Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] Integrated OpenDataHub Centralized Custom Certificate #166

Merged
merged 9 commits into from
Feb 23, 2024
Merged

[Feature] Integrated OpenDataHub Centralized Custom Certificate #166

merged 9 commits into from
Feb 23, 2024

Conversation

Jooho
Copy link
Contributor

@Jooho Jooho commented Feb 22, 2024
edited
Loading

Description

OpenDataHub Centralized Cert PR has been merged.
KServe can now integrate with the centralized certificate as a result of this change.
This PR facilitates the update of the storage-config secret, which includes the custom certificate.
More details about the issue can be found here.

How Has This Been Tested?

Setup
Manual

  1. install ossm/serverless operators
  2. create this catalogsource
cat << EOF|oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: rhods-catalog-dev
  namespace: openshift-marketplace
spec:
  displayName: Red Hat OpenShift Data Science
  publisher: RHODS Development Catalog
  image: quay.io/opendatahub/opendatahub-operator-catalog:v2.8.0-incubation
  sourceType: grpc
EOF
  1. install rhods v2.8.0-incubation operator
  2. create dsci
  3. update dsci
kubectl patch DSCInitialization default-dsci --type='json' -p='[{"op": "add", "path": "/spec/trustedCABundle", "value": {"managementState": "Managed", "customCABundle": ""}}]'
  1. create dsc (Managed for dashboard/kserve)
  2. deploy ssl minio for test
# SSL Minio 
export MINIO_DEMO_HOME=/tmp/demo
mkdir $MINIO_DEMO_HOME
cd $MINIO_DEMO_HOME
git clone git@github.com:Jooho/jhouse_openshift.git
cd jhouse_openshift/Minio/minio-tls-kserve/
source env.sh
./1.setup.sh 
./2.generate-cert.sh 

./3.deploy-minio.sh 
cp ${DEMO_HOME}/minio_certs/root.crt   ${DEMO_HOME}/minio_certs/cabundle.crt
cp ${DEMO_HOME}/minio_certs/cabundle.crt $MINIO_DEMO_HOME/.
  1. create a DS namespace
oc new-project kserve-demo 
oc label ns/kserve-demo opendatahub.io/dashboard="true"
  1. Deploy Sample Caikit ISVC for KServe (script

Script
(NOTE) This was tested on fedora only.

git clone   git@github.com:Jooho/loopy.git
cd loopy
make init
cat cluster_info.sh
CLUSTER_CONSOLE_URL=https://console-openshift-console.XXXX
CLUSTER_API_URL=https://api.XXX:443
CLUSTER_ADMIN_ID=admin
CLUSTER_ADMIN_PW=password
CLUSTER_TOKEN=sha256~XXX
CLUSTER_TYPE=ROSA

./loopy playbooks run setup-rhoai-for-global-cert -i ./cluster_info.sh

Set root.crt path

ls /tmp/ms_cli
20240222_XXX

#replace the XXX to yours
export crt_content=/tmp/ms_cli/20240222_XXX/artifacts/8-cert-generate/root.crt

TEST
1. Create a dataconnection

1-1. without global cert

#Create a dataconnection
cat <<EOF |oc apply -f -
kind: Secret
apiVersion: v1
metadata:
  name: aws-connection-minio
  labels:
    opendatahub.io/dashboard: 'true'
    opendatahub.io/managed: 'true'
  annotations:
    opendatahub.io/connection-type: s3
    openshift.io/display-name: minio
stringData:
  AWS_ACCESS_KEY_ID: admin
  AWS_DEFAULT_REGION: us-east-1
  AWS_S3_BUCKET: modelmesh-example-models
  AWS_S3_ENDPOINT: https://minio.minio.svc:9000
  AWS_SECRET_ACCESS_KEY: password
EOF

# It is the usual storage-config secret
oc get secret storage-config -o yaml

1-2. with global cert

# Clear data connection
oc delete secret aws-connection-minio

# Update global cert in dsci
kubectl patch dscinitialization default-dsci --type='json' -p='[{"op":"replace","path":"/spec/trustedCABundle/customCABundle","value":"'"$(awk '{printf "%s\\n", $0}' $crt_content)"'"}]'

# new configmap created for kserve
oc get cm odh-kserve-custom-ca-bundle 

# Create a dataconnection
cat <<EOF |oc apply -f -
kind: Secret
apiVersion: v1
metadata:
  name: aws-connection-minio
  labels:
    opendatahub.io/dashboard: 'true'
    opendatahub.io/managed: 'true'
  annotations:
    opendatahub.io/connection-type: s3
    openshift.io/display-name: minio
stringData:
  AWS_ACCESS_KEY_ID: admin
  AWS_DEFAULT_REGION: us-east-1
  AWS_S3_BUCKET: modelmesh-example-models
  AWS_S3_ENDPOINT: https://minio.minio.svc:9000
  AWS_SECRET_ACCESS_KEY: password
EOF

# storage-config will have certificate information
oc get secret storage-config -o yaml

2. Update global cert

#update global custom cert
kubectl patch dscinitialization default-dsci --type='json' -p='[{"op":"replace","path":"/spec/trustedCABundle/customCABundle","value":"ABC"}]'
# 2-1. updated kserve cm 
oc get cm odh-kserve-custom-ca-bundle -o yaml
# 2-2. updated storage-config
oc get secret storage-config -o yaml

3. KServe test

kubectl patch dscinitialization default-dsci --type='json' -p='[{"op":"replace","path":"/spec/trustedCABundle/customCABundle","value":"'"$(awk '{printf "%s\\n", $0}' $crt_content)"'"}]'
oc delete pod --all -n kserve-demo

4. ModelMesh test

oc label namespace kserve-demo modelmesh-enabled=true --overwrite=true

oc apply -f https://raw.githubusercontent.com/Jooho/jhouse_openshift/main/Kserve/docs/Common/manifests/openvino-serving-runtime.yaml -n kserve-demo
oc patch servingruntime/ovms-1.x -p '{"spec":{"replicas":1}}' --type=merge -n kserve-demo
cat <<EOF| oc apply -f -
apiVersion: serving.kserve.io/v1beta1
kind: InferenceService
metadata:
  name: example-onnx-mnist
  namespace: kserve-demo
  annotations:
    serving.kserve.io/deploymentMode: ModelMesh
spec:
  predictor:
    model:
      modelFormat:
        name: onnx
      runtime: ovms-1.x
      storage:
        key: aws-connection-minio
        path: onnx/mnist.onnx
EOF

# You can see that it successfully pull a model from ssl minio       
oc logs deploy/modelmesh-serving-ovms-1.x -c ovms-adapter

Clean up demo

oc delete isvc,servingruntime,pod --all -n kserve-demo --force
oc delete ns kserve-demo minio --force --grace-period=0
oc delete all --all --force --grace-period=0 -n opendatahub
oc patch DataScienceCluster rhoai -p '{"metadata":{"finalizers":[]}}' --type=merge
oc delete dsc,dsci --all --force --grace-period=0

oc delete subs serverless-operator -n rhoai-serverless
oc delete subs servicemeshoperator -n openshift-operators 
oc delete subs opendatahub-operator -n openshift-operators

oc delete csv serverless-operator.v1.31.1 servicemeshoperator.v2.4.5 opendatahub-operator.v2.8.0-incubation -n openshift-operators
oc delete catalogsource rhods-catalog-dev -n openshift-marketplace
oc delete pod --all -n rhoai-serverless --force --grace-period=0
oc delete validatingwebhookconfiguration openshift-operators.servicemesh-resources.maistra.io
oc delete mutatingwebhookconfiguration openshift-operators.servicemesh-resources.maistra.io 
oc patch smmr default -p '{"metadata":{"finalizers":[]}}' --type=merge -n istio-system
oc delete ns opendatahub redhat-ods-monitoring rhoai-serverless istio-system

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@Jooho
integrated with odh global certificate
701fd75 
Signed-off-by: jooho <jlee@redhat.com>
@Jooho
fix conflict sources
5f18a45 
Signed-off-by: jooho <jlee@redhat.com>
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 22, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Jooho

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Jooho
Update source based on comments
33b691b 
Update kserve customcacert controller logic

Signed-off-by: jooho <jlee@redhat.com>
vaibhavjainwiz
vaibhavjainwiz reviewed Feb 22, 2024
View reviewed changes
Copy link
Member

@vaibhavjainwiz vaibhavjainwiz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current reconciliation logic looks fine but could I request you to please write in similiar pattern that we follow in other reconciler like below. It help us to maintain uniformity in code and its more robust.

https://github.com/opendatahub-io/odh-model-controller/blob/ba123e578471dabfd6154cb6a9588342abb2662c/controllers/reconcilers/kserve_istio_peerauthentication_reconciler.go#L15-L14

controllers/kserve_customcacert_controller.go Outdated Show resolved Hide resolved
controllers/kserve_customcacert_controller.go Outdated Show resolved Hide resolved
controllers/kserve_customcacert_controller.go Outdated Show resolved Hide resolved
controllers/kserve_customcacert_controller.go Show resolved Hide resolved
controllers/kserve_customcacert_controller.go Show resolved Hide resolved
controllers/kserve_customcacert_controller.go Outdated Show resolved Hide resolved
controllers/kserve_customcacert_controller.go Show resolved Hide resolved
controllers/kserve_customcacert_controller.go Outdated Show resolved Hide resolved
@vaibhavjainwiz
Copy link
Member

@Jooho I am not following whole centralized cert story from begining, Could I ask Who is responsible to create odhGlobalCACertConfigMap? I mean does some operator create it or user will create it manually?

If its created by some other operator like odh-operator then ideally that operator should maintain the kserveCustomCACertConfigMap as well.

@lucferbux lucferbux mentioned this pull request Feb 22, 2024
Merged
7 tasks
@Jooho
refactorying kserve_customcacert_controller
c157b30 
Signed-off-by: jooho <jlee@redhat.com>
@Jooho
Add logic to recover Kserve custom cert ConfigMap after manual edits
1f34cc0 
Signed-off-by: jooho <jlee@redhat.com>
@Jooho
pass log to reconcileConfigMap
210ec7a 
Signed-off-by: jooho <jlee@redhat.com>
@Jooho
remove GenericEvent
00a33a5 
Signed-off-by: jooho <jlee@redhat.com>
@Jooho
Copy link
Contributor Author

Jooho commented Feb 22, 2024

Current reconciliation logic looks fine but could I request you to please write in similiar pattern that we follow in other reconciler like below. It help us to maintain uniformity in code and its more robust.
https://github.com/opendatahub-io/odh-model-controller/blob/ba123e578471dabfd6154cb6a9588342abb2662c/controllers/reconcilers/kserve_istio_peerauthentication_reconciler.go#L15-L14

@vaibhavjainwiz I agree. Therefore, I have accepted your recommendation and made significant changes to the source code accordingly. Please review.

Could I ask Who is responsible to create odhGlobalCACertConfigMap? I mean does some operator create it or user will create it manually? If its created by some other operator like odh-operator then ideally that operator should maintain the kserveCustomCACertConfigMap as well.

The odhGlobalCACertConfigMap is created by the opendatahub operator. Each component owner must use this centralized certificate appropriately for their respective components. This is because each component applies certificates in very different ways. Although kserve and modelmesh both apply certificates, their methods are different from each other. The kserveCustomCACertConfigMap is created specifically for utilizing kserve's functionality, therefore, it needs to be managed by us.

danielezonca
danielezonca reviewed Feb 23, 2024
View reviewed changes
Copy link

@danielezonca danielezonca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall the PR looks good to me, just a couple of comments to clarify impact on existing code

controllers/storageconfig_controller.go Show resolved Hide resolved
controllers/storageconfig_controller.go Show resolved Hide resolved
controllers/storageconfig_controller.go Show resolved Hide resolved
@Jooho
remove unused code
071794b 
Signed-off-by: jooho <jlee@redhat.com>
@Jooho
add more conditions when data connection does not exist
1559c31 
Signed-off-by: jooho <jlee@redhat.com>
@vaibhavjainwiz
Copy link
Member

changes looks good to me as well. I had reviewed it by dry run on code.

@vaibhavjainwiz
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Feb 23, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 86c1d45 into opendatahub-io:main Feb 23, 2024
5 checks passed
@Jooho Jooho mentioned this pull request Feb 23, 2024
Merged
@Jooho
Copy link
Contributor Author

Jooho commented Feb 23, 2024

@danielezonca I found the root cause why the old logic was working. I fixed it with #167 and it will be included.

@Jooho
Copy link
Contributor Author

Jooho commented Feb 23, 2024

This pr had to be squeezed and merged. I will do it manually.

This was referenced Feb 23, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dtrifiro dtrifiro dtrifiro left review comments

@israel-hdez israel-hdez israel-hdez left review comments

@vaibhavjainwiz vaibhavjainwiz vaibhavjainwiz left review comments

@spolti spolti spolti left review comments

@danielezonca danielezonca danielezonca left review comments

@davidesalerno davidesalerno Awaiting requested review from davidesalerno

@VedantMahabaleshwarkar VedantMahabaleshwarkar Awaiting requested review from VedantMahabaleshwarkar

Assignees

@vaibhavjainwiz vaibhavjainwiz

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Jooho @vaibhavjainwiz @danielezonca @spolti @israel-hdez @dtrifiro