opendatahub-io · bartoszmajsak · Sep 6, 2023 · Sep 7, 2023 · Sep 13, 2023 · Sep 13, 2023
diff --git a/enabling-ossm.md b/enabling-ossm.md
@@ -1,6 +1,5 @@
 # Open Data Hub (ODH) Installation Guide with OpenShift Service Mesh (OSSM)
 
-
 This guide will walk you through the installation of Open Data Hub with OpenShift Service Mesh.
 
 ## Prerequisites
@@ -53,26 +52,25 @@ spec:
 EOF"    
 }
 ```
+
 You can use the function above to install all required operators:
 
 ```sh
-createSubscription "kiali-ossm"
-createSubscription "jaeger-product"
 createSubscription "servicemeshoperator"
+# Temporarily, we use our custom operator build until operator changes are merged.
 # createSubscription "opendatahub-operator" "community-operators"
-# temp, until operator changes are merged.
-operator-sdk run bundle quay.io/cgarriso/opendatahub-operator-bundle:dev-0.0.2 --namespace openshift-operators --timeout 5m0s
+operator-sdk run bundle quay.io/maistra-dev/opendatahub-operator-bundle:v0.0.10-plugin --namespace openshift-operators --timeout 5m0s
 createSubscription "authorino-operator" "community-operators" "alpha"
 ```
 
 > **Warning**
 >
-> You may need to manually finalize the installation of the Authorino operator via the Installed Operators tab in the OpenShift Console.
+> You may need to manually update the installation of the Authorino operator via the Installed Operators tab in the OpenShift Console.
 
 
 > **Warning**
 >
-> Make sure to configure the Service Mesh Control Plane, as we are patching it.
+> Please ensure that the Service Mesh Control Plane is properly configured as we apply patches to it. It is assumed that the installation has already been done.
 
 
 For example, the following commands configure a slimmed-down profile:
@@ -83,9 +81,9 @@ kubectl apply -n istio-system -f -<<EOF
 apiVersion: maistra.io/v2
 kind: ServiceMeshControlPlane
 metadata:
-  name: basic
+  name: minimal
 spec:
-  version: v2.3
+  version: v2.4
   tracing:
     type: None
   addons:
@@ -99,7 +97,7 @@ spec:
       name: kiali
       enabled: false
 EOF
-
+```
 
 ## Setting up Open Data Hub Project
 
@@ -113,61 +111,53 @@ cat <<'EOF' > odh-mesh.ign.yaml
 apiVersion: kfdef.apps.kubeflow.org/v1
 kind: KfDef
 metadata:
- name: odh-mesh
+  name: odh-mesh
 spec:
- applications:
- - kustomizeConfig:
-      parameters:
-        - name: namespace
-          value: istio-system
-      repoRef:
-        name: manifests
-        path: service-mesh/control-plane
-   name: control-plane
- - kustomizeConfig:
-      parameters:
-        - name: namespace
-          value: auth-provider
-      repoRef:
-        name: manifests
-        path: service-mesh/authorino
-   name: authorino  
- - kustomizeConfig:
-      overlays:
-        - service-mesh
-      repoRef:
-        name: manifests
-        path: odh-common
-   name: odh-common
- - kustomizeConfig:
-      overlays:
-        - service-mesh
-        - dev
-      repoRef:
-        name: manifests
-        path: odh-dashboard
-   name: odh-dashboard
- - kustomizeConfig:
-      overlays:
-        - service-mesh
-      repoRef:
-        name: manifests
-        path: odh-notebook-controller
-   name: odh-notebook-controller
- - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: odh-project-controller
-   name: odh-project-controller
- - kustomizeConfig:
-      repoRef:
-        name: manifests
-        path: notebook-images
-   name: notebook-images
- repos:
- - name: manifests
-   uri: https://github.com/maistra/odh-manifests/tarball/service-mesh-integration
- version: service-mesh-integration
+  plugins:
+    - kind: KfOssmPlugin
+      spec:
+        mesh:
+          name: minimal
+          namespace: istio-system
+          certificate:
+            generate: true
+        auth:
+          name: authorino
+          namespace: auth-provider
+          authorino:
+            label: authorino/topic=odh
+  applications:
+    - kustomizeConfig:
+        repoRef:
+          name: manifests
+          path: odh-common
+      name: odh-common
+    - kustomizeConfig:
+        overlays:
+          - dev
+        repoRef:
+          name: manifests
+          path: odh-dashboard
+      name: odh-dashboard
+    - kustomizeConfig:
+        repoRef:
+          name: manifests
+          path: odh-notebook-controller
+      name: odh-notebook-controller
+    - kustomizeConfig:
+        repoRef:
+          name: manifests
+          path: odh-project-controller
+      name: odh-project-controller
+    - kustomizeConfig:
+        repoRef:
+          name: manifests
+          path: notebook-images
+      name: notebook-images
+  repos:
+    - name: manifests
+      uri: https://github.com/maistra/odh-manifests/tarball/kf_ossm_plugin
+  version: kf_ossm_plugin
 EOF
 ```
 
@@ -223,7 +213,7 @@ export ODH_ROUTE=$(kubectl get route --all-namespaces -l maistra.io/gateway-name
 xdg-open https://$ODH_ROUTE > /dev/null 2>&1 &    
 ```
 
-## Troubleshooting and Tips
+## Troubleshooting
 
 If you encounter issues while trying to access the web app, follow the steps below to troubleshoot.
 
@@ -240,21 +230,24 @@ This can reveal errors like:
 * Wrong redirect URL
 * Mismatching secret between what OAuth client has defined and what is loaded for Envoy Filters.
 
-If the latter is the case (i.e., an error like `E0328 18:39:56.277217 1 access.go:177] osin: error=unauthorized_client, internal_error=<nil> get_client=client check failed, client_id=odh`)`, check if the token is the same everywhere by comparing the output of the following commands:
+If the latter is the case (i.e., an error like `E0328 18:39:56.277217 1 access.go:177] osin: error=unauthorized_client, internal_error=<nil> get_client=client check failed, client_id=${ODH_NS}-oauth2-client`)`, check if the token is the same everywhere by comparing the output of the following commands:
 
 
 ```sh
-kubectl get oauthclient.oauth.openshift.io odh
-kubectl exec $(kubectl get pods -n istio-system -l app=istio-ingressgateway  -o jsonpath='{.items[*].metadata.name}') -n istio-system -c istio-proxy -- cat /etc/istio/odh-oauth2/token-secret.yaml
-kubectl get secret istio-odh-oauth2 -n istio-system -o yaml
+kubectl get oauthclient.oauth.openshift.io ${ODH_NS}-oauth2-client
+kubectl exec $(kubectl get pods -n istio-system -l app=istio-ingressgateway  -o jsonpath='{.items[*].metadata.name}') -n istio-system -c istio-proxy -- cat /etc/istio/${ODH_NS}-oauth2-tokens/token-secret.yaml
+kubectl get secret ${ODH_NS}-oauth2-tokens -n istio-system -o yaml
 ```
-To read the actual value of secrets you could use a [`kubectl` plugin](https://github.com/elsesiy/kubectl-view-secret) instead. Then the last line would look as follows `kubectl view-secret istio-odh-oauth2 -n istio-system -a`.
+To read the actual value of secrets you could use a [`kubectl` plugin](https://github.com/elsesiy/kubectl-view-secret) instead. Then the last line would look as follows `kubectl view-secret ${ODH_NS}-oauth2-tokens -n istio-system -a`.
 
 The `i`stio-ingressgateway` pod might be out of sync (and so `EnvoyFilter` responsible for OAuth2 flow). Check its logs and consider restarting it:
 
 ```sh
 kubectl rollout restart deployment -n istio-system istio-ingressgateway  
 ```
+
+## Development tips
+
 ### Serving manifests locally
 
 #### Configure `CRC` to have acces to host network
@@ -300,4 +293,4 @@ sed -i'' -e 's,uri: .*,uri: '"http://${ip_address}:9898/odh-${ABBREV_HASH}.tar.g
 
 > **Note** 
 > 
-> `ip_address` might need an adjustment based on your network interface name.
+> `ip_address` might need an adjustment based on your network interface name.
diff --git a/odh-common/base/configmap.yaml b/odh-common/base/configmap.yaml
diff --git a/odh-common/base/kustomization.yaml b/odh-common/base/kustomization.yaml
@@ -11,11 +11,6 @@ commonLabels:
 configMapGenerator:
 - name: odh-common-config
   env: params.env
-- name: service-mesh-refs
-  literals:
-    - MESH_NAMESPACE=$(istioNamespace)
-    - CONTROL_PLANE_NAME=$(smcpName)
-
 generatorOptions:
   disableNameSuffixHash: true
 
@@ -27,20 +22,6 @@ vars:
     apiVersion: v1
   fieldref:
     fieldpath: data.namespace
-- name: istioNamespace
-  objref:
-    kind: ConfigMap
-    name: odh-common-config
-    apiVersion: v1
-  fieldref:
-    fieldpath: data.istioNamespace
-- name: smcpName
-  objref:
-    kind: ConfigMap
-    name: odh-common-config
-    apiVersion: v1
-  fieldref:
-    fieldpath: data.smcpName
 
 configurations:
 - params.yaml
diff --git a/odh-common/base/params.env b/odh-common/base/params.env
@@ -1,3 +1 @@
-namespace=opendatahub
-istioNamespace=istio-system
-smcpName=basic
+namespace=opendatahub
diff --git a/odh-common/base/params.yaml b/odh-common/base/params.yaml
@@ -1,16 +1,4 @@
 varReference:
 - path: spec/targetNamespaces
   kind: OperatorGroup
-  apiGroup: operators.coreos.com
-- path: spec/controlPlaneRef/name
-  kind: ServiceMeshMember
-  apiGroup: maistra.io/v1
-- path: spec/controlPlaneRef/namespace
-  kind: ServiceMeshMember
-  apiGroup: maistra.io/v1
-- path: data/CONTROL_PLANE_NAME
-  kind: ConfigMap
-  apiGroup: v1
-- path: data/MESH_NAMESPACE
-  kind: ConfigMap
-  apiGroup: v1
+  apiGroup: operators.coreos.com
diff --git a/odh-common/overlays/service-mesh/OWNERS b/odh-common/overlays/service-mesh/OWNERS
diff --git a/odh-common/overlays/service-mesh/kustomization.yaml b/odh-common/overlays/service-mesh/kustomization.yaml
diff --git a/odh-common/overlays/service-mesh/smm.yaml b/odh-common/overlays/service-mesh/smm.yaml
diff --git a/odh-dashboard/base/kustomization.yaml b/odh-dashboard/base/kustomization.yaml
@@ -3,32 +3,28 @@ kind: Kustomization
 commonLabels:
   app: odh-dashboard
   app.kubernetes.io/part-of: odh-dashboard
-
 resources:
-- ../apps
-- ../modelserving
-- role.yaml
-- cluster-role.yaml
-- service-account.yaml
-- role-binding.yaml
-- cluster-role-binding.yaml
-- auth-delegator.clusterrolebinding.yaml
-- cluster-monitoring-role-binding.yaml
-- deployment.yaml
-- routes.yaml
-- service.yaml
-- oauth.secret.yaml
-- fetch-builds-and-images.rbac.yaml
-- image-puller.clusterrolebinding.yaml
-- model-serving-role.yaml
-- model-serving-role-binding.yaml
-
+  - ../apps
+  - ../modelserving
+  - role.yaml
+  - cluster-role.yaml
+  - service-account.yaml
+  - role-binding.yaml
+  - cluster-role-binding.yaml
+  - auth-delegator.clusterrolebinding.yaml
+  - cluster-monitoring-role-binding.yaml
+  - deployment.yaml
+  - routes.yaml
+  - service.yaml
+  - oauth.secret.yaml
+  - fetch-builds-and-images.rbac.yaml
+  - image-puller.clusterrolebinding.yaml
+  - model-serving-role.yaml
+  - model-serving-role-binding.yaml
 images:
 - name: odh-dashboard
-  ## FIXME: Temporary until odh-dashboard PR is merged upstream
-  newName: quay.io/maistra-dev/odh-dashboard
-  newTag: ossm_annotations
+  newName: quay.io/opendatahub/odh-dashboard
+  digest: sha256:4478d3830a30058fb87ed3e94dfdc615bf7517fddbd8490d6e2563263a0752fb
 - name: oauth-proxy
   newName: registry.redhat.io/openshift4/ose-oauth-proxy
-  newTag: sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33
-
+  digest: sha256:ab112105ac37352a2a4916a39d6736f5db6ab4c29bad4467de8d613e80e9bb33
diff --git a/odh-dashboard/overlays/dev/deployment-resources-patch.yaml b/odh-dashboard/overlays/dev/deployment-resources-patch.yaml
@@ -9,4 +9,4 @@
 
 - op: replace
   path: /spec/template/spec/containers/0/readinessProbe/periodSeconds
-  value: 300
+  value: 300
diff --git a/odh-dashboard/overlays/service-mesh/dashboard-config.yaml b/odh-dashboard/overlays/service-mesh/dashboard-config.yaml
diff --git a/odh-dashboard/overlays/service-mesh/job-role-binding.yaml b/odh-dashboard/overlays/service-mesh/job-role-binding.yaml