Skip to content

Commit

Permalink
Trust OpenShift service CA in kserve-router
Browse files Browse the repository at this point in the history 
This changes kserve-controller to mount the OpenShift Service CA bundle into kserve-router container and a configures it to trust the bundle. This affects InferenceGraph deployed in Serverless mode.

With these changes, InferenceGraphs will work correctly when deployed without an Istio sidecar.

These changes are needed because in ODH the InferenceServices are secured with TLS. The internal endpoints (which are the ones InferenceGraph uses) are using OpenShift service serving certificates.

Related to: https://issues.redhat.com/browse/RHOAIENG-13448

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
  • Loading branch information
@israel-hdez
israel-hdez committed Nov 28, 2024
1 parent f7ec4b6 commit 1455c07
Show file tree
Hide file tree
Showing 3 changed files with 100 additions and 5 deletions.
5 changes: 5 additions & 0 deletions pkg/constants/constants.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -499,6 +499,11 @@ var (
MultiNodeHead = "head"
)

// OpenShift constants
const (
OpenShiftServiceCaConfigMapName = "openshift-service-ca.crt"
)

// GetRawServiceLabel generate native service label
func GetRawServiceLabel(service string) string {
return "isvc." + service
Expand Down
66 changes: 66 additions & 0 deletions pkg/controller/v1alpha1/inferencegraph/controller_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,10 @@ var _ = Describe("Inference Graph controller test", func() {
{
Image: "kserve/router:v0.10.0",
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
{
Name: "PROPAGATE_HEADERS",
Value: "Authorization,Intuit_tid",
Expand Down Expand Up @@ -175,9 +179,27 @@ var _ = Describe("Inference Graph controller test", func() {
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
},
},
AutomountServiceAccountToken: proto.Bool(false),
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
},
},
},
Expand Down Expand Up @@ -283,6 +305,10 @@ var _ = Describe("Inference Graph controller test", func() {
{
Image: "kserve/router:v0.10.0",
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
{
Name: "PROPAGATE_HEADERS",
Value: "Authorization,Intuit_tid",
Expand Down Expand Up @@ -311,9 +337,27 @@ var _ = Describe("Inference Graph controller test", func() {
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
},
},
AutomountServiceAccountToken: proto.Bool(false),
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
},
},
},
Expand Down Expand Up @@ -433,6 +477,10 @@ var _ = Describe("Inference Graph controller test", func() {
{
Image: "kserve/router:v0.10.0",
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
{
Name: "PROPAGATE_HEADERS",
Value: "Authorization,Intuit_tid",
Expand Down Expand Up @@ -461,6 +509,12 @@ var _ = Describe("Inference Graph controller test", func() {
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
},
},
Affinity: &v1.Affinity{
Expand All @@ -487,6 +541,18 @@ var _ = Describe("Inference Graph controller test", func() {
},
},
AutomountServiceAccountToken: proto.Bool(false),
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
},
},
},
Expand Down
34 changes: 29 additions & 5 deletions pkg/controller/v1alpha1/inferencegraph/knative_reconciler.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,30 @@ func createKnativeService(componentMeta metav1.ObjectMeta, graph *v1alpha1api.In
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
},
},
},
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
Affinity: graph.Spec.Affinity,
Expand All @@ -217,12 +241,12 @@ func createKnativeService(componentMeta metav1.ObjectMeta, graph *v1alpha1api.In
// Only adding this env variable "PROPAGATE_HEADERS" if router's headers config has the key "propagate"
value, exists := config.Headers["propagate"]
if exists {
service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env = []v1.EnvVar{
{
Name: constants.RouterHeadersPropagateEnvVar,
Value: strings.Join(value, ","),
},
propagateEnv := v1.EnvVar{
Name: constants.RouterHeadersPropagateEnvVar,
Value: strings.Join(value, ","),
}

service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env = append(service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env, propagateEnv)
}
return service
}
Expand Down

0 comments on commit 1455c07

Please sign in to comment.