trustyai-explainability · ruivieira · Nov 28, 2023 · Nov 2, 2023 · Nov 6, 2023 · Nov 7, 2023
diff --git a/config/base/kustomization.yaml b/config/base/kustomization.yaml
@@ -37,4 +37,11 @@ vars:
       name: config
       apiVersion: v1
     fieldref:
-      fieldpath: data.trustyaiOperatorImage
+      fieldpath: data.trustyaiOperatorImage
+  - name: oauthProxyImage
+    objref:
+      kind: ConfigMap
+      name: config
+      apiVersion: v1
+    fieldref:
+      fieldpath: data.oauthProxyImage
diff --git a/config/base/params.env b/config/base/params.env
@@ -1,2 +1,3 @@
 trustyaiServiceImage=quay.io/trustyai/trustyai-service:latest
-trustyaiOperatorImage=quay.io/trustyai/trustyai-service-operator:latest
+trustyaiOperatorImage=quay.io/trustyai/trustyai-service-operator:latest
+oauthProxyImage=registry.redhat.io/openshift4/ose-oauth-proxy:latest
diff --git a/config/rbac/auth-delegator.yml b/config/rbac/auth-delegator.yml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: controller-manager
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -37,6 +37,29 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -103,6 +126,17 @@ rules:
   - create
   - list
   - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - route.openshift.io
   resources:

diff --git a/controllers/config_maps.go b/controllers/config_maps.go
@@ -0,0 +1,46 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// getImageFromConfigMap gets a custom image value from a ConfigMap in the operator's namespace
+func (r *TrustyAIServiceReconciler) getImageFromConfigMap(ctx context.Context, key string, defaultImage string) (string, error) {
+	if r.Namespace != "" {
+		// Define the key for the ConfigMap
+		configMapKey := types.NamespacedName{
+			Namespace: r.Namespace,
+			Name:      imageConfigMap,
+		}
+
+		// Create an empty ConfigMap object
+		var cm corev1.ConfigMap
+
+		// Try to get the ConfigMap
+		if err := r.Get(ctx, configMapKey, &cm); err != nil {
+			if errors.IsNotFound(err) {
+				// ConfigMap not found, fallback to default values
+				return defaultImage, nil
+			}
+			// Other error occurred when trying to fetch the ConfigMap
+			return defaultImage, fmt.Errorf("error reading configmap %s", configMapKey)
+		}
+
+		// ConfigMap is found, extract the image and tag
+		image, ok := cm.Data[key]
+
+		if !ok {
+			// One or both of the keys are not present in the ConfigMap, return error
+			return defaultImage, fmt.Errorf("configmap %s does not contain necessary keys", configMapKey)
+		}
+
+		// Return the image and tag
+		return image, nil
+	} else {
+		return defaultImage, nil
+	}
+}
diff --git a/controllers/config_maps_test.go b/controllers/config_maps_test.go
@@ -0,0 +1,147 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+var _ = Describe("ConfigMap tests", func() {
+
+	BeforeEach(func() {
+		recorder = record.NewFakeRecorder(10)
+		k8sClient = fake.NewClientBuilder().WithScheme(scheme.Scheme).Build()
+		reconciler = &TrustyAIServiceReconciler{
+			Client:        k8sClient,
+			Scheme:        scheme.Scheme,
+			EventRecorder: recorder,
+			Namespace:     operatorNamespace,
+		}
+		ctx = context.Background()
+	})
+
+	AfterEach(func() {
+		// Attempt to delete the ConfigMap
+		configMap := &corev1.ConfigMap{}
+		err := k8sClient.Get(ctx, types.NamespacedName{
+			Namespace: operatorNamespace,
+			Name:      imageConfigMap,
+		}, configMap)
+
+		// If the ConfigMap exists, delete it
+		if err == nil {
+			Expect(k8sClient.Delete(ctx, configMap)).To(Succeed())
+		} else if !apierrors.IsNotFound(err) {
+			Fail(fmt.Sprintf("Unexpected error while getting ConfigMap: %s", err))
+		}
+	})
+
+	Context("When deploying a ConfigMap to the operator's namespace", func() {
+
+		It("Should get back the correct values", func() {
+
+			serviceImage := "custom-service-image:foo"
+			oauthImage := "custom-oauth-proxy:bar"
+
+			WaitFor(func() error {
+				configMap := createConfigMap(operatorNamespace, oauthImage, serviceImage)
+				return k8sClient.Create(ctx, configMap)
+			}, "failed to create ConfigMap")
+
+			var actualOAuthImage string
+			var actualServiceImage string
+
+			WaitFor(func() error {
+				var err error
+				actualOAuthImage, err = reconciler.getImageFromConfigMap(ctx, configMapOAuthProxyImageKey, defaultOAuthProxyImage)
+				return err
+			}, "failed to get oauth image from ConfigMap")
+
+			WaitFor(func() error {
+				var err error
+				actualServiceImage, err = reconciler.getImageFromConfigMap(ctx, configMapServiceImageKey, defaultImage)
+				return err
+			}, "failed to get service image from ConfigMap")
+
+			Expect(actualOAuthImage).Should(Equal(oauthImage))
+			Expect(actualServiceImage).Should(Equal(serviceImage))
+		})
+	})
+
+	Context("When no ConfigMap in the operator's namespace", func() {
+
+		It("Should get back the default values", func() {
+
+			var actualOAuthImage string
+			var actualServiceImage string
+
+			WaitFor(func() error {
+				var err error
+				actualOAuthImage, err = reconciler.getImageFromConfigMap(ctx, configMapOAuthProxyImageKey, defaultOAuthProxyImage)
+				return err
+			}, "failed to get oauth image from ConfigMap")
+
+			WaitFor(func() error {
+				var err error
+				actualServiceImage, err = reconciler.getImageFromConfigMap(ctx, configMapServiceImageKey, defaultImage)
+				return err
+			}, "failed to get service image from ConfigMap")
+
+			Expect(actualOAuthImage).Should(Equal(defaultOAuthProxyImage))
+			Expect(actualServiceImage).Should(Equal(defaultImage))
+		})
+	})
+
+	Context("When deploying a ConfigMap to the operator's namespace with the wrong keys", func() {
+
+		It("Should get back the default values", func() {
+
+			serviceImage := "custom-service-image:foo"
+			oauthImage := "custom-oauth-proxy:bar"
+
+			WaitFor(func() error {
+				configMap := &corev1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      imageConfigMap,
+						Namespace: operatorNamespace,
+					},
+					Data: map[string]string{
+						"foo-oauth-image": oauthImage,
+						"foo-image":       serviceImage,
+					},
+				}
+				return k8sClient.Create(ctx, configMap)
+			}, "failed to create ConfigMap")
+
+			var actualOAuthImage string
+			var actualServiceImage string
+
+			configMapPath := operatorNamespace + "/" + imageConfigMap
+
+			Eventually(func() error {
+				var err error
+				actualOAuthImage, err = reconciler.getImageFromConfigMap(ctx, configMapOAuthProxyImageKey, defaultOAuthProxyImage)
+				return err
+			}, defaultTimeout, defaultPolling).Should(MatchError(fmt.Sprintf("configmap %s does not contain necessary keys", configMapPath)), "failed to get oauth image from ConfigMap")
+
+			Eventually(func() error {
+				var err error
+				actualServiceImage, err = reconciler.getImageFromConfigMap(ctx, configMapServiceImageKey, defaultImage)
+				return err
+			}, defaultTimeout, defaultPolling).Should(MatchError(fmt.Sprintf("configmap %s does not contain necessary keys", configMapPath)), "failed to get oauth image from ConfigMap")
+
+			Expect(actualOAuthImage).Should(Equal(defaultOAuthProxyImage))
+			Expect(actualServiceImage).Should(Equal(defaultImage))
+		})
+	})
+
+})
diff --git a/controllers/constants.go b/controllers/constants.go
@@ -15,6 +15,21 @@ const (
 	defaultRequeueDelay  = time.Minute
 )
 
+// Configuration constants
+const (
+	imageConfigMap              = "trustyai-service-operator-config"
+	configMapOAuthProxyImageKey = "oauthProxyImage"
+	configMapServiceImageKey    = "trustyaiServiceImage"
+)
+
+// OAuth constants
+const (
+	OAuthServicePort       = 443
+	OAuthName              = "oauth-proxy"
+	OAuthServicePortName   = "oauth-proxy"
+	defaultOAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
+)
+
 // Status types
 const (
 	StatusTypeInferenceServicesPresent = "InferenceServicesPresent"

diff --git a/controllers/deployment.go b/controllers/deployment.go
@@ -2,6 +2,8 @@ package controllers
 
 import (
 	"context"
+	"strconv"
+
 	trustyaiopendatahubiov1alpha1 "github.com/trustyai-explainability/trustyai-service-operator/api/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -10,12 +12,13 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log"
-	"strconv"
 )
 
+// createDeploymentObject returns a Deployment for the TrustyAI Service instance
 func (r *TrustyAIServiceReconciler) createDeploymentObject(ctx context.Context, cr *trustyaiopendatahubiov1alpha1.TrustyAIService, image string) *appsv1.Deployment {
 	labels := getCommonLabels(cr.Name)
 	pvcName := generatePVCName(cr)
+	serviceAccountName := generateServiceAccountName(cr)
 
 	replicas := int32(1)
 	if cr.Spec.Replicas == nil {
@@ -29,6 +32,15 @@ func (r *TrustyAIServiceReconciler) createDeploymentObject(ctx context.Context,
 		batchSize = *cr.Spec.Metrics.BatchSize
 	}
 
+	// Create the OAuth-Proxy container spec
+
+	// Get OAuth-proxy image from ConfigMap
+	oauthProxyImage, err := r.getImageFromConfigMap(ctx, configMapOAuthProxyImageKey, defaultOAuthProxyImage)
+	if err != nil {
+		log.FromContext(ctx).Error(err, "Error getting OAuth image from ConfigMap. Using the default image value of "+defaultOAuthProxyImage)
+	}
+	oauthProxyContainer := generateOAuthProxyContainer(cr, oauthProxyImage)
+
 	containers := []corev1.Container{
 		{
 			Name:  containerName,
@@ -67,8 +79,23 @@ func (r *TrustyAIServiceReconciler) createDeploymentObject(ctx context.Context,
 				},
 			},
 		},
+		oauthProxyContainer,
 	}
 
+	volume := corev1.Volume{
+
+		Name: volumeMountName,
+		VolumeSource: corev1.VolumeSource{
+			PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+				ClaimName: pvcName,
+				ReadOnly:  false,
+			},
+		},
+	}
+	volumes := generateOAuthVolumes(cr, OAuthConfig{ProxyImage: defaultOAuthProxyImage})
+
+	volumes = append(volumes, volume)
+
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      cr.Name,
@@ -90,18 +117,9 @@ func (r *TrustyAIServiceReconciler) createDeploymentObject(ctx context.Context,
 					},
 				},
 				Spec: corev1.PodSpec{
-					Containers: containers,
-					Volumes: []corev1.Volume{
-						{
-							Name: volumeMountName,
-							VolumeSource: corev1.VolumeSource{
-								PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
-									ClaimName: pvcName,
-									ReadOnly:  false,
-								},
-							},
-						},
-					},
+					ServiceAccountName: serviceAccountName,
+					Containers:         containers,
+					Volumes:            volumes,
 				},
 			},
 		},
@@ -148,7 +166,7 @@ func (r *TrustyAIServiceReconciler) ensureDeployment(ctx context.Context, instan
 	// Get image and tag from ConfigMap
 	// If there's a ConfigMap with custom images, it is only applied when the operator is first deployed
 	// Changing (or creating) the ConfigMap after the operator is deployed will not have any effect
-	image, err := r.getImageFromConfigMap(ctx)
+	image, err := r.getImageFromConfigMap(ctx, configMapServiceImageKey, defaultImage)
 	if err != nil {
 		return err
 	}