forked from opendatahub-io/opendatahub-operator
feat(authz): Authorino for Service Mesh (opendatahub-io#784)

* feat(authz): Authorino for Service Mesh

  This first iteration is to cover authentication needs for KServe

  * Add templates to install Authorino
  * Add templates to configure Service Mesh to use Authorino to delegate Authorization
  * Add KServe-specific templates to add the ability to secure KServe Inference Services
  * Add relevant fields to DSCInitialization resource
  * Code for proper cleanup, in case of uninstalling

  Most (if not all) of this code comes from pull request opendatahub-io#605.
  Attribution to original authors: @bartoszmajsak, @aslakknutsen, @cam-garrison, et al.

  Related opendatahub-io/kserve#128

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Fix linter issues

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Resolve feedback: Bartosz

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* fix: Remove port from the authorization policy

  Also, add `/metrics` to the ignored paths for auth.

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Fix feedback: Bartosz

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* More feedback: Bartosz

  Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com>

* Fix feedback: Reto - Adjust AuthorizationPolicy

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Fix more feedback: Bartosz

  - Remove Authorino namespace field from DSCI.
  - Move around some code in kserve.go to servicemesh_setup.go

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* chore: adds sec. prefix to authorino label selector
* fix: adds base dir to manifest sources
* chore: uses security instead of sec as a prefix in authorino label
* fix: /healthz is called by _something_, skipp
* fix: adopt ODH-ADR-0006 for clean up label
* fix: uses correct CRD name for authconfigs

  Co-authored-by: Cameron Garrison <cgarriso@redhat.com>

* Remove left-over file

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Feedback: remove auth-refs ConfigMap

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Add missing role.yaml changes

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Go back to installing Authorino on its own namespace

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Feedback: Add clean-up for KServe/OSSM-auth

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Feedback: Simplify namings

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* fix: add auth-refs cm
* Feedback: adjust labels and a log message

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Bugfix: Extension provider terminating with error when SMCP is gone

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Fix: add missing RBAC for ConfigMaps func

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Fix: Run `make bundle` and commit resulting changes

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Feedback: Wen - Better feature namings

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Feedback: Bartosz

  * Use feature logger
  * Don't trim -applications suffix on ResolveAuthNamespace

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

* Feedback: Wen - revert image placeholder was replaced

  Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>

---------

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com>
Co-authored-by: Aslak Knutsen <aslak@4fs.no>
Co-authored-by: Cameron Garrison <cgarriso@redhat.com>
(cherry picked from commit e32a7c2)
1 parent 6b7ee56, commit ed731c8
Showing 29 changed files with 654 additions and 43 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
package kserve | ||
|
||
import ( | ||
"path" | ||
|
||
operatorv1 "github.com/openshift/api/operator/v1" | ||
|
||
dsciv1 "github.com/opendatahub-io/opendatahub-operator/v2/apis/dscinitialization/v1" | ||
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature" | ||
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh" | ||
) | ||
|
||
func (k *Kserve) configureServiceMesh(dscispec *dsciv1.DSCInitializationSpec) error { | ||
if dscispec.ServiceMesh.ManagementState == operatorv1.Managed && k.GetManagementState() == operatorv1.Managed { | ||
serviceMeshInitializer := feature.ComponentFeaturesHandler(k, dscispec, k.defineServiceMeshFeatures()) | ||
return serviceMeshInitializer.Apply() | ||
} | ||
if dscispec.ServiceMesh.ManagementState == operatorv1.Unmanaged && k.GetManagementState() == operatorv1.Managed { | ||
return nil | ||
} | ||
|
||
return k.removeServiceMeshConfigurations(dscispec) | ||
} | ||
|
||
func (k *Kserve) removeServiceMeshConfigurations(dscispec *dsciv1.DSCInitializationSpec) error { | ||
serviceMeshInitializer := feature.ComponentFeaturesHandler(k, dscispec, k.defineServiceMeshFeatures()) | ||
return serviceMeshInitializer.Delete() | ||
} | ||
|
||
func (k *Kserve) defineServiceMeshFeatures() feature.FeaturesProvider { | ||
return func(handler *feature.FeaturesHandler) error { | ||
kserveExtAuthzErr := feature.CreateFeature("kserve-external-authz"). | ||
For(handler). | ||
Manifests( | ||
path.Join(feature.KServeDir), | ||
). | ||
WithData(servicemesh.ClusterDetails). | ||
Load() | ||
|
||
if kserveExtAuthzErr != nil { | ||
return kserveExtAuthzErr | ||
} | ||
|
||
return nil | ||
} | ||
} |
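Review bot: the middle branch of `configureServiceMesh` (ServiceMesh `Unmanaged`, KServe `Managed`) returns `nil` silently, so KServe is reconciled without the `kserve-external-authz` feature and nothing records that the cluster admin is now responsible for authorization on the inference endpoints; log at that point (the commit message says the feature logger is already in use) and state the expectation in the DSCI field documentation. The fall-through to `removeServiceMeshConfigurations` also catches every state other than the two tested, including an unset/empty `ManagementState`, so confirm that DSCI defaulting sets `serviceMesh.managementState` to `Managed`; otherwise a DSCI that omits the field deletes the authz manifests on the next reconcile. If `DSCInitializationSpec.ServiceMesh` is a pointer field (its type is not visible in this hunk), the first `if` needs a nil guard before reading `.ManagementState`. Minor: `path.Join(feature.KServeDir)` with a single argument is a no-op, so pass `feature.KServeDir` directly, and the `kserveExtAuthzErr` check can collapse to returning the `Load()` result.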