

Trust OpenShift service CA in kserve-router
This changes kserve-controller to mount the OpenShift Service CA bundle into the kserve-router container and configures it to trust the bundle. This affects InferenceGraphs deployed in Serverless mode.

With these changes, InferenceGraphs will work correctly when deployed without an Istio sidecar.

These changes are needed because in ODH the InferenceServices are secured with TLS. The internal endpoints (which are the ones InferenceGraph uses) are using OpenShift service serving certificates.

Related to: https://issues.redhat.com/browse/RHOAIENG-13448

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
israel-hdez committed Nov 28, 2024
1 parent 1382a8e commit 9675012
Showing 3 changed files with 100 additions and 5 deletions.
5 changes: 5 additions & 0 deletions pkg/constants/constants.go
@@ -496,6 +496,11 @@ var (
MultiNodeHead = "head"
)

// OpenShift constants
const (
OpenShiftServiceCaConfigMapName = "openshift-service-ca.crt"
)

// GetRawServiceLabel generate native service label
func GetRawServiceLabel(service string) string {
return "isvc." + service
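Review bot: OpenShiftServiceCaConfigMapName is exported without a doc comment that starts with its name; the group comment `// OpenShift constants` does not serve as its godoc. Suggest `// OpenShiftServiceCaConfigMapName is the ConfigMap holding the OpenShift service CA bundle that is mounted into the kserve-router container.` This hunk names only the ConfigMap, while the volume name, mount path and bundle file name used with it in knative_reconciler.go and controller_test.go remain string literals; adding `OpenShiftServiceCaBundleVolumeName = "openshift-service-ca-bundle"`, `OpenShiftServiceCaBundleMountPath = "/etc/odh/openshift-service-ca-bundle"` and `OpenShiftServiceCaBundleFileName = "service-ca.crt"` beside it would keep the four values from drifting apart.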
66 changes: 66 additions & 0 deletions pkg/controller/v1alpha1/inferencegraph/controller_test.go
@@ -147,6 +147,10 @@ var _ = Describe("Inference Graph controller test", func() {
{
Image: "kserve/router:v0.10.0",
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
{
Name: "PROPAGATE_HEADERS",
Value: "Authorization,Intuit_tid",
@@ -175,9 +179,27 @@ var _ = Describe("Inference Graph controller test", func() {
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
},
},
AutomountServiceAccountToken: proto.Bool(false),
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
},
},
},
@@ -283,6 +305,10 @@ var _ = Describe("Inference Graph controller test", func() {
{
Image: "kserve/router:v0.10.0",
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
{
Name: "PROPAGATE_HEADERS",
Value: "Authorization,Intuit_tid",
@@ -311,9 +337,27 @@ var _ = Describe("Inference Graph controller test", func() {
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
},
},
AutomountServiceAccountToken: proto.Bool(false),
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
},
},
},
@@ -433,6 +477,10 @@ var _ = Describe("Inference Graph controller test", func() {
{
Image: "kserve/router:v0.10.0",
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
{
Name: "PROPAGATE_HEADERS",
Value: "Authorization,Intuit_tid",
@@ -461,6 +509,12 @@ var _ = Describe("Inference Graph controller test", func() {
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
},
},
Affinity: &v1.Affinity{
@@ -487,6 +541,18 @@ var _ = Describe("Inference Graph controller test", func() {
},
},
AutomountServiceAccountToken: proto.Bool(false),
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
},
},
},
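Review bot: All three expectations in this section cover the case where `PROPAGATE_HEADERS` is configured, so the ordering the reconciler now relies on — `SSL_CERT_FILE` set in the container literal, the propagate variable appended after it — is never checked on its own. If no case elsewhere in the file exercises a router config without the `propagate` key, a fourth expectation whose `Env` holds only the `SSL_CERT_FILE` entry would pin that the CA environment variable does not depend on header configuration.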
34 changes: 29 additions & 5 deletions pkg/controller/v1alpha1/inferencegraph/knative_reconciler.go
@@ -203,6 +203,30 @@ func createKnativeService(componentMeta metav1.ObjectMeta, graph *v1alpha1api.In
Drop: []v1.Capability{v1.Capability("ALL")},
},
},
VolumeMounts: []v1.VolumeMount{
{
Name: "openshift-service-ca-bundle",
MountPath: "/etc/odh/openshift-service-ca-bundle",
},
},
Env: []v1.EnvVar{
{
Name: "SSL_CERT_FILE",
Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
},
},
},
},
Volumes: []v1.Volume{
{
Name: "openshift-service-ca-bundle",
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: constants.OpenShiftServiceCaConfigMapName,
},
},
},
},
},
Affinity: graph.Spec.Affinity,
@@ -217,12 +241,12 @@ func createKnativeService(componentMeta metav1.ObjectMeta, graph *v1alpha1api.In
// Only adding this env variable "PROPAGATE_HEADERS" if router's headers config has the key "propagate"
value, exists := config.Headers["propagate"]
if exists {
service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env = []v1.EnvVar{
{
Name: constants.RouterHeadersPropagateEnvVar,
Value: strings.Join(value, ","),
},
propagateEnv := v1.EnvVar{
Name: constants.RouterHeadersPropagateEnvVar,
Value: strings.Join(value, ","),
}

service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env = append(service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env, propagateEnv)
}
return service
}
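Review bot: The ConfigMap volume added in the first hunk is not marked optional, so on a cluster where `openshift-service-ca.crt` does not exist in the namespace the router pod stays in ContainerCreating and the whole Serverless InferenceGraph fails to come up, not just its TLS calls. If this controller is still expected to run outside OpenShift, either set `Optional: proto.Bool(true)` on the ConfigMapVolumeSource or gate the volume and the `SSL_CERT_FILE` entry on an OpenShift check; if it is not, a short comment on the Volumes entry stating that the ConfigMap is assumed to be present in every namespace would record the assumption. Separately, assuming the router is the Go binary, Go's root-CA loader treats `SSL_CERT_FILE` as a replacement for its default certificate file list rather than an addition, so whether public CAs remain trusted after this change depends on the image's certificate directory layout — worth confirming if any graph step may target an endpoint outside the cluster. createKnativeService begins before the first hunk.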
