestUtils';
 import { getUserName } from '../../../utils/userUtils';
 import { RecursivePartial } from '../../../typeHelpers';
+import { getDashboardConfig } from '../../../utils/resourceUtils';
 import {
   createNotebook,
   generateNotebookNameFromUsername,
   getNamespaces,
   getNotebook,
   getRoute,
+  getServiceMeshGwHost,
   updateNotebook,
 } from '../../../utils/notebookUtils';
 import { FastifyRequest } from 'fastify';
@@ -27,12 +29,24 @@ export const getNotebookStatus = async (
   const notebookName = notebook?.metadata.name;
   let newNotebook: Notebook;
   if (isRunning && !notebook?.metadata.annotations?.['opendatahub.io/link']) {
-    const route = await getRoute(fastify, namespace, notebookName).catch((e) => {
-      fastify.log.warn(`Failed getting route ${notebookName}: ${e.message}`);
-      return undefined;
-    });
-    if (route) {
-      newNotebook = await patchNotebookRoute(fastify, route, namespace, notebookName).catch((e) => {
+    const disableServiceMesh = getDashboardConfig().spec.dashboardConfig.disableServiceMesh;
+    let host: string;
+    if (!disableServiceMesh) {
+      host = await getServiceMeshGwHost(fastify, namespace).catch((e) => {
+        fastify.log.warn(`Failed getting route ${notebookName}: ${e.message}`);
+        return undefined;
+      });
+    } else {
+      const route = await getRoute(fastify, namespace, notebookName).catch((e) => {
+        fastify.log.warn(`Failed getting route ${notebookName}: ${e.message}`);
+        return undefined;
+      });
+      if (route) {
+        host = route.spec.host;
+      }
+    }
+    if (host) {
+      newNotebook = await patchNotebookRoute(fastify, host, namespace, notebookName).catch((e) => {
         fastify.log.warn(`Failed patching route to notebook ${notebookName}: ${e.message}`);
         return notebook;
       });
@@ -71,14 +85,14 @@ export const checkPodContainersReady = (pod: V1Pod): boolean => {
 
 export const patchNotebookRoute = async (
   fastify: KubeFastifyInstance,
-  route: Route,
+  host: string,
   namespace: string,
   name: string,
 ): Promise<Notebook> => {
   const patch: RecursivePartial<Notebook> = {
     metadata: {
       annotations: {
-        'opendatahub.io/link': `https://${route.spec.host}/notebook/${namespace}/${name}`,
+        'opendatahub.io/link': `https://${host}/notebook/${namespace}/${name}/`,
       },
     },
   };

backend/src/types.ts

@@ -27,6 +27,7 @@ export type DashboardConfig = K8sResourceCommon & {
       disableModelServing: boolean;
       disableProjectSharing: boolean;
       disableCustomServingRuntimes: boolean;
+      disableServiceMesh: boolean;
       modelMetricsNamespace: string;
       disablePipelines: boolean;
     };
@@ -403,6 +404,9 @@ export type Notebook = K8sResourceCommon & {
       'opendatahub.io/link': string; // redirect notebook url
       'opendatahub.io/username': string; // the untranslated username behind the notebook
 
+      // Openshift Service Mesh specific annotations. They're needed to orchestrate additional resources for nb namespaces.
+      'opendatahub.io/service-mesh': string;
+
       // TODO: Can we get this from the data in the Notebook??
       'notebooks.opendatahub.io/last-image-selection': string; // the last image they selected
       'notebooks.opendatahub.io/last-size-selection': string; // the last notebook size they selected

backend/src/utils/constants.ts

@@ -51,6 +51,7 @@ export const blankDashboardCR: DashboardConfig = {
       disableModelServing: false,
       disableProjectSharing: false,
       disableCustomServingRuntimes: false,
+      disableServiceMesh: true,
       modelMetricsNamespace: '',
       disablePipelines: false,
     },

backend/src/utils/notebookUtils.ts

@@ -21,6 +21,7 @@ import { getUserName, usernameTranslate } from './userUtils';
 import { createCustomError } from './requestUtils';
 import {
   PatchUtils,
+  V1Namespace,
   V1PersistentVolumeClaim,
   V1Role,
   V1RoleBinding,
@@ -68,6 +69,35 @@ export const getRoute = async (
   return kubeResponse.body as Route;
 };
 
+export const getServiceMeshGwHost = async (
+  fastify: KubeFastifyInstance,
+  namespace: string,
+): Promise<string> => {
+  const kubeResponse = await fastify.kube.coreV1Api.readNamespace(namespace).catch((res) => {
+    const e = res.response.body;
+    const error = createCustomError('Error getting Namespace', e.message, e.code);
+    fastify.log.error(error);
+    throw error;
+  });
+
+  const body = kubeResponse.body as unknown;
+  const typedResponse = body as V1Namespace;
+
+  const annotations = typedResponse.metadata?.annotations;
+
+  if (!annotations || !annotations['service-mesh.opendatahub.io/public-gateway-host-external']) {
+    const error = createCustomError(
+      'Annotation not found',
+      `Could not find annotation 'service-mesh.opendatahub.io/public-gateway-host-external' for namespace: ${namespace}`,
+      404,
+    );
+    fastify.log.error(error);
+    throw error;
+  }
+
+  return annotations['service-mesh.opendatahub.io/public-gateway-host-external'];
+};
+
 export const createRBAC = async (
   fastify: KubeFastifyInstance,
   namespace: string,
@@ -250,6 +280,10 @@ export const assembleNotebook = async (
     },
   }));
 
+  const serviceMeshEnabled = String(
+    !getDashboardConfig().spec?.dashboardConfig?.disableServiceMesh,
+  );
+
   return {
     apiVersion: 'kubeflow.org/v1',
     kind: 'Notebook',
@@ -264,7 +298,9 @@ export const assembleNotebook = async (
         'notebooks.opendatahub.io/oauth-logout-url': `${url}/notebookController/${translatedUsername}/home`,
         'notebooks.opendatahub.io/last-size-selection': notebookSize.name,
         'notebooks.opendatahub.io/last-image-selection': imageSelection,
+        'notebooks.opendatahub.io/inject-oauth': String(!serviceMeshEnabled),
         'opendatahub.io/username': username,
+        'opendatahub.io/service-mesh': serviceMeshEnabled,
         'kubeflow-resource-stopped': null,
       },
       name: name,
@@ -413,6 +449,8 @@ export const createNotebook = async (
   url: string,
   notebookData?: NotebookData,
 ): Promise<Notebook> => {
+  const config = getDashboardConfig();
+
   if (!notebookData) {
     const error = createCustomError(
       'Missing Notebook',
@@ -438,7 +476,13 @@ export const createNotebook = async (
     notebookAssembled.metadata.annotations = {};
   }
 
-  notebookAssembled.metadata.annotations['notebooks.opendatahub.io/inject-oauth'] = 'true';
+  notebookAssembled.metadata.annotations['notebooks.opendatahub.io/inject-oauth'] = String(
+    config.spec.dashboardConfig.disableServiceMesh,
+  );
+  notebookAssembled.metadata.annotations['opendatahub.io/service-mesh'] = String(
+    !config.spec.dashboardConfig.disableServiceMesh,
+  );
+
   const notebookContainers = notebookAssembled.spec.template.spec.containers;
 
   if (!notebookContainers[0]) {

docs/dashboard_config.md

@@ -23,6 +23,7 @@ The following are a list of features that are supported, along with there defaul
 | disableProjectSharing        | false   | Disables Project Sharing from Data Science Projects.                                                 |
 | disableCustomServingRuntimes | false   | Disables Custom Serving Runtimes from the Admin Panel.                                               |
 | modelMetricsNamespace        | false   | Enables the namespace in which the Model Serving Metrics' Prometheus Operator is installed.          |
+| disableServiceMesh           | true    | Disables use of service mesh for routing and authorization.                                          |
 
 ## Defaults
 

frontend/src/__mocks__/mockDashboardConfig.ts

@@ -40,17 +40,18 @@ export const mockDashboardConfig = ({
   spec: {
     dashboardConfig: {
       enablement: true,
-      disableInfo,
-      disableSupport,
-      disableClusterManager,
-      disableTracking,
-      disableBYONImageStream,
-      disableISVBadges,
-      disableAppLauncher,
-      disableUserManagement,
-      disableProjects,
-      disableModelServing,
-      disableCustomServingRuntimes,
+      disableInfo: false,
+      disableSupport: false,
+      disableClusterManager: false,
+      disableTracking: true,
+      disableBYONImageStream: false,
+      disableISVBadges: false,
+      disableAppLauncher: false,
+      disableUserManagement: false,
+      disableProjects: false,
+      disableModelServing: false,
+      disableCustomServingRuntimes: false,
+      disableServiceMesh: true,
       modelMetricsNamespace: 'test-project',
       disablePipelines: false,
       disableProjectSharing: false,

frontend/src/api/k8s/notebooks.ts

@@ -25,11 +25,13 @@ import {
 } from '~/concepts/pipelines/elyra/utils';
 import { createRoleBinding } from '~/api';
 import { Volume, VolumeMount } from '~/types';
+import { DashboardConfig } from '~/types';
 import { assemblePodSpecOptions } from './utils';
 
 const assembleNotebook = (
   data: StartNotebookData,
   username: string,
+  dashboardConfig: DashboardConfig,
   canEnablePipelines?: boolean,
 ): NotebookKind => {
   const {
@@ -86,7 +88,12 @@ const assembleNotebook = (
         'notebooks.opendatahub.io/oauth-logout-url': `${origin}/projects/${projectName}?notebookLogout=${notebookId}`,
         'notebooks.opendatahub.io/last-size-selection': notebookSize.name,
         'notebooks.opendatahub.io/last-image-selection': imageSelection,
-        'notebooks.opendatahub.io/inject-oauth': 'true',
+        'notebooks.opendatahub.io/inject-oauth': String(
+          dashboardConfig.spec.dashboardConfig.disableServiceMesh,
+        ),
+        'opendatahub.io/service-mesh': String(
+          !dashboardConfig.spec.dashboardConfig.disableServiceMesh,
+        ),
         'opendatahub.io/username': username,
       },
       name: notebookId,
@@ -174,6 +181,18 @@ const getStopPatch = (): Patch => ({
   value: getStopPatchDataString(),
 });
 
+const getInjectOAuthPatch = (disableServiceMesh: boolean): Patch => ({
+  op: 'add',
+  path: '/metadata/annotations/notebooks.opendatahub.io~1inject-oauth',
+  value: String(disableServiceMesh),
+});
+
+const getServiceMeshPatch = (disableServiceMesh: boolean): Patch => ({
+  op: 'add',
+  path: '/metadata/annotations/opendatahub.io~1service-mesh',
+  value: String(!disableServiceMesh),
+});
+
 export const getNotebooks = (namespace: string): Promise<NotebookKind[]> =>
   k8sListResource<NotebookKind>({
     model: NotebookModel,
@@ -197,10 +216,14 @@ export const startNotebook = async (
   name: string,
   namespace: string,
   tolerationChanges: TolerationChanges,
+  dashboardConfig: DashboardConfig,
   enablePipelines?: boolean,
 ): Promise<NotebookKind> => {
-  const patches: Patch[] = [];
-  patches.push(startPatch);
+  const patches: Patch[] = [
+    startPatch,
+    getInjectOAuthPatch(dashboardConfig.spec.dashboardConfig.disableServiceMesh),
+    getServiceMeshPatch(dashboardConfig.spec.dashboardConfig.disableServiceMesh),
+  ];
 
   const tolerationPatch = getTolerationPatch(tolerationChanges);
   if (tolerationPatch) {
@@ -229,9 +252,10 @@ export const startNotebook = async (
 export const createNotebook = (
   data: StartNotebookData,
   username: string,
+  dashboardConfig: DashboardConfig,
   canEnablePipelines?: boolean,
 ): Promise<NotebookKind> => {
-  const notebook = assembleNotebook(data, username, canEnablePipelines);
+  const notebook = assembleNotebook(data, username, dashboardConfig, canEnablePipelines);
 
   const notebookPromise = k8sCreateResource<NotebookKind>({
     model: NotebookModel,
@@ -251,9 +275,10 @@ export const updateNotebook = (
   existingNotebook: NotebookKind,
   data: StartNotebookData,
   username: string,
+  dashboardConfig: DashboardConfig,
 ): Promise<NotebookKind> => {
   data.notebookId = existingNotebook.metadata.name;
-  const notebook = assembleNotebook(data, username);
+  const notebook = assembleNotebook(data, username, dashboardConfig);
 
   const oldNotebook = structuredClone(existingNotebook);
   const container = oldNotebook.spec.template.spec.containers[0];
@@ -274,9 +299,10 @@ export const updateNotebook = (
 export const createNotebookWithoutStarting = (
   data: StartNotebookData,
   username: string,
+  dashboardConfig: DashboardConfig,
 ): Promise<NotebookKind> =>
   new Promise((resolve, reject) =>
-    createNotebook(data, username).then((notebook) =>
+    createNotebook(data, username, dashboardConfig).then((notebook) =>
       setTimeout(
         () =>
           stopNotebook(notebook.metadata.name, notebook.metadata.namespace)
@@ -286,7 +312,6 @@ export const createNotebookWithoutStarting = (
       ),
     ),
   );
-
 export const deleteNotebook = (notebookName: string, namespace: string): Promise<K8sStatus> =>
   k8sDeleteResource<NotebookKind, K8sStatus>({
     model: NotebookModel,

frontend/src/api/k8s/routes.ts

@@ -1,6 +1,6 @@
 import { k8sGetResource } from '@openshift/dynamic-plugin-sdk-utils';
-import { RouteModel } from '~/api/models';
-import { K8sAPIOptions, RouteKind } from '~/k8sTypes';
+import { RouteModel, NamespaceModel } from '~/api/models';
+import { K8sAPIOptions, RouteKind, NamespaceKind } from '~/k8sTypes';
 import { applyK8sAPIOptions } from '~/api/apiMergeUtils';
 
 export const getRoute = (
@@ -14,3 +14,14 @@ export const getRoute = (
       queryOptions: { name, ns: namespace },
     }),
   );
+
+export const getServiceMeshGwHost = async (namespace: string): Promise<string | null> => {
+  const queryOptions = {
+    name: namespace,
+  };
+  const project = await k8sGetResource<NamespaceKind>({ model: NamespaceModel, queryOptions });
+  return (
+    project?.metadata?.annotations?.['service-mesh.opendatahub.io/public-gateway-host-external'] ||
+    null
+  );
+};